Ensure Secure Access to Critical Infrastructure
Make sure rooms with servers and security equipment are always locked or secured.
Plain language
This control is about making sure that rooms with important servers and security equipment are always locked or under control. It matters because if these rooms aren’t secure, unauthorised people could tamper with equipment, steal data, or disrupt critical operations, causing financial and reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
Server rooms, communications rooms and security containers are not left in unsecured states.
Why it matters
Unlocked server rooms risk unauthorised access, leading to potential data breaches, equipment tampering, and operational disruptions.
Operational notes
Routinely verify server room/communications room doors and security containers are locked; review access logs and investigate anomalies promptly.
Implementation tips
- Facility Managers should check all server and equipment rooms are secured. They can install reliable locks and access systems, such as passcodes or keycards, and make sure only authorised staff have access.
- IT Teams need to monitor access to these rooms. They should set up cameras and review footage regularly to spot any unauthorised entries.
- Office Managers might conduct regular checks to confirm that locks and security cameras are working properly. This means setting aside time each week to do a quick walk-through and note anything that seems unusual or broken.
- Security Staff should log any visits to server rooms. They can keep a sign-in sheet or digital log requiring staff to record every entry, making it easier to track who accessed the room and when.
- Management should enforce security policies and provide training. They need to ensure all staff understand the importance of securing these areas and the potential consequences of neglecting this duty.
Audit / evidence tips
- Ask for access logs to the server rooms: Request the record of who accessed the room, especially any physical logbooks or digital access logs.
  Good: a regularly updated log with restricted access entries and no suspicious activity.
- Ask to see any training materials provided to staff: Request copies of any training and awareness materials given to employees regarding locking and securing equipment rooms.
  Good: includes detailed documents outlining best practices and protocols staff are expected to follow.
- Ask about security incident reports: Request any reports regarding past security breaches or attempted unauthorised access.
  Good: includes a report with analysis of incidents and documented follow-up actions to prevent recurrence.
- Ask for maintenance records of physical security systems: Request records showing regular checks and maintenance of locks and surveillance systems.
  Good: shows consistent maintenance logs with few significant repair needs or incidents.
- Ask for a security policy document: Request the document outlining the organisation's policy on physical security.
  Good: includes a comprehensive policy document with well-defined responsibilities and escalation procedures.
Cross-framework mappings
How ISM-0813 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.3 | Annex A 7.3 requires the design and implementation of physical security for offices, rooms and facilities to prevent unauthorised access |
| Partially overlaps | Annex A 7.2 | Annex A 7.2 requires secure areas to be protected by appropriate entry controls and managed access points so only authorised people can e... |
| Partially overlaps | Annex A 7.8 | Annex A 7.8 requires secure siting and physical protection of equipment to prevent unauthorised access or interference |
| Supports | Annex A 7.1 | Annex A 7.1 requires security perimeters to be defined and used to protect areas containing information and associated assets |
| Related | Annex A 7.5 | Annex A 7.5 requires organisations to design and implement protections against physical and environmental threats to infrastructure |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.