Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >AESCSF
  3. >THIRD-PARTIES
  4. >Manage Third-Party Risk
  5. >AESCSF-THIRD-PARTIES-2l
AESCSF-THIRD-PARTIES-2lActive

Selection criteria for higher priority assets include evaluation of any associated third-party hosting environments a...

Statement

Selection criteria for higher priority assets include evaluation of any associated third-party hosting environments and source data

Context and Guidance: Third parties should be selected according to an organised and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the organisation’s specifications as established. For higher priority assets, these criteria should include the evaluation of associated third-party hosting environments and source data. Hosting environments and source data can be significant sources of acquired risk. Hosting environments comprise many layers of products and services that are not always under the direct control of hosting providers and may pose unidentified risk to the organisation. For example, these may include software packages, open-source code libraries, configurations, and other settings that were used to build a virtual machine that can be deployed in a cloud environment. Similar to a bill of materials, hosting environments should provide documentation of the use of these products and services so that an approximation of acquired risk can be established. In addition, this concept can extend to how hosting organisations store, process, and transmit organisational data. Evaluating the storage locations of data, where it is processed, how it is transmitted, and the controls employed is essential for identifying potential risks to the confidentiality, integrity, and availability of such data.

Related Practices • Input From: Implementing ASSET-1c provides input that may be useful for implementing this practice. • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2b, THIRD-PARTIES-2i, THIRD-PARTIES-2j, THIRD-PARTIES-2k, THIRD-PARTIES-2l, THIRD-PARTIES-2m.

Location

Domain
THIRD-PARTIES
Objective
Manage Third-Party Risk

Practice Details

Identifier
AESCSF-THIRD-PARTIES-2l
Type
Practice
Domain
THIRD-PARTIES
Objective
Manage Third-Party Risk

Maturity Level

MIL-1MIL-2MIL-3

Security Profile

SP-1SP-2SP-3
ISM
ISM-1395relatedvia aescsf-reference
ISM-1452relatedvia aescsf-reference
ISM-1567relatedvia aescsf-reference
ISM-1632relatedvia aescsf-reference
C2M2
C2M2-THIRD-PARTIES-2Lequivalentvia derived-shared-practice-structure
View in graphReport an issue
← Back to Manage Third-Party Risk
Manage Third-Party Risk13 controls
AESCSF-THIRD-PARTIES-2aThe selection of suppliers and other third parties includes consideration of their cybersecurity qualifications, at l...AESCSF-THIRD-PARTIES-2bThe selection of products and services includes consideration of their cybersecurity capabilities, at least in an ad ...AESCSF-THIRD-PARTIES-2cA defined method is followed to identify cybersecurity requirements and implement associated controls that protect ag...AESCSF-THIRD-PARTIES-2dA defined method is followed to evaluate and select suppliers and other third partiesAESCSF-THIRD-PARTIES-2eMore rigorous cybersecurity controls are implemented for higher priority suppliers and other third partiesAESCSF-THIRD-PARTIES-2fCybersecurity requirements (for example, vulnerability notification, incident-related SLA requirements) are formalise...AESCSF-THIRD-PARTIES-2gSuppliers and other third parties periodically attest to their ability to meet cybersecurity requirementsAESCSF-THIRD-PARTIES-2hCybersecurity requirements for suppliers and other third parties include secure software and secure product developme...AESCSF-THIRD-PARTIES-2iSelection criteria for products include consideration of end-of-life and end-of-support timelinesAESCSF-THIRD-PARTIES-2jSelection criteria include consideration of safeguards against counterfeit or compromised software, hardware, and ser...AESCSF-THIRD-PARTIES-2kSelection criteria for higher priority assets include evaluation of bills of material for key asset elements, such as...AESCSF-THIRD-PARTIES-2lSelection criteria for higher priority assets include evaluation of any associated third-party hosting environments a...AESCSF-THIRD-PARTIES-2mAcceptance testing of procured assets includes consideration of cybersecurity requirements