Classify IT Equipment by Data Sensitivity
Label IT equipment based on the sensitivity of the data it handles.
Plain language
This control is about making sure that your computers, phones, and other IT gadgets are set up to handle the level of sensitive data they work with. If not done right, there’s a risk that sensitive information could be exposed, leading to breaches of trust, legal problems, and financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usage
Topic
Classifying IT Equipment
Official control statement
IT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.
Why it matters
If equipment is classified below the data it handles, sensitive data may be stored or transmitted on unsuitable devices, increasing disclosure risk.
Operational notes
Classify each device to the highest data sensitivity it is approved to process/store/transmit, and update labels/records when approvals or usage change.
Implementation tips
- IT personnel should review each piece of IT equipment to determine the most sensitive type of data it can process. They can do this by listing all data types each device handles and checking if the equipment is suitable for its sensitivity level.
- Managers should assign a classification to each device based on the data it handles. This could be as simple as using coloured stickers that represent different levels of sensitivity, like green for public data and red for highly sensitive data.
- System administrators need to ensure that all devices are labelled correctly according to their data sensitivity level. They can achieve this by creating a checklist for labelling devices during their initial setup or regular maintenance.
- The IT team should provide training sessions for staff so they understand what the classifications mean and how to handle devices according to their sensitivity. This could be a quick briefing during team meetings or part of an onboarding program.
- Office managers should keep a record of all equipment classifications in an accessible document. This helps in regularly verifying and updating device statuses as data sensitivity requirements change.
Audit / evidence tips
- Ask for the IT equipment classification register: request a document or spreadsheet listing all IT equipment and their assigned data sensitivity levels.
  Good is a detailed register with classifications matched to device types.
- Ask them how they identify the data sensitivity level of the equipment they use.
  Good is staff describing clear procedures for identifying classified devices and understanding what each classification means.
- Good is seeing a variety of labelled equipment that conforms with documented data sensitivity levels.
- Good is a policy that aligns with best practices like those advised by the Australian Signals Directorate (ASD).
- Ask for records of attendance and session content.
  Good is a list of recent training sessions, participant names, and a summary of covered topics pertinent to equipment classification.
Cross-framework mappings
How ISM-0293 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.13 | ISM-0293 requires IT equipment to be classified (and practically labelled) according to the highest data sensitivity it can process, stor... | |
| Depends on (1) | | |
| Annex A 5.12 | ISM-0293 requires IT equipment to be classified based on the highest sensitivity or classification of data it is approved to process, sto... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.