Secure Physical Access for Classified Equipment
Ensure physical security for critical equipment based on its classification.
Plain language
This guideline ensures that crucial pieces of technology, like servers and devices used for secure communications, are kept in secure rooms suited to their importance. If this isn't done, there's a risk of unauthorised people physically accessing these devices, potentially leading to theft, tampering, or disruption of services, which can result in the loss of sensitive information or harm to the organisation's operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
Classified servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their classification.
Why it matters
Without secure, classified-rated server/comms rooms, classified servers and crypto gear may be accessed or removed, causing data compromise and service disruption.
Operational notes
Ensure classified servers, network devices and crypto equipment stay within approved security zones; review room certification, access lists and entry logs when changes occur.
Implementation tips
- The facilities manager should ensure that rooms housing critical equipment meet security requirements by coordinating with a security consultant. This involves inspecting current facilities to confirm that locks, access controls, and monitoring systems such as CCTV are properly installed and operational.
- The IT team should keep an updated inventory of all classified equipment locations. This involves regularly verifying the presence and proper positioning of devices on site and maintaining a detailed log of any relocations or changes.
- Security personnel should conduct routine checks to ensure only authorised personnel have access to secure areas. This can be achieved by conducting unannounced spot checks and reviewing access logs regularly to identify any anomalies.
- Management should establish a clear policy stating who can access classified equipment, ensuring staff understand the importance of these areas. This could involve creating a document that lists authorised personnel and providing regular training sessions on access protocols.
- Procurement teams should purchase security systems that meet Australian Government security standards. They should evaluate suppliers based on their ability to provide systems that include features like robust access control, tamper alerts, and remote monitoring capabilities.
Audit / evidence tips
- Ask: the security policy document covering physical access controls
  Good: includes specific protocols matching the classification level and sign-off by the security manager
- Good: has logs that align with authorised user lists and no unexplained access instances
- Ask: a recent security audit report of the classified equipment areas
  Good: shows no major findings or has documented corrective actions for issues found
- Good: includes records of recent, regular training sessions underscoring the importance of security protocols
- Good: shows consistent maintenance as per manufacturer and security policy guidelines
Cross-framework mappings
How ISM-1053 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.1 | ISM-1053 requires classified ICT and cryptographic equipment to be located in secure server/communications rooms that satisfy security zo... |
| Partially meets | Annex A 7.3 | Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented to control physical access |
| Partially overlaps | Annex A 7.2 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be secured in server/communications rooms meeting th... |
| Partially overlaps | Annex A 7.4 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be housed in secure rooms that meet security zone re... |
| Partially overlaps | Annex A 7.8 | Annex A 7.8 requires equipment to be sited securely and protected to reduce physical threats and unauthorised access |
| Supports | Annex A 5.15 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be secured within appropriately classified security ... |
| Depends on | Annex A 5.12 | ISM-1053 requires physical security measures (security zones for server/communications rooms) to be suitable for the classification of th... |
| Related | Annex A 7.5 | Annex A 7.5 addresses implementing protections against physical threats to infrastructure and equipment |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.