OCIO/G4.6
Government guideline on cyber security
ISMF Guideline 6
Cyber security in procurement activities
BACKGROUND
Considering potential and accounting for actual security risks during procurement is a vital component of holistic security management. Cyber [ICT] security risk management practices are predominantly focused on avoiding potential pitfalls when sourcing products and services. By identifying potential flaws or conceivable business impact(s) during the sourcing phase, often costly remediation methods can be minimised or avoided entirely. The old adage ‘a penny saved is a penny earned’ certainly applies to all sourcing activities. In security terms, a penny saved by considering security requirements at the design and initiation phases of procurements reduces multiple risks, including economic, reputational and legal liabilities. Responsible Parties need to assure themselves that appropriate due diligence has been undertaken against prospective equipment and service providers.

Particular emphasis in this guideline is placed on verifying that prospective and ongoing suppliers have a demonstrated commitment to ongoing improvement using the underlying quality management principles: ‘Plan-Do-Check-Act’. This guideline supports implementation of ISMF Policy Statement 6.
GUIDANCE
Business Owners are responsible for determining relevant cyber security requirements prior to finalising sourcing arrangements or procuring equipment and services. The Government of South Australia defines baseline security requirements for whole-of-government ICT sourcing arrangements. Individual agencies and suppliers to government have roles to play in determining their own security requirements in alignment with the business risk profile, which is an indication of risk tolerance and appetite. These factors will often change on a case-by-case basis.

For products and services sourced via whole-of-government arrangements, agency-specific measures are implemented at the Customer Agreement [CA] level. Individually sourced products and services will also need to factor in cyber security policy requirements defined in the Protective Security Management Framework [PSMF] and Information Security Management Framework [ISMF].

This guideline highlights the specific policies and standards related to procurement without delving into all of the ‘human factors’ that also need to be catered for when considering a sourcing arrangement. Annex A of the ISMF describes the absolute baseline for cyber security risk management, and each facet of security risk management described therein should be considered prior to finalising any ICT procurement.
RISK IDENTIFICATION
Table 1 – Manage risks in the context of an overarching Information Security Management System
Applicability: ALL
Relevant ISMF standards, policies or procedures and controls:

Policy Statement 1
Responsible Parties must develop or have in place an Information Security Management System [ISMS] that conforms to the principles of AS/NZS ISO/IEC 27001. When the Responsible Party is a Supplier, they must obtain and maintain certification that their information security management system conforms to AS/NZS ISO/IEC 27001 if their contractual obligations require this as described in section 2.1 of the Information Security Management Framework.

Policy Statement 2
Each Responsible Party shall develop and use information security risk management processes as outlined in section 5.1 of the PSMF and supported by the Government of South Australia Risk Management Policy Statement. The risk assessment process shall include the identification and assessment of security risks for information assets, a summary of the Agency’s response to these risks and provide ongoing monitoring and review of the risks and the potential security exposure(s).

Policy Statement 5
Access to information processing facilities by third parties must be controlled and such controls must be agreed to and defined by way of contractual obligation with the external organisation.

S12.3
Contracts conferring tertiary access (e.g. a supplier who utilises sub-contractors or outsourced suppliers in the fulfilment of their contractual obligations and/or service agreement) should include allowances for designation of deemed eligible participants and the conditions for their access.

Responsible Parties may embed the use of an assessment tool as a component of the selection process for external organisations, such as the Third Party Security Assessment Tool [TPSAT] available to Information Security Forum members.
Government guideline on cyber security
Cyber security in procurement activities v1.3
Page 2 of 7
SECURITY IN PROCUREMENT AND SOURCING ACTIVITIES
Table 2 – Establish security requirements at the outset, before going to market
Applicability: ALL; [C] Confidential; [P] Protected; [SC] Sensitive: Cabinet
Relevant ISMF standards, policies or procedures and controls:

Policy Statement 6
Access to Agency and Australian Government information provided to prospective Suppliers during tendering and/or procurement processes shall be limited on a need-to-know basis and commensurate with the controls applicable to the information’s classification.

Agencies must stipulate and account for security considerations and controls as defined in the PSMF and ISMF and their subordinate documents during all phases of the procurement process.

Standard 15
Responsible Parties must include and consider the security controls required by the PSMF and ISMF as part of their procurement procedures. Information classification controls must be applied during all phases of the tender and/or procurement process.

S15.1
Agencies must include the requirements of the PSMF and the ISMF in their procurement procedures and should select only those subsets of controls and procedures required according to the scope and nature of the project(s) and/or services, products and materials being considered.

S15.2
Particular attention is drawn to part F, paragraph 4.6 of the PSM, which addresses issues such as “Conflict of Interest” declarations and security clearance requirements. This constitutes one of the minimum standards for procurement security and is enabled by the PSMF.

S15.3
Suppliers that intend to procure services, products and/or materials via a third party shall obtain written authorisation from the relevant Agency if any classified information needs to be shared with or otherwise released to the third party as part of the Supplier’s procurement process.

S15.4
Significant risks identified in the procurement cycle should be reflected in the organisation’s risk register, and the treatment and/or mitigation strategy should be identified as part of the organisational risk management procedures.

S15.7
All personnel must be subject to a security vetting process. Refer to the Security Clearances and Briefings section of the ISM (ISM pages 75-77) for further guidance.

