ISM-1882 | ASD Information Security Manual (ISM)

Procurement from Transparent Suppliers

Ensure vendors are transparent about their products and services before purchasing.


Plain language

This control is about making sure you only buy tech products and services from suppliers who are upfront and honest about what they're providing. This is important because if a supplier won't disclose details, they might be hiding security risks. These hidden risks can lead to data breaches or other security issues for your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Operating systems, applications, IT equipment, OT equipment and services are procured from suppliers that have demonstrated a commitment to transparency for their products and services.

Why it matters

If suppliers are not transparent (e.g., they provide no software bill of materials (SBOM), no vulnerability disclosure policy and no component provenance), components with unknown or unpatched weaknesses may be procured without anyone in the organisation being able to tell, raising the risk of compromise and data loss.


Operational notes

Assess supplier transparency during procurement (SBOMs, vulnerability disclosure policy, component provenance and the security documentation behind any certification claimed) and re-review it periodically rather than only at purchase time; update the approved supplier list as risks change.
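One concrete part of that assessment is checking whether a supplier-provided SBOM actually carries the provenance data a reviewer needs, rather than just accepting that a file was delivered. The following is an added example written for this page, not ISM or Control Stack tooling: it checks a CycloneDX-style JSON SBOM for a timestamp, a named supplier, a described top-level component, and for every listed component a name, version, package URL (purl), hash and supplier. The field names follow the CycloneDX 1.x JSON layout; the sample SBOM, the vendor names and the `check_sbom` / `sbom_acceptable` helpers are constructed for the example.

```python
import json

# Constructed sample SBOM for this example (not a real supplier artefact).
# One component has a purl, a hash and a named supplier; the other has none,
# which is exactly the kind of gap a transparency review should surface.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-05-01T00:00:00Z",
        "supplier": {"name": "Example Vendor Pty Ltd"},
        "component": {"name": "example-gateway", "version": "4.2.0"},
    },
    "components": [
        {
            "type": "library",
            "name": "openssl",
            "version": "3.0.13",
            "purl": "pkg:generic/openssl@3.0.13",
            "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
            "supplier": {"name": "OpenSSL Project"},
        },
        # No purl, no hash, no supplier: provenance cannot be established.
        {"type": "library", "name": "vendor-crypto-shim", "version": "1.0"},
    ],
})

# Fields a reviewer expects before accepting the SBOM as evidence of transparency
# (an assumption of this example, not a list taken from the ISM).
REQUIRED_METADATA = ("timestamp", "supplier", "component")
REQUIRED_COMPONENT_FIELDS = ("name", "version", "purl", "hashes", "supplier")


def check_sbom(sbom_json: str) -> list:
    """Return findings (strings) for a CycloneDX JSON SBOM; an empty list means it passed."""
    findings = []
    try:
        bom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    metadata = bom.get("metadata", {})
    for key in REQUIRED_METADATA:
        if key not in metadata:
            findings.append(f"metadata missing '{key}'")
    components = bom.get("components", [])
    if not components:
        findings.append("no components listed")
    for index, component in enumerate(components):
        label = component.get("name") or f"#{index}"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not component.get(field):
                findings.append(f"component '{label}' missing '{field}'")
        # A purl that is present but not a package URL is as useless as none.
        purl = component.get("purl")
        if purl and not purl.startswith("pkg:"):
            findings.append(f"component '{label}' has malformed purl '{purl}'")
        # A SHA-256 digest must be 64 hex characters to be checkable against the artefact.
        for digest in component.get("hashes") or []:
            if digest.get("alg") == "SHA-256" and len(digest.get("content", "")) != 64:
                findings.append(f"component '{label}' has malformed SHA-256 hash")
    return findings


def sbom_acceptable(sbom_json: str) -> bool:
    """Procurement gate: accept only an SBOM that produced no findings."""
    return not check_sbom(sbom_json)


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
    print("acceptable:", sbom_acceptable(SAMPLE_SBOM))
```

Run against the constructed sample, the check reports the three missing provenance fields on `vendor-crypto-shim` and rejects the SBOM; a supplier who cannot say where a crypto component came from, or give a digest to verify it against, has not demonstrated transparency for that product. The field list is deliberately a starting point: extend it with whatever evidence (licence, vulnerability disclosure contact, build attestation) the procurement questionnaire asks for.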


Implementation tips

  • Procurement team should check for supplier transparency: Before purchasing, procurement should ask potential suppliers to provide clear details about their products, such as technical specifications, security features, an SBOM and their vulnerability disclosure policy. They can do this by preparing a detailed questionnaire for suppliers to complete, with the answers retained as procurement records.
  • Manager should verify supplier credentials: The manager should ensure that suppliers have a solid reputation for transparency by checking reviews and ratings from other businesses. They can do this by visiting industry-specific forums and reading testimonials or case studies, and by asking the supplier for reference customers.
  • IT team should evaluate the supplier's security declarations: The IT team should review any security documentation suppliers provide, such as certifications or security audit reports. They can do this by comparing the documents against known standards and guidelines from the Australian Cyber Security Centre (ACSC), and by confirming that a claimed certification is current and that its scope actually covers the product being bought.
  • Procurement should require contracts with transparency clauses: Ensure contracts include provisions for ongoing transparency, such as prompt disclosure of product vulnerabilities and notification of changes to the product's components or suppliers. They can achieve this by working closely with legal advisors to draft appropriate clauses.
  • Management should establish a transparent supplier list: Create and maintain a list of approved suppliers known for their transparency. They can do this by regularly updating the list based on feedback from users and audits of supplier performance, and by recording the date and outcome of each review against the supplier.

Audit / evidence tips

  • Ask for supplier questionnaires: Request copies of the questionnaires sent to suppliers and their responses. Good evidence will show full and clear responses detailing product security measures.
  • Ask for supplier verification records: Ask to see notes or reports on the background checks conducted on suppliers. Good evidence involves documented records of supplier reputations from several trusted platforms.
  • Ask for security documentation from suppliers: Request any security certifications or audit reports suppliers have provided. Good evidence includes up-to-date certifications aligned with ACSC standards.
  • Ask for contract examples: Request copies of contracts with the transparency clauses included. Good evidence shows specific clauses that clearly state these obligations.
  • Ask for the approved supplier list: Request to see the current list of approved, transparent suppliers. Good evidence is a well-maintained list that shows dates of last review and the criteria met by each supplier.

Cross-framework mappings

How ISM-1882 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.19: ISM-1882 requires organisations to procure operating systems, applications, IT/OT equipment and services only from suppliers that have de...
  • Annex A 5.21: ISM-1882 requires procurement from suppliers that demonstrate transparency for the products and services being acquired.

Partially overlaps (2)
  • Annex A 5.20: ISM-1882 requires organisations to select suppliers that have demonstrated transparency about their products and services before procurement.
  • Annex A 5.22: ISM-1882 requires procurement from suppliers that demonstrate transparency for their products and services.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
