Guidelines for procurement and outsourcing
38 controls in this part of the Australian Government Information Security Manual. Each control links to plain-English guidance, audit tips and cross-framework mappings.
Cyber supply chain risk management
ISM-1567
Avoid High-Risk Suppliers in Cyber Supply Chain
ISM-1568
Ensure Security Commitment from Suppliers
ISM-1631
Identify Suppliers in Cyber Supply Chain
ISM-1632
Ensure Secure Procurement from Reliable Suppliers
ISM-1785
Develop and Maintain Supplier Management Policy
ISM-1786
Maintain an Approved Supplier List
ISM-1787
Ensure Suppliers are Approved for IT and OT Sourcing
ISM-1788
Identify Multiple Suppliers for Critical IT Sourcing
ISM-1789
Verify Authenticity for Delivery Acceptance in Supply Chain
ISM-1790
Ensure Integrity in IT and OT Deliveries
ISM-1791
Assess Integrity of Delivered IT and OT Products
ISM-1792
Assess Authenticity of IT and OT Deliveries
ISM-1882
Procurement from Transparent Suppliers
Managed services and cloud services
ISM-0141
Report Cyber Incidents Promptly to Designated Contacts
ISM-1073
Ensure Provider Contracts for System Access
ISM-1395
Ensuring Data Protection by Service Providers
ISM-1451
Document Data Ownership in Service Contracts
ISM-1529
Limit Cloud Services to Community or Private for SECRETS
ISM-1570
Regular IRAP Assessment of Cloud Service Providers
ISM-1571
Verify Security Compliance in Service Contracts
ISM-1572
Document Service Provider Data Handling and Change Notifications
ISM-1573
Log Access Documentation with Service Providers
ISM-1575
One-Month Notice for Service Termination
ISM-1576
Notify Organisation of Unauthorised System Access
ISM-1638
Maintain a Comprehensive Outsourced Cloud Service Register
ISM-1737
Maintain a Comprehensive Managed Service Register
ISM-1793
Regular Assessment of Managed Service Providers
ISM-1794
Notify Significant Changes to Service Provider Agreements
ISM-1804
Include Break Clauses in Cloud Service Contracts
ISM-1971
Security Assessments for TOP SECRET Managed Services
ISM-1972
Security Assessments for Top Secret Cloud Services