Implement and Manage Evaluated Products Correctly
Ensure evaluated products are set up and run correctly following vendor instructions and evaluated settings.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2023
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for evaluated products
Section
Evaluated product usage
Topic
Using Evaluated Products
Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure any security products you've bought that have been officially evaluated are set up and used exactly as the instructions say. If you don't, they might not protect you properly, leading to data breaches or system failures.
Why it matters
Failure to adhere to evaluated settings may lead to exploitable security gaps, invalidating the product's assurance and exposing the organisation to breaches.
Operational notes
Regularly validate evaluated configuration baselines and vendor guidance; use change control, configuration drift monitoring and audits to prevent non-evaluated settings.
Implementation tips
- System administrators should follow the vendor's installation manual and configuration guide for evaluated products. This involves reading the instructions carefully and setting the system up as described, without skipping any steps.
- IT managers should verify that all security settings match the vendor's recommended configurations. This means checking each setting against a list provided by the vendor to ensure compliance.
- The IT team should conduct a training session for staff using these products, making sure they understand how to operate the system effectively. This can be done by running a workshop and providing easy-to-follow user guides.
- Procurement officers need to make sure they have the latest vendor documentation when acquiring evaluated products. This involves contacting the vendor or checking their website for any updates or amendments to manuals and guides.
- Regular audits should be set up by internal auditors to confirm these products are still configured correctly over time. This can be done by scheduling periodic reviews and matching current settings with initial setup documents.
Audit / evidence tips
- Ask: a copy of the vendor's installation and setup guide. Check that it is the latest version and was used during the product installation.
  Good: shows the guide with notations or electronic marks indicating it was followed step-by-step
- Ask: to see system configuration reports. Review these against vendor-recommended settings.
  Good: includes a comparison document or spreadsheet showing each setting checked off
- Ask: them to describe the materials and any follow-up learning activities
  Good: includes comprehensive training records and user acknowledgments
- Good: observation shows no deviations from the established procedures
- Good: record shows regular audits with documented compliance with vendor guidelines
Cross-framework mappings
How ISM-0289 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 8.9 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan... | |
| Annex A 8.19 | Annex A 8.19 requires secure management of software installation on operational systems | |
| Supports (1) | ||
| Annex A 8.32 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in their evaluated configuration and in accor... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | ||
| E8-AH-ML2.5 | ISM-0289 requires evaluated products to be configured, administered and operated in an evaluated configuration and in accordance with ven... | |
| E8-AH-ML2.6 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan... | |
| E8-AH-ML2.9 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan... | |