Organisations that have too many contracts to assess individually need to identify and categorise the information shared in contracts, target the contracts that pose the greatest risk, and assess the extent to which a supplier meets the required information security arrangements.