Ensure Security of Unused IT Equipment and Media
IT equipment and media are protected against unauthorized access when not actively being used.
Plain language
This control is about making sure that computers, hard drives, and other tech devices are safely locked away when you're not using them. It’s important because if someone can get to them when you're not watching, they could steal important information or mess up your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
IT equipment and media
Official control statement
IT equipment and media are secured when not in use.
Why it matters
If unused IT equipment or removable media aren’t secured when not in use, they can be stolen or accessed, leading to data exposure and disruption.
Operational notes
Lock unused devices and removable media in secure storage (e.g., cabinets/rooms), restrict key/access lists, and audit holdings regularly to confirm they remain secured.
Implementation tips
- Managers should ensure staff know where to store equipment: Hold a short training session to show employees the designated secure storage areas like locked cabinets or secure rooms. Use clear signage and reminders around the office to reinforce the practice.
- IT teams should label and log equipment: Create a simple log of all IT equipment that includes who it's assigned to and where it should be stored when not in use. Use asset tags on devices to make tracking easier and do regular checks to ensure devices are where they should be.
- Office managers should install locks on storage areas: Identify areas where IT equipment is stored and fit them with secure locks. Consider using combination or key locks and maintain a list of authorised persons who have access.
- Employees should be reminded to sign out equipment: Implement a sign-out sheet or digital system for tracking who takes devices out of secure storage. Include checking the condition of the devices upon return to ensure nothing is damaged or missing.
- Procurement teams should ensure purchase of lockable storage: When buying new IT equipment or media, also consider lockable cabinets or safes to store them securely when not in use. Prioritise highly portable or sensitive equipment like laptops and external drives.
Audit / evidence tips
- Ask the equipment storage policy: Check for a document or written policy detailing how and where IT equipment and media should be stored when not in use.
  Good shows clear guidance on securing equipment with specifics on storage locations.
- Good is an updated log that matches the number and type of devices on-site.
- Good is seeing equipment secured as per the policy, such as in locked cabinets or rooms.
- Ask employees where they store their equipment after hours or when not in use.
  Good is employees indicating secured storage according to organisational policy.
- Good includes evidence of purchasing these solutions alongside new equipment, ensuring secure storage capacity is in place.
Cross-framework mappings
How ISM-0161 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| Annex A 7.7 | ISM-0161 requires IT equipment and media to be secured when not in use, with an emphasis on preventing unauthorised access to physical as... | |
| Annex A 7.8 | ISM-0161 requires IT equipment and media to be physically secured when not in use to prevent unauthorised access | |
| Annex A 7.14 | ISM-0161 requires IT equipment and media to be secured when not in use to prevent unauthorised access | |
| Annex A 8.1 | ISM-0161 requires physical security for unused IT equipment and media to prevent unauthorised access | |
| Supports (5) | | |
| Annex A 5.10 | ISM-0161 requires organisations to ensure IT equipment and media are secured whenever they are not in use | |
| Annex A 7.1 | ISM-0161 requires securing IT equipment and media when not in use to prevent unauthorised access | |
| Annex A 7.2 | ISM-0161 requires IT equipment and media to be secured when not in use to prevent unauthorised access | |
| Annex A 7.3 | ISM-0161 requires physical protection of IT equipment and media when they are not actively being used | |
| Annex A 7.9 | Annex A 7.9 requires that off-site assets be protected against loss, theft, or damage | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.