On-Site Maintenance by Cleared Technicians
IT equipment maintenance and repairs must be done on-site by technicians with appropriate security clearances.
Plain language
When IT equipment such as computers and servers needs fixing or maintenance, the work must be done on-site by technicians who have the right security clearance. This is crucial because it prevents unauthorised people from accessing sensitive information on your devices, which could lead to data breaches or misuse of confidential information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Maintenance and repairs of IT equipment is carried out on site by an appropriately cleared technician.
Why it matters
Using uncleared technicians for on-site maintenance can enable unauthorised access to systems, leading to compromise or data exfiltration.
Operational notes
Confirm technician clearances before each visit, supervise on-site work, and record all maintenance actions in logs for later audit.
Implementation tips
- Managers should verify their technicians' security clearances before any on-site work begins. Request a copy of each technician's security clearance documentation and ensure it's valid and up-to-date.
- Office managers need to schedule maintenance during times that minimise disruption. Coordinate with the cleared technicians to find times when their equipment can be serviced without affecting office workflow.
- IT administrators should ensure only cleared technicians are on hand for maintenance tasks. Maintain a checklist of authorised technicians allowed to perform work on sensitive systems and restrict access to only those cleared.
- Procurement staff should update contracts to include the requirement for cleared technicians for any services involving on-site maintenance. Ensure suppliers understand this requirement and provide proof of technician clearances when services are contracted.
- Security officers should supervise or delegate staff to monitor the on-site maintenance work of technicians. Set up a logbook for recording when maintenance happens, who performed it, and what was done, ensuring records are kept securely.
Audit / evidence tips
- Ask: technician security clearance records: Request to see the documentation proving the technicians have appropriate clearances
  Good: is a register or folder containing up-to-date clearance documents for all relevant technicians
- Good: observation shows the process occurring as per the guidelines without unauthorised personnel present
- Ask: how they ensure suppliers provide cleared technicians
  Good: explains the validation process and any supporting contractual documentation
- Good: log captures the technician’s name, clearance check, and work done, detailed accurately
Cross-framework mappings
How ISM-0305 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.13 | ISM-0305 requires maintenance and repairs of IT equipment to be performed on-site by an appropriately cleared technician to manage securi... | |
| Partially overlaps (1) | | |
| Annex A 5.21 | ISM-0305 requires organisations to ensure maintenance and repairs occur on-site and are performed by appropriately cleared technicians, r... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.