Consult ASD for High Assurance IT Delivery Procedures
Contact ASD for delivery procedures when buying high-security IT equipment.
Plain language
When you're buying high-security IT equipment, it's crucial to contact the Australian Signals Directorate (ASD) for specific delivery instructions. This matters because without following proper procedures, sensitive technology could be intercepted or tampered with during delivery, which could lead to data breaches or compromised systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for evaluated productsSection
Evaluated product procurementOfficial control statement
When procuring high assurance information technology (IT) equipment, ASD is contacted for any equipment-specific delivery procedures.
Why it matters
If ASD delivery procedures aren’t consulted for high assurance IT procurements, equipment may be intercepted or tampered with before receipt.
Operational notes
Before delivery of high assurance IT equipment, contact ASD and follow any equipment-specific delivery/chain-of-custody procedures provided.
Implementation tips
- Procurement managers should contact ASD: Reach out to the Australian Signals Directorate when planning to buy high-security IT equipment. Make sure you do this as early as possible in the procurement process to understand any special handling or delivery instructions.
- IT team should document delivery procedures: After contacting ASD, the IT team should write down the recommended procedures. Keep these documents handy to ensure everyone involved in receiving the equipment follows the right steps.
- The finance department should coordinate with suppliers: Ensure any contracts or purchase orders include references to the ASD's delivery requirements. This guarantees suppliers are aware and can comply with necessary security measures during shipping.
- Security officers should monitor deliveries: Arrange for security personnel to be present when the delivery arrives. They should check that the equipment package is sealed and undamaged, following all ASD guidelines.
- System owners should ensure secure storage: Once received, IT equipment should immediately go to a secure location. This prevents unauthorised access until the equipment can be properly installed and configured.
Audit / evidence tips
-
AskASD communication records: Request emails or letters sent to or received from the ASD regarding delivery procedures
Goodis clear communication showing the specific delivery advice from the ASD
-
Goodis a comprehensive, clear set of instructions tailored to the specific equipment
-
Askthem about how they informed suppliers of the special delivery requirements
Goodis a clear description of the communication process with suppliers
-
Goodis observing all steps being taken as per the guidance
-
Goodshows that only authorised personnel accessed the equipment
Cross-framework mappings
How ISM-0286 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.21 | ISM-0286 requires organisations procuring high assurance IT equipment to contact ASD for any equipment-specific delivery procedures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.