Label IT Equipment with Protective Markings
Ensure regular IT equipment is labelled to show its sensitivity level, but this doesn't apply to high assurance equipment.
Plain language
This control is all about marking your IT equipment to show how sensitive the data is that it can handle, except for some high-security gear. It's like putting labels on your office files so everyone knows how careful they need to be. If you don't label equipment, staff might accidentally treat sensitive data casually, leading to security breaches and data loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usageTopic
Labelling It EquipmentOfficial control statement
IT equipment, with the exception of high assurance IT equipment, is labelled with protective markings reflecting its sensitivity or classification.
Why it matters
Without protective markings on IT equipment, sensitive assets can be mishandled or misrouted, increasing the risk of data exposure and unauthorised access.
Operational notes
Audit equipment labels after deployments, repairs and relocations, and ensure protective markings match the asset’s current sensitivity/classification and records.
Implementation tips
- The IT manager should create a labelling policy: Decide consistent labels for different sensitivity levels like 'Confidential' or 'Public'. Make sure the policy is clear and everyone understands it.
- Office managers should train staff: Organise short sessions to explain why equipment labelling is important and how it should be done. Everyone should know which equipment to label and what labels to use.
- The IT team should apply labels: Physically attach the correct labels to the equipment based on its data sensitivity level. Use durable labels that are easy to read and won’t fall off.
- Regular checks by IT support: Set monthly reminders for IT support to check that labels are still in place and readable, and update them if equipment roles change.
- Procurement officers should coordinate: When new equipment arrives, ensure it’s labelled before going into regular use. Develop a checklist so that labelling isn’t overlooked during setup.
Audit / evidence tips
- AskThe labelling policy document GoodThe policy lists categories like 'Confidential' and gives clear steps for assigning labels
- GoodLabels are on all necessary devices and match the current policy
- AskThem how they decide what labels go on which gear and how often they check labels GoodThey explain the process clearly, including regular checks
- GoodDocuments show equipment was labelled immediately after setup
- GoodRecords show all staff have attended relevant training recently
Cross-framework mappings
How ISM-0294 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 5.13 | ISM-0294 requires organisations to label IT equipment (excluding high assurance equipment) with protective markings that reflect the equi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.