ISM-0285: ASD Information Security Manual (ISM)

Ensuring Evaluated Products Follow Delivery Procedures

Products must be delivered according to any specified delivery methods in evaluation documents.


Plain language

When you've evaluated a product and decided to buy it, make sure it's delivered following any specific instructions outlined in evaluation documents. This matters because improper delivery might compromise the product's integrity or functionality, leading to operational hiccups or security vulnerabilities.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.

Why it matters

Improper delivery of evaluated products can compromise integrity, leading to potential security breaches and operational failures.


Operational notes

Regularly verify delivery procedures align with evaluation documents to prevent security and functionality issues.


Implementation tips

  • Procurement team should review the evaluation documents: Identify any delivery guidelines specified for a product. This involves checking any requirements about how the item should be packaged, shipped, or received.
  • IT manager should coordinate with vendors: Once requirements are identified, communicate these delivery specifications clearly to the supplier. Ensure that the supplier acknowledges and confirms understanding of these requirements.
  • Receiving personnel should verify deliveries upon arrival: Use a checklist based on the specified delivery methods in the evaluation documents. Check packaging integrity, shipping method, and any conditions detailed in the requirements.
  • System owner should document the delivery process: Capture details of how the product was delivered, including any deviations from the specified methods. Use a simple form to record each step from dispatch to receipt.
  • Team lead should conduct regular checks of delivery procedures: Schedule periodic reviews of recent deliveries against documented requirements. Discuss any discrepancies in team meetings to prevent future issues.

Audit / evidence tips

  • Ask: The evaluation documents: Request the documentation outlining the delivery methods for the evaluated products. Good: Includes clearly outlined steps or conditions for delivery.
  • Good: Log shows adherence to all evaluation requirements.
  • Ask: How they ensure vendors adhere to specified delivery instructions. Good: Shows they have a checklist and a process for communicating requirements to suppliers.
  • Good: Observation would see thorough inspection and proper documentation of receipt.
  • Good: Includes an email thread confirming the vendor understands and agrees to these conditions.

Cross-framework mappings

How ISM-0285 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 5.19: ISM-0285 mandates delivery of evaluated products consistent with evaluator-defined procedures.
  • Annex A 5.21: ISM-0285 requires evaluated products to be delivered in accordance with delivery procedures specified in evaluation documentation.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
