Ensure Off-site IT Repairs Are Conducted at Approved Facilities
IT equipment sent for repair off-site must be taken to facilities that can handle its security level.
Plain language
When you send your IT equipment out for a fix, like a broken computer or server, it’s vital to ensure it's going to a repair facility that can handle its level of confidentiality. If this isn’t done, there's a risk that sensitive data could be exposed or misused, leading to privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IT equipment maintained or repaired off site is done so at facilities approved for handling the sensitivity or classification of the IT equipment.
Why it matters
Repair at unapproved facilities risks exposure of classified data, enabling compromise or espionage and causing financial and reputational harm.
Operational notes
Maintain an approved list of off-site repair facilities by classification, and re-validate partner clearances and secure handling requirements before each repair.
Implementation tips
- The manager or IT lead should create a list of approved repair facilities that meet security standards. They can do this by reviewing each facility’s security certifications and previous track record with handling sensitive equipment, ensuring their processes align with necessary privacy and data protection regulations.
- Procurement teams should ensure that any contracts or agreements with repair facilities include clear clauses about security and confidentiality standards specific to the types of equipment being handled. This can be done during the negotiation phase by stipulating the need for secure handling procedures as part of the service agreement.
- IT staff should verify the classification level of the equipment before sending it for off-site repairs. They can do this by consulting with data security officers to ensure the necessary handling procedures align with the equipment’s security classification.
- The security officer should establish a protocol for transporting the equipment to and from the repair facility. This could include using secure, company-approved courier services and ensuring the physical protection of the devices during transit.
- Training should be provided to all relevant staff by HR to ensure they understand the importance of using approved facilities for off-site repairs. This training can be part of regular security awareness programs and should highlight real-life risks and consequences of not following these protocols.
Audit / evidence tips
- Ask: a list of currently approved repair facilities
  Good: the list will be up-to-date and include valid certifications matching your equipment's security needs
- Good: the agreement will explicitly state the security obligations of the facility and describe how they manage classified data
- Ask: them how they determine which facilities are appropriate for different security levels
  Good: answers will show awareness of security classifications and reliance on the approved list
- Good: the process ensures that equipment is securely packed and handed to approved couriers
Cross-framework mappings
How ISM-0310 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 7.13 | ISM-0310 requires that IT equipment maintained or repaired off site is handled only at facilities approved for the equipment’s sensitivit... |
| Supports | Annex A 5.21 | ISM-0310 requires organisations to ensure off-site IT repairs are conducted only at facilities approved to handle the asset’s classification |
| Supports | Annex A 5.22 | ISM-0310 requires that off-site maintenance/repairs occur only at approved facilities suitable for the equipment’s classification |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.