Contact ASD for Emanation Security Assessment
System owners ask for an ASD assessment to ensure their facilities are protected from information leaks.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
S, TS
🗓️ ISM last updated
Mar 2026
✏️ Control Stack last updated
23 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Emanation Security
When an emanation security risk assessment is required, it is sought as early as possible in a system's life cycle.
Source: ASD Information Security Manual (ISM)
Plain language
This control involves getting an assessment from the Australian Signals Directorate (ASD) to check whether your facilities are secure against leaks of sensitive information. It's important because without this check, confidential data could accidentally be broadcast or leaked, leading to potential data breaches or other security incidents.
Why it matters
Without an ASD assessment, facilities could unknowingly leak sensitive information, leading to security breaches and damage to national interests.
Operational notes
Regularly review and update your system inventory and ensure continuous communication with ASD for timely reassessments.
Implementation tips
- System owners need to contact the ASD: As soon as they decide to deploy systems handling sensitive data, they should reach out for advice and assessment. Use the official communication channels listed on the ASD website to initiate contact.
- Identify systems needing assessment: System owners must compile a list of all SECRET or TOP SECRET systems in fixed locations. Gather relevant details like where they're housed and what data they handle to provide ASD with necessary context.
- Schedule the assessment: Once contact is made, work with the ASD to arrange a convenient time for their experts to conduct the assessment. Ensure all security personnel are available on the agreed day to assist the ASD team.
- Prepare relevant documentation: System owners should have all records and documentation about their systems readily available. This includes system diagrams, data flow charts, and security policies to facilitate a thorough and efficient assessment.
- Implement ASD recommendations: After receiving the assessment report, the same team should prioritise and implement any changes or enhancements recommended by the ASD. This might involve software updates, physical adjustments, or policy changes.
Audit / evidence tips
- Ask: the contact record with ASD: Request evidence of communication with ASD, such as emails or meeting minutes
  Look at: details on what was discussed and confirmation of assessment scheduling
  Good: includes clear communication records outlining the planned assessment dates
- Ask: a list of systems assessed: Check for a documented list of systems that were flagged for requiring an ASD assessment
  Look at: completeness and correctness in terms of system classifications and locations
  Good: list should cover all SECRET or TOP SECRET systems in fixed facilities
- Ask: assessment reports: Request the reports generated by the ASD after their assessment
  Look at: the findings and the recommendations provided
  Good: report includes a clear description of potential security issues and tailored recommendations
- Ask: implementation records: Check if the recommendations from the ASD have been implemented
  Look at: logs or records showing steps taken and completion dates
  Good: includes detailed logs indicating who did what and when
- Ask: follow-up actions: Request evidence of any follow-up actions taken post-assessment, including any subsequent assessments or reviews
  Look at: documented plans and outcomes
  Good: shows ongoing engagement with the ASD and improvement initiatives
Cross-framework mappings
How ISM-0246 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.25 | ISM-0246 requires that, when an emanation security threat assessment is required, it is sought as early as possible in a system’s life cycle | |
| Annex A 8.26 | ISM-0246 requires that an emanation security threat assessment is sought as early as possible in the system lifecycle when required | |
| Supports (1) | | |
| Annex A 8.27 | ISM-0246 requires organisations to engage ASD early in the system life cycle when an emanation security risk assessment is required, to a... | |