Secure Configuration of High Assurance IT Equipment
Ensure high-grade IT gear is set up and operated per ASD standards for security.
Plain language
This control is about ensuring that any high-grade IT equipment in your organisation is set up and used following the standards set by the Australian Signals Directorate (ASD). This matters because if the equipment isn't configured properly, it could lead to security vulnerabilities, making it easier for hackers to access sensitive information or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for evaluated products
Section
Evaluated product usage
Topic
Using Evaluated Products
Official control statement
High assurance IT equipment is installed, configured, administered and operated in an evaluated configuration and in accordance with ASD guidance.
Why it matters
If high assurance equipment is not operated in its evaluated configuration, security claims may not hold, enabling compromise of protected information and services.
Operational notes
Regularly confirm the device matches its evaluated build (firmware, patches, settings); disable non-evaluated functions and tightly restrict admin access per ASD guidance.
Implementation tips
- The IT team should ensure all high assurance IT equipment is installed according to the guidance from the Australian Signals Directorate (ASD). They can do this by carefully reading the ASD's detailed setup instructions and following each step when setting up new equipment.
- The procurement team should check that any high assurance IT equipment they purchase is ASD-certified for evaluated configurations. They can do this by consulting the ASD's Evaluated Products List (EPL) before making any purchase decisions.
- System administrators should periodically review the configuration of high assurance IT equipment. They should compare the current settings to those in the ASD guidelines and update them if there are any discrepancies.
- Managers should regularly schedule training for staff who manage high assurance equipment to ensure they understand ASD requirements and know how to implement them. This can be done through workshops or online training sessions.
- The organisation's leadership should ensure that there is a policy in place requiring all high assurance IT equipment to be configured as per ASD guidance before being put into operation. This policy should be documented and communicated clearly to relevant staff.
Audit / evidence tips
- Ask for the equipment configuration documentation: request the setup manuals or guides used by IT staff during installation.
  Good shows that the documented steps match ASD's evaluated configurations.
- Good is that all equipment in use appears on the ASD's list of approved products.
- Ask them how they ensure configurations are compliant with ASD guidelines.
  Good is that they can describe specific ASD-required configurations and demonstrate familiarity with ASD standards.
- Good setup follows ASD guidelines comprehensively without shortcuts.
- Good includes recent training sessions attended by staff, especially those directly involved with high assurance equipment.
Cross-framework mappings
How ISM-0290 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.9 | ISM-0290 requires high assurance IT equipment to be installed, configured, administered and operated in an evaluated configuration and in... | |
| Supports (3) | | |
| Annex A 7.13 | ISM-0290 requires high assurance IT equipment to be administered and operated in an evaluated configuration in accordance with ASD guidance | |
| Annex A 8.8 | ISM-0290 requires high assurance IT equipment to be configured and operated in an evaluated configuration following ASD guidance | |
| Annex A 8.19 | ISM-0290 requires high assurance IT equipment to be installed and operated in an evaluated configuration consistent with ASD guidance | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| E8-AH-ML2.1 | ISM-0290 requires high assurance IT equipment to be configured and operated in an evaluated configuration consistent with ASD guidance | |
| E8-AH-ML2.6 | ISM-0290 requires high assurance IT equipment to be installed and configured in an evaluated configuration in accordance with ASD guidance | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.