S15.8
All personnel (including respondents) should be subject to a security vetting process in accordance with Policy 6.1 of the PSPF. Personnel must be subject to this process when accessing Commonwealth information.
ESTABLISH CONTRACTUAL ARRANGEMENTS
Table 3 – Define a cyber security accord with prospective suppliers
Applicability: ALL
Relevant ISMF standards, policies or procedures and controls:

Standard 14
Arrangements involving third party access to Agency information processing facilities shall be based on a formal contract containing, or referring to, all of the security requirements to ensure compliance with the Responsible Party’s security policies, standards and obligations.

S14.4
Third parties and their employees, including sub-contracted service providers, who require access to security classified information must be security cleared to the appropriate level. Utilising a Third Party Contract Agreement, the service provider must be required to implement security procedures that ensure that access to Official information assets is restricted to those employees who require access to perform their function.

S14.5
Responsible Parties should establish individual confidentiality agreements with the staff of contractors. Depending on the risk assessment findings and sensitivity of information assets or systems, the Responsible Party may wish to undertake a police records/fingerprint check of an individual or elect to use a vetting process for sensitive Positions of Trust.

Standard 139
Refer to OCIO/S4.3 Security in an Outsourced Environment.

Standard 69
Information used in Electronic Commerce shall be protected from fraudulent activity, misuse, breach of privacy and unauthorised access. Responsible Parties should establish contractual agreements with providers and partners to minimise the risk of potential disputes and should give consideration to PCI DSS compliance for large online transaction-based systems that rely on credit and/or debit card transactions.
PERIODIC REVIEW OF THIRD PARTY SERVICE DELIVERY
Table 4 – Ongoing supply arrangements should focus on commitment to continual improvement
Applicability: ALL
Relevant ISMF standards, policies or procedures and controls:

Policy Statement 16
Responsible Parties shall implement a program of compliance monitoring, periodic performance review and change (improvement) management for third party service delivery agreements.

Standard 51
Each Agency shall be responsible for identifying the risks associated with the outsourcing arrangements for their processing facilities and/or service delivery agreements (whether sourced internally or externally to Government), as well as defining the control measures that the contractor or other Third Party is required to implement. At a minimum, controls must include the applicable security controls described in the ISMF, service definitions and delivery expectations such as Service Level Agreements [SLAs] in alignment with OCIO/S4.3 Security in an Outsourced Environment (ISMF Standard 139).

S51.2
Responsible Parties shall note that external (third party) service delivery agreements may include supply agreements sourced from other Agencies and/or service delivery partners (e.g. Shared Services SA, Service SA, Service Delivery Group etc.).

Standard 11
In addition to periodic self-assessment, each Responsible Party shall be subject to ongoing independent review of Information Security policies, practices and implementation at regular intervals in accordance with the AS/NZS ISO/IEC 27002 standard.
OUTSOURCING SOFTWARE DEVELOPMENT
Table 5 – Independent reviews, advice and/or certification provide increased assurance
Applicability: ALL
Relevant ISMF standards, policies or procedures and controls:

Standard 120
Responsible Parties entering into outsourcing arrangements for software development shall seek legal advice to ensure that the Agency’s rights and interests are protected and shall implement the guidance described in the AS/NZS ISO/IEC 27002 standard pertaining to outsourced software development.

S120.1
Responsible Parties shall implement the control(s) and guidance described in clause 12.5.5 of the AS/NZS ISO/IEC 27002 standard.
ADDITIONAL CONSIDERATIONS

Agencies should educate their users on the security implications associated with procurement and help them to understand their requirements to ensure the confidentiality, integrity and availability of government information assets. Most importantly, agency personnel should understand the bearing that cyber security in procurement has on continued service availability and the assurance that consistent service levels provide to the community.

Some of the differences between outsourcing and the other forms of third party service provision include: the question of liability, planning the transition period to an outsourced environment and potential disruption of operations during any transition, contingency planning arrangements and due diligence reviews, and collection and management of information on security incidents. Therefore, it is important that the organisation plans and manages the transition to such arrangements and has suitable processes in place to manage changes and the renegotiation/termination of contracts that are driven by business requirements.

Personnel, including contractors, requiring access to security classified information or resources may need security clearances (see ISMF Policy Statement 5).

Confidentiality and/or non-disclosure agreements must be in place for all staff, contractors and/or sub-contractors that seek or have in place access to South Australian Government information, materials and/or intellectual property that is not intended for public access (see ISMF Standard 8).

Access provided to third parties (including customers, contractors etc.) must be controlled based on the specific business requirements of the Responsible Party (see ISMF Standard 13).

This guideline does not aim to provide the reader with all of the cyber security responsibilities, obligations and controls related to procurement. It is merely an overview of the information provided in relevant government cyber security policy and the AS/NZS ISO/IEC 27002 standard. It is highly recommended that agencies review such documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).
SAMPLE CONTRACTUAL CLAUSES
An example schedule containing whole-of-government contractual clauses is embedded in this guideline and may be accessed by double-clicking on the icon below (MS-Word users only).
Schedule 32 Security Requirements Example.docx
REFERENCES, LINKS & ADDITIONAL INFORMATION
PC030 Protective Security Management Framework [PSMF]
OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
AS/NZS ISO/IEC 27002:2006
Australian Government Protective Security Policy Framework [PSPF]
ID: OCIO_G4.6
Classification/DLM: PUBLIC-I1-A1
Issued: February 2012 (re-designated as ISMF Guideline 6 from Guideline 9 – February 2014)
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline6(procurement).docx
Records management: File Folder: 2011/15123/01 - Document number: 5814760
Managed & maintained by: Office of the Chief Information Officer
Author: Jason Caley, Principal Policy Adviser
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES, Director Security and Risk Assurance
Compliance: Discretionary
Review date: February 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 6.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2012.