ISM-0289 ASD Information Security Manual (ISM)

Implement and Manage Evaluated Products Correctly

Ensure evaluated products are set up and run correctly following vendor instructions and evaluated settings.

Plain language

This control is about making sure any security products you've bought that have been officially evaluated are set up and used exactly as the instructions say. If you don't, they might not protect you properly, leading to data breaches or system failures.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance.

Why it matters

Failure to adhere to evaluated settings may lead to exploitable security gaps, invalidating the product's assurance and exposing the organisation to breaches.

Operational notes

Regularly validate evaluated configuration baselines and vendor guidance; use change control, configuration drift monitoring and audits to prevent non-evaluated settings.

Implementation tips

  • System administrators should follow the vendor's installation manual and configuration guide for evaluated products. This involves reading the instructions carefully and setting the system up as described, without skipping any steps.
  • IT managers should verify that all security settings match the vendor's recommended configurations. This means checking each setting against a list provided by the vendor to ensure compliance.
  • The IT team should conduct a training session for staff using these products, making sure they understand how to operate the system effectively. This can be done by running a workshop and providing easy-to-follow user guides.
  • Procurement officers need to make sure they have the latest vendor documentation when acquiring evaluated products. This involves contacting the vendor or checking their website for any updates or amendments to manuals and guides.
  • Regular audits should be set up by internal auditors to confirm these products are still configured correctly over time. This can be done by scheduling periodic reviews and matching current settings with initial setup documents.

Audit / evidence tips

  • Ask: A copy of the vendor's installation and setup guide. Check that it is the latest version and was used during the product installation. Good: Shows the guide with notations or electronic marks indicating it was followed step-by-step.
  • Ask: To see system configuration reports. Review these against vendor-recommended settings. Good: Includes a comparison document or spreadsheet showing each setting checked off.
  • Ask: Them to describe the materials and any follow-up learning activities. Good: Includes comprehensive training records and user acknowledgments.
  • Good: Observation shows no deviations from the established procedures.
  • Good: Record shows regular audits with documented compliance with vendor guidelines.

Cross-framework mappings

How ISM-0289 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (2)
Annex A 8.9 ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan...
Annex A 8.19 Annex A 8.19 requires secure management of software installation on operational systems
Supports (1)
Annex A 8.32 ISM-0289 requires evaluated products to be installed, configured, administered and operated in their evaluated configuration and in accor...

E8

Control Notes Details
Partially overlaps (3)
E8-AH-ML2.5 ISM-0289 requires evaluated products to be configured, administered and operated in an evaluated configuration and in accordance with ven...
E8-AH-ML2.6 ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan...
E8-AH-ML2.9 ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
