ISM-1804 ASD Information Security Manual (ISM)

Include Break Clauses in Cloud Service Contracts

Contracts must have clauses that allow termination if security requirements aren't met by service providers.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers.

Source: ASD Information Security Manual (ISM)

Plain language

Imagine you're relying on a company to securely manage your important files in the cloud. What happens if they fail to protect your data? This control means you can end your contract if they don't meet their security promises. It’s important because having this safety net helps you avoid bigger issues if things go wrong.

Why it matters

Without break clauses tied to unmet security requirements, you may be locked into a non-compliant cloud provider, extending breach exposure and increasing legal and reputational risk.

Operational notes

Review cloud contracts to ensure break clauses explicitly cover failure to meet security requirements, define triggers/evidence, and specify termination or remediation timeframes.

Implementation tips

  • Business managers should work with legal experts to ensure the contract with your cloud service provider includes clear terms about data security expectations. Draft these terms with precise language that specifies the security standards required, such as data encryption and regular audits.
  • Procurement officers should collaborate with IT and security teams to identify potential risks associated with the service provider. Conduct a risk assessment to understand where the provider might fall short and ensure these risks are addressed in the break clauses of the contract.
  • Legal advisors must review current cloud service contracts to check for existing security clauses. They can update the contracts by adding break clauses that specify actions, like terminating the contract if the provider fails to comply with the agreed security measures.
  • Business owners should set up regular meetings with the cloud service provider to review compliance with security clauses. In these meetings, go through the provider's performance reports to verify they are upholding their security commitments.
  • HR and training managers should provide education sessions for staff involved in managing cloud services. Teach them about the importance of break clauses and how to monitor contracts for any security compliance issues.

Audit / evidence tips

  • Ask: the signed cloud service contract

    Good: shows clear, signed clauses that articulate the right to terminate the contract if security promises aren't met

  • Good: includes these risks being directly addressed in the contract's break clauses

  • Ask: evidence of periodic compliance meetings

    Good: shows regular, documented meetings where security compliance is reviewed

  • Good: includes consistent or exceeding results with action items if standards were not met

  • Ask: training records for relevant staff

    Good: shows thorough training that includes examples of how to handle non-compliance

Cross-framework mappings

How ISM-1804 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 5.19: ISM-1804 relates to contractual break clauses for cloud service security non-compliance
  • Annex A 5.20: Annex A 5.20 requires organisations to agree on information security requirements with suppliers

Related (1)

  • Annex A 5.21: Annex A 5.21 addresses end-to-end management of ICT supply chain security risks via defined processes and procedures
