Escort Unauthorised Technicians for IT Repairs
Ensure IT repair technicians who are not appropriately security cleared are escorted by a cleared, briefed and technically competent person to protect data and equipment integrity.
Plain language
This control ensures that a technician who does not hold an appropriate security clearance never works alone on your IT equipment. It matters because, without supervision, a technician could accidentally or deliberately view sensitive data, copy it, or alter the equipment (for example by swapping components or introducing malware), with consequences ranging from data breaches to financial and reputational damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
If an appropriately cleared technician is not used to undertake maintenance or repairs of IT equipment, the technician is escorted by someone who:
- is appropriately cleared and briefed
- takes due care to ensure that data is not disclosed
- takes all responsible measures to ensure the integrity of the IT equipment
- has the authority to direct the technician
- is sufficiently familiar with the IT equipment to understand the work being performed.
Why it matters
Unescorted or unmanaged external technicians may access or alter systems during repairs, leading to data disclosure, malware introduction, or hardware tampering that is difficult to detect afterwards.
Operational notes
If uncleared technicians must be used, assign a cleared escort who understands the equipment well enough to follow the work, has the authority to direct or stop it, monitors the technician's actions throughout, and prevents data access or equipment tampering.
Implementation tips
- Office managers should identify and document the staff members who hold the required security clearance and have the technical familiarity needed to escort uncleared technicians. This involves checking existing clearance and training records and confirming they are current.
- IT team leaders should create a clear process for escorting uncleared technicians. This entails developing a checklist the escort follows, including which areas are access-restricted, how equipment and storage media are to be handled, and when the escort must stop the work.
- HR should update job descriptions and responsibilities for roles that require escorting technicians. This means documenting the need for clearance, the briefing the escort must receive, and the escort's explicit authority to direct visiting technicians.
- Supervisors should brief the escorting staff on specific tasks and expectations before each maintenance session. This involves a short meeting covering the nature of the repair and the specific risks to data or equipment it presents.
- Procurement officers should ensure that contracts with external IT service providers include supervision conditions. This includes stipulating that technicians provided by the supplier are briefed on escort protocols on every visit, ensuring compliance with the organisation's policies.
Audit / evidence tips
- Ask for the list of cleared staff members responsible for escorting technicians. Good: complete, up-to-date records confirming their eligibility to escort.
- Good: the escort log shows consistent records of escort presence and clear documentation of each task attended.
- Ask escorts about specific tasks they monitored and any issues encountered. Good: they show clear awareness of their responsibilities and understanding of how to protect data during maintenance.
- Ask to observe an active escort during a technician visit. Good: the observation shows strict adherence to the organisation's data protection protocols, reflecting detailed supervision.
- Good: the supplier contract explicitly states escort protocols and penalties for failure to comply.
Cross-framework mappings
How ISM-0306 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 7.2 | Annex A 7.2 requires secure areas to be protected by entry controls so only authorised people can enter |
| Supports | Annex A 7.13 | Annex A 7.13 mandates correct maintenance of equipment for preserving information security |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.