Integrating security clauses in supplier agreements
Ensure suppliers meet agreed security requirements relevant to their relationship.
Plain language
When you deal with suppliers, it's crucial to make sure they protect your information as well as you do. If they don't, sensitive data could leak or be misused, potentially leading to financial or reputational damage. By including clear security requirements in contracts, you ensure everyone knows the rules and responsibilities, reducing the risk of unpleasant surprises.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
Why it matters
Without defined security clauses, suppliers may mishandle sensitive data, leading to data breaches and loss of trust.
Operational notes
Regularly review supplier contracts for agreed security requirements (e.g. access, incident notice, audit) and update clauses as the relationship or risks change.
Implementation tips
- The procurement team should ensure that all supplier contracts include specific information security clauses. These clauses should detail what kind of data the supplier can access and how they are expected to protect it, referencing the Privacy Act 1988 where relevant.
- IT managers need to collaborate with legal teams to map out your organisation’s data classification schemes against those used by suppliers. This helps ensure there is no confusion about how protected each type of information should be.
- HR and IT departments should work together to create a list of supplier employees who are authorised to access your organisation’s data. This list should be regularly reviewed and updated in line with staffing changes.
- The legal team should instruct suppliers to conduct security screenings for their employees who will handle sensitive data, referencing Australian laws where appropriate. This will help ensure only trusted individuals have access.
- IT should establish and maintain a register of all active supplier agreements that include security stipulations. Regular reviews will identify expired agreements or contracts needing updates to meet current security standards in line with ISO 27002:2022.
Audit / evidence tips
- Ask: Request copies of supplier agreements that include security clauses.
  Good: All supplier contracts detail security obligations, showing understanding of each party's roles.
- Ask: Ask for a document that maps your data classification scheme to that of your suppliers.
  Good: There is a complete and recent mapping that clearly matches your data classification scheme to your suppliers' schemes.
- Ask: Request a list of authorised supplier personnel with access to your systems.
  Good: The list is accurate, with records of regular updates and documented access approvals.
- Ask: Inquire about the supplier employee screening process.
  Good: Screenings are thorough and aligned with Australian regulations, ensuring only vetted personnel have access.
- Ask: Request to see the register of all supplier agreements.
  Good: The register is comprehensive, current, and shows a consistent review process for all agreements.
Cross-framework mappings
How Annex A 5.20 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (10) | | |
| ISM-0141 | ISM-0141 requires supplier agreements to explicitly include prompt cyber incident reporting to a designated contact | |
| ISM-0731 | ISM-0731 requires CISO oversight of cyber supply chain risk management across the organisation | |
| ISM-1451 | ISM-1451 requires organisations to document data types and ownership in service provider contracts | |
| ISM-1571 | ISM-1571 requires that service provider contracts explicitly document the organisation’s right to verify the provider’s compliance with s... | |
| ISM-1572 | ISM-1572 requires explicit supplier contract terms for data handling locations (regions/availability zones) and minimum advance notice fo... | |
| ISM-1575 | ISM-1575 requires contracts with service providers to include a documented minimum one-month notice period before services can be terminated | |
| ISM-1738 | Annex A 5.20 requires relevant information security requirements to be established and agreed with each supplier based on the relationshi... | |
| ISM-1786 | ISM-1786 requires an organisation to maintain an approved supplier list to control which suppliers can be engaged | |
| ISM-1794 | ISM-1794 requires organisations to document a minimum one-month notification period for significant supplier-side arrangement changes wit... | |
| ISM-1804 | Annex A 5.20 requires organisations to agree on information security requirements with suppliers | |
| Partially overlaps (5) | | |
| ISM-1178 | ISM-1178 requires limiting the amount of network documentation shared with third parties to what is necessary for contractual services | |
| ISM-1568 | ISM-1568 requires organisations to buy IT/OT products and services only from suppliers that can demonstrate a commitment to security | |
| ISM-1569 | Annex A 5.20 involves establishing and agreeing on information security requirements with suppliers | |
| ISM-1882 | ISM-1882 requires organisations to select suppliers that have demonstrated transparency about their products and services before procurement | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| Supports (6) | | |
| ISM-1395 | ISM-1395 requires service providers and subcontractors to protect any data entrusted to them or their services at an appropriate level | |
| ISM-1737 | ISM-1737 requires documenting contractual arrangements for each managed service in a managed service register, along with who to contact ... | |
| ISM-1785 | ISM-1785 requires an organisation to establish and maintain a supplier relationship management policy | |
| ISM-1788 | ISM-1788 requires organisations to identify multiple potential suppliers for critical systems and services to reduce supply chain depende... | |
| ISM-1793 | ISM-1793 requires periodic IRAP assessments of managed service providers against the ISM to maintain assurance over their security compli... | |
| ISM-2088 | ISM-2088 requires techniques that verify AI training data is accurate and reliable prior to use | |
| Depends on (1) | | |
| ISM-1631 | ISM-1631 requires organisations to identify suppliers linked to operating systems, applications, IT/OT equipment and services associated ... | |
| Related (1) | | |
| ISM-0072 | Annex A 5.20 requires information security requirements to be agreed with each supplier | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.