ISM-0294 ASD Information Security Manual (ISM)

Label IT Equipment with Protective Markings

Ensure regular IT equipment is labelled to show its sensitivity level, but this doesn't apply to high assurance equipment.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
IT equipment, with the exception of high assurance IT equipment, is labelled with protective markings reflecting its sensitivity or classification.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about marking your IT equipment to show how sensitive the data it can handle is, except for some high-security gear. It's like putting labels on your office files so everyone knows how careful they need to be. If you don't label equipment, staff might accidentally treat sensitive data casually, leading to security breaches and data loss.

Why it matters

Without protective markings on IT equipment, sensitive assets can be mishandled or misrouted, increasing the risk of data exposure and unauthorised access.

Operational notes

Audit equipment labels after deployments, repairs and relocations, and ensure protective markings match the asset’s current sensitivity/classification and records.

Implementation tips

  • The IT manager should create a labelling policy: Decide consistent labels for different sensitivity levels like 'Confidential' or 'Public'. Make sure the policy is clear and everyone understands it.
  • Office managers should train staff: Organise short sessions to explain why equipment labelling is important and how it should be done. Everyone should know which equipment to label and what labels to use.
  • The IT team should apply labels: Physically attach the correct labels to the equipment based on its data sensitivity level. Use durable labels that are easy to read and won’t fall off.
  • Regular checks by IT support: Set monthly reminders for IT support to check that labels are still in place and readable, and update them if equipment roles change.
  • Procurement officers should coordinate: When new equipment arrives, ensure it’s labelled before going into regular use. Develop a checklist so that labelling isn’t overlooked during setup.

Audit / evidence tips

  • Ask: the labelling policy document

    Good: the policy lists categories like 'Confidential' and gives clear steps for assigning labels

  • Good: labels are on all necessary devices and match the current policy

  • Ask: them how they decide what labels go on which gear and how often they check labels

    Good: they explain the process clearly, including regular checks

  • Good: documents show equipment was labelled immediately after setup

  • Good: records show all staff have attended relevant training recently

Cross-framework mappings

How ISM-0294 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Supports (1)
Annex A 5.13 ISM-0294 requires organisations to label IT equipment (excluding high assurance equipment) with protective markings that reflect the equi...
