Skip to content
Control Stack logo Control Stack
ISM-0286 ASD Information Security Manual (ISM)

Consult ASD for High Assurance IT Delivery Procedures

Contact ASD for delivery procedures when buying high-security IT equipment.

Proactive SECRET TOP SECRET Assurance and auditICT supply chainASD Information Security ManualGovernance

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for evaluated products

Section

Evaluated product procurement

Topic

Delivery of Evaluated Products
Official control statement
When procuring high assurance information technology (IT) equipment, ASD is contacted for any equipment-specific delivery procedures.

Source: ASD Information Security Manual (ISM)

Plain language

When you're buying high-security IT equipment, it's crucial to contact the Australian Signals Directorate (ASD) for specific delivery instructions. This matters because without following proper procedures, sensitive technology could be intercepted or tampered with during delivery, which could lead to data breaches or compromised systems.

Why it matters

If ASD delivery procedures aren’t consulted for high assurance IT procurements, equipment may be intercepted or tampered with before receipt.

Operational notes

Before delivery of high assurance IT equipment, contact ASD and follow any equipment-specific delivery/chain-of-custody procedures provided.

Implementation tips

  • Procurement managers should contact ASD: Reach out to the Australian Signals Directorate when planning to buy high-security IT equipment. Make sure you do this as early as possible in the procurement process to understand any special handling or delivery instructions.
  • IT team should document delivery procedures: After contacting ASD, the IT team should write down the recommended procedures. Keep these documents handy to ensure everyone involved in receiving the equipment follows the right steps.
  • The finance department should coordinate with suppliers: Ensure any contracts or purchase orders include references to the ASD's delivery requirements. This guarantees suppliers are aware and can comply with necessary security measures during shipping.
  • Security officers should monitor deliveries: Arrange for security personnel to be present when the delivery arrives. They should check that the equipment package is sealed and undamaged, following all ASD guidelines.
  • System owners should ensure secure storage: Once received, IT equipment should immediately go to a secure location. This prevents unauthorised access until the equipment can be properly installed and configured.

Audit / evidence tips

  • Ask: ASD communication records: Request emails or letters sent to or received from the ASD regarding delivery procedures

    Good: is clear communication showing the specific delivery advice from the ASD

  • Good: is a comprehensive, clear set of instructions tailored to the specific equipment

  • Ask: them about how they informed suppliers of the special delivery requirements

    Good: is a clear description of the communication process with suppliers

  • Good: is observing all steps being taken as per the guidance

  • Good: shows that only authorised personnel accessed the equipment

Cross-framework mappings

How ISM-0286 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.21 ISM-0286 requires organisations procuring high assurance IT equipment to contact ASD for any equipment-specific delivery procedures

Mapping detail

Mapping

Direction

Controls