Secure Facilities for Classified Systems
Classified systems are kept in secure locations fitting their classification level.
Plain language
This control is about making sure that classified systems—those that handle sensitive information—are stored in locations that match their security needs. Imagine if you kept your life savings under a mattress instead of in a secure bank; unprotected systems are just as vulnerable, risking data breaches and serious consequences for your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO oversees the development, implementation and maintenance of their organisation's cyber security awareness training program.
Why it matters
Without CISO oversight of security awareness training, personnel might mishandle classified systems, raising the risk of data breaches and operational disruptions.
Operational notes
Have the CISO approve the awareness plan and review completion rates, test results and incident trends quarterly; update modules to address identified gaps.
Implementation tips
- Facilities Manager should ensure that the locations where classified systems are stored have the right security measures. This could mean installing physical barriers like locked doors or security guards, based on the system's classification level.
- IT Team should work with security experts to identify what specific security zone requirements are needed for systems in each classification level. This could include physical access control systems or surveillance cameras to monitor important areas.
- System Owners must regularly review and verify that their classified systems are still in suitable secure locations. This involves checking for any changes in physical infrastructure that might impact security.
- HR with Facilities Manager should provide training to staff on the importance of maintaining these secure environments. Run sessions to explain why certain areas are restricted and how breaches could impact the business.
- Leadership should support the implementation of security zones by allocating budget and resources. This could include funding for physical security upgrades or hiring extra security personnel to monitor the areas.
Audit / evidence tips
- Ask: a copy of the security plan for each classified system: Request detailed documents that outline the security zones
  Good: means a clear, dated plan specifying all necessary security measures
- Ask: access logs: Obtain access logs for physical locations where classified systems are housed
  Good: shows logs that match authorised access only
- Good: includes signatures from the facilities or security team and is regularly reviewed
- Ask: surveillance reports: Get the last three months' worth of surveillance records from areas storing classified systems
  Good: result shows continuous, documented surveillance checks
Cross-framework mappings
How ISM-0735 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.3 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, focusing on facility-level... | |
| Partially overlaps (4) | | |
| Annex A 7.1 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, which typically depends on... | |
| Annex A 7.5 | ISM-0735 addresses keeping classified systems in secure locations suitable for their classification, which includes ensuring the environm... | |
| Annex A 7.6 | ISM-0735 requires classified systems to be housed in secure locations commensurate with their classification, implying controlled environ... | |
| Annex A 7.8 | ISM-0735 requires classified systems to be kept in secure locations appropriate to their classification level, addressing the physical pr... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.