Secure Facilities Based on System Classification
Ensure classified systems are in facilities suitable for their security needs.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
OS, P, S, TS
🗓️ ISM last updated
Nov 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Classified systems are secured in facilities that meet the requirements for a security zone suitable for their classification.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that systems with classified information are stored in secure environments that match their level of sensitivity. This is important because if these systems are in facilities that don't meet their security needs, sensitive data could be stolen or tampered with, leading to privacy breaches and potentially damaging the organisation's reputation.
Why it matters
Facilities that do not meet the required security zone for the system’s classification can enable unauthorised physical access, leading to classified data compromise and reputational harm.
Operational notes
Confirm the facility’s security zone matches the system classification (e.g., barriers, access control, alarms, visitor controls) and revalidate after changes to location or classification.
Implementation tips
- Facilities Manager should assess each facility: Determine the security classification of systems housed in each location. Evaluate if the facility meets the necessary security criteria for the system's classification level, such as physical barriers or surveillance.
- IT Manager should coordinate with security personnel: Develop protocols that match the security requirements for classified systems in each facility. Ensure that all access points have the appropriate locks or entry systems aligned with the system's classification.
- Security Team should conduct regular inspections: Schedule inspections to check that the facilities remain compliant with necessary security standards. If deficiencies are found, take immediate action to enhance physical security measures such as installing security cameras or alarm systems.
- Operations Manager should train staff: Organise regular training sessions to educate staff about the importance of maintaining the security of classified systems. Provide clear instructions on how to properly access these areas and reinforce the protocols that need to be followed.
- Executive Team should review security policies: Regularly review and update facility security policies to align with current threats and regulatory requirements. Ensure that any changes are swiftly communicated and implemented across the organisation.
Audit / evidence tips
- Ask: the facility security plan: Request documentation detailing the security measures in place at each facility housing classified systems.
  Good: is detailed documentation that aligns with the level of system classification.
- Ask: access control logs: Request logs or records of who has accessed the facilities where classified systems are housed.
  Good: includes records demonstrating adherence to access protocols.
- Ask: inspection reports: Request recent reports from internal or external facility inspections.
  Good: is a report demonstrating ongoing compliance and rectified issues.
- Ask: training records: Request evidence of staff training sessions related to securing classified systems.
  Good: includes recent and relevant training records with high attendance and comprehensive content.
- Ask: incident response records: Request logs of any security incidents related to facility access.
  Good: is a well-documented log showing prompt and effective responses to any breaches.
Cross-framework mappings
How ISM-0810 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Annex A 7.1 | ISM-0810 requires that facilities hosting classified systems meet the requirements of an appropriate security zone for the classification | |
| Annex A 7.2 | ISM-0810 requires classified systems to be hosted in facilities that meet the requirements for a security zone appropriate to their class... | |
| Annex A 7.3 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented | |
| Annex A 7.5 | ISM-0810 requires classified systems to be secured within facilities that meet security zone requirements suitable for the system’s class... | |
| Partially overlaps (1) | | |
| Annex A 7.8 | Annex A 7.8 requires equipment to be sited securely and protected against unauthorised access and physical harm | |