ISM-0246, ASD Information Security Manual (ISM)

Contact ASD for Emanation Security Assessment

System owners ask for an ASD assessment to ensure their facilities are protected from information leaks.

Plain language

This control involves getting an assessment from the Australian Signals Directorate (ASD) to check if your facilities are secure against leaks of sensitive information. It's important because without this check, confidential data could accidentally be broadcast or leaked, leading to potential data breaches or other security incidents.

Framework: ASD Information Security Manual (ISM)
Control effect: Proactive
Classifications: S, TS
ISM last updated: Mar 2026
Control Stack last updated: 24 Mar 2026
E8 maturity levels: N/A

Official control statement

When an emanation security risk assessment is required, it is sought as early as possible in a system’s life cycle.
ASD Information Security Manual (ISM), ISM-0246

Why it matters

Without an ASD assessment, facilities could unknowingly leak sensitive information, leading to security breaches and damage to national interests.

Operational notes

Regularly review and update your system inventory and ensure continuous communication with ASD for timely reassessments.

Implementation tips

  • System owners need to contact the ASD: As soon as they decide to deploy systems handling sensitive data, they should reach out for advice and assessment. Use the official communication channels listed on the ASD website to initiate contact.
  • Identify systems needing assessment: System owners must compile a list of all SECRET or TOP SECRET systems in fixed locations. Gather relevant details like where they're housed and what data they handle to provide ASD with necessary context.
  • Schedule the assessment: Once contact is made, work with the ASD to arrange a convenient time for their experts to conduct the assessment. Ensure all security personnel are available on the agreed day to assist the ASD team.
  • Prepare relevant documentation: System owners should have all records and documentation about their systems readily available. This includes system diagrams, data flow charts, and security policies to facilitate a thorough and efficient assessment.
  • Implement ASD recommendations: After receiving the assessment report, the same team should prioritise and implement any changes or enhancements recommended by the ASD. This might involve software updates, physical adjustments, or policy changes.

Audit / evidence tips

  • Ask: the contact record with ASD. Request evidence of communication with ASD, such as emails or meeting minutes. Look at: details on what was discussed and confirmation of assessment scheduling. Good: includes clear communication records outlining the planned assessment dates.
  • Ask: a list of systems assessed. Check for a documented list of systems that were flagged for requiring an ASD assessment. Look at: completeness and correctness in terms of system classifications and locations. Good: list should cover all SECRET or TOP SECRET systems in fixed facilities.
  • Ask: assessment reports. Request the reports generated by the ASD after their assessment. Look at: the findings and the recommendations provided. Good: report includes a clear description of potential security issues and tailored recommendations.
  • Ask: implementation records. Check if the recommendations from the ASD have been implemented. Look at: logs or records showing steps taken and completion dates. Good: includes detailed logs indicating who did what and when.
  • Ask: follow-up actions. Request evidence of any follow-up actions taken post-assessment, including any subsequent assessments or reviews. Look at: documented plans and outcomes. Good: shows ongoing engagement with the ASD and improvement initiatives.

Cross-framework mappings

How ISM-0246 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.25: ISM-0246 requires that, when an emanation security threat assessment is required, it is sought as early as possible in a system’s life cycle
  • Annex A 8.26: ISM-0246 requires that an emanation security threat assessment is sought as early as possible in the system lifecycle when required

Supports (1)
  • Annex A 8.27: ISM-0246 requires organisations to engage ASD early in the system life cycle when an emanation security risk assessment is required, to a...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
