Transport of Keyed Cryptographic Equipment
Cryptographic equipment is moved securely depending on the sensitivity of its keys.
Plain language
Transporting cryptographic equipment safely and securely is crucial because it often holds sensitive keys that can unlock sensitive information. If these keys fall into the wrong hands, it could lead to unauthorised access and potential data breaches, harming your business's reputation and financial security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Cryptographic fundamentalsOfficial control statement
Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material.
Why it matters
If keyed cryptographic equipment is transported without safeguards matching the key material classification, keys may be exposed, enabling decryption and unauthorised system access.
Operational notes
Transport keyed cryptographic equipment using controls matched to the keying material classification (e.g., courier/escort, tamper-evident packaging), and maintain documented chain-of-custody at each handover.
Implementation tips
- The IT manager should assess the sensitivity of the cryptographic equipment before transport. This involves reviewing the classification level of the keying material and consulting any relevant policies or guidelines on its sensitivity.
- Logistics personnel responsible for equipment movement should ensure secure transport methods are used, such as sealed delivery containers or using trusted couriers. They should verify that all personnel handling the equipment have appropriate clearances.
- Before transport, the security officer should document a transport plan that outlines who is responsible for the delivery, the route taken, and the estimated delivery time. This document should be shared with all relevant parties.
- The system owner should conduct a briefing for all transport personnel, highlighting the importance of maintaining the integrity and security of the equipment. This should include emergency contacts and procedures if the equipment is compromised.
- After delivery, the receiving party - often the intended IT or security team - should inspect the equipment for any signs of tampering. They should communicate acceptance and confirm that the equipment arrived as expected, intact and secure.
Audit / evidence tips
- AskThe equipment transport log: Request the logs detailing the transportation of cryptographic equipment GoodIncludes comprehensive logs with all details and no unexplained gaps
- AskSecurity clearance records of personnel involved: Request to see the clearance levels of those who handled the cryptographic equipment
- AskThe transport plan document: Request the documented transport plan used for the equipment GoodContains a clearly defined plan that all parties signed off on
- AskDelivery confirmation: Request evidence of the final delivery confirmation GoodConfirmation indicates that the equipment was received intact and securely
- AskIncident reports regarding transport: Request any incident reports related to equipment transport GoodProtocol has no incidents reported, or if there are, they are resolved with clear steps taken
Cross-framework mappings
How ISM-0501 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 5.13 | ISM-0501 requires keyed cryptographic equipment to be transported according to the sensitivity/classification of its keying material | |
| extension Depends on (1) expand_less | ||
| Annex A 5.12 | ISM-0501 requires transport controls for keyed cryptographic equipment to be selected based on the sensitivity/classification of the keyi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.