Secure Facilities Based on System Classification
Ensure classified systems are in facilities suitable for their security needs.
Plain language
This control ensures that systems with classified information are stored in secure environments that match their level of sensitivity. This is important because if these systems are in facilities that don't meet their security needs, sensitive data could be stolen or tampered with, leading to privacy breaches and potentially damaging the organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
Classified systems are secured in facilities that meet the requirements for a security zone suitable for their classification.
Why it matters
Facilities that do not meet the required security zone for the system’s classification can enable unauthorised physical access, leading to classified data compromise and reputational harm.
Operational notes
Confirm the facility’s security zone matches the system classification (e.g., barriers, access control, alarms, visitor controls) and revalidate after changes to location or classification.
Implementation tips
- Facilities Manager should assess each facility: Determine the security classification of systems housed in each location. Evaluate if the facility meets the necessary security criteria for the system's classification level, such as physical barriers or surveillance.
- IT Manager should coordinate with security personnel: Develop protocols that match the security requirements for classified systems in each facility. Ensure that all access points have the appropriate locks or entry systems aligned with the system's classification.
- Security Team should conduct regular inspections: Schedule inspections to check that the facilities remain compliant with necessary security standards. If deficiencies are found, take immediate action to enhance physical security measures such as installing security cameras or alarm systems.
- Operations Manager should train staff: Organise regular training sessions to educate staff about the importance of maintaining the security of classified systems. Provide clear instructions on how to properly access these areas and reinforce the protocols that need to be followed.
- Executive Team should review security policies: Regularly review and update facility security policies to align with current threats and regulatory requirements. Ensure that any changes are swiftly communicated and implemented across the organisation.
Audit / evidence tips
- Ask for the facility security plan: request documentation detailing the security measures in place at each facility housing classified systems.
  Good evidence: detailed documentation that aligns with the level of system classification.
- Ask for access control logs: request logs or records of who has accessed the facilities where classified systems are housed.
  Good evidence: records demonstrating adherence to access protocols.
- Ask for inspection reports: request recent reports from internal or external facility inspections.
  Good evidence: a report demonstrating ongoing compliance and rectified issues.
- Ask for training records: request evidence of staff training sessions related to securing classified systems.
  Good evidence: recent and relevant training records with high attendance and comprehensive content.
- Ask for incident response records: request logs of any security incidents related to facility access.
  Good evidence: a well-documented log showing prompt and effective responses to any breaches.
Cross-framework mappings
How ISM-0810 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Annex A 7.1 | ISM-0810 requires that facilities hosting classified systems meet the requirements of an appropriate security zone for the classification | |
| Annex A 7.2 | ISM-0810 requires classified systems to be hosted in facilities that meet the requirements for a security zone appropriate to their class... | |
| Annex A 7.3 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented | |
| Annex A 7.5 | ISM-0810 requires classified systems to be secured within facilities that meet security zone requirements suitable for the system’s class... | |
| Partially overlaps (2) | | |
| Annex A 7.6 | Annex A 7.6 requires organisations to design and implement security measures for working in secure areas to protect sensitive activities ... | |
| Annex A 7.8 | Annex A 7.8 requires secure siting and protection of equipment to prevent physical compromise | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.