ISM-0462 ASD Information Security Manual (ISM)

Managing Encryption Access for IT Equipment and Media

IT systems are treated according to their original sensitivity when accessed using encryption.

Plain language

This control is about ensuring that when you use encrypted devices or storage, they are treated with the same security precautions as when they were originally secured. If this is not followed, sensitive information could be exposed accidentally, because people might assume these items are always safe without checking the security settings in use.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When a user authenticates to the encryption functionality of IT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from the encryption functionality.

Why it matters

If users stay authenticated to encryption, equipment/media must be treated at original classification; mishandling can cause classified data exposure.

Operational notes

Ensure devices/media remain handled at their original classification while users are authenticated to encryption; require prompt deauthentication when finished.

Implementation tips

  • System owners should ensure all IT equipment and media with encryption are classified accurately based on their original sensitivity. This can be done by reviewing the classification documents and confirming they match the device's purpose and data type.
  • The IT team should configure devices to require user authentication before accessing encrypted data. Set up login prompts and passwords that align with the original sensitivity level and data classification standards.
  • Managers should implement clear policies for deauthentication from encrypted devices or media. This involves instructing users to log out or detach access when finished, ensuring security is maintained when devices are idle.
  • HR should conduct regular training on encryption importance and usage for all employees accessing sensitive equipment. Training materials should cover how to authenticate and deauthenticate properly and the reasons for these practices.
  • Procurement should coordinate with IT to acquire encryption solutions that support required authentication mechanisms. When selecting products, verify that they allow easy implementation of existing classification levels.

Audit / evidence tips

  • Ask: Equipment classification records: Request the documentation detailing the original sensitivity classification of IT devices and media.
    Good: All devices are listed with accurate classification and matching current security practices.
  • Good: Logs show all interactions with encryption functions and maintain accuracy.
  • Ask: The security policy documents: Request policies outlining procedures for encryption and access control.
    Good: Policies are clear, comprehensive, and specifically cover authentication and deauthentication steps.
  • Good: Recent, widespread training with clear agendas covering required encryption practices.
  • Ask: Device procurement lists: Obtain lists of all encrypted devices with details on their authentication capabilities.
    Good: Devices capable of supporting authentication and classification requirements.

Cross-framework mappings

How ISM-0462 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 7.10: ISM-0462 requires that authenticating to encryption does not reduce the sensitivity/classification of IT equipment or media while the use...
  • Annex A 8.3: ISM-0462 requires that when a user authenticates to encryption on IT equipment or media, the equipment/media is treated at its original s...

Depends on (1)

  • Annex A 5.12: ISM-0462 requires that organisations treat IT equipment or media according to its original sensitivity/classification during the period a...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
