Controlling Access to Critical IT Infrastructure
Ensure keys to server and communication rooms are securely managed.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about keeping the keys to important areas like server rooms secure so that only authorised people can access them. If we don't keep these keys safe, unauthorised people might enter these critical areas, potentially damaging equipment, stealing data, or causing service disruptions.
Why it matters
Poor control of access keys could allow unauthorised entry to critical infrastructure, leading to data theft, sabotage, or severe operational disruptions.
Operational notes
Audit server room and comms room key registers regularly; revoke access for leavers and investigate missing keys immediately.
Implementation tips
- The facility manager should implement a key logging system to track who takes keys and when. This can be done by setting up a sign-in/sign-out sheet or using an electronic key management system to record these transactions.
- The IT manager should assign a responsible person to oversee server room access. They need to ensure that only authorised personnel are listed and given access, updating the list as roles change within the organisation.
- HR should conduct regular training for staff on the importance of securing key access. This involves setting up brief sessions to inform staff about why key control is critical and how misuse can impact the organisation.
- Security personnel should perform regular checks to make sure keys are stored securely when not in use. This involves routine inspections of the storage facility, ensuring it remains locked and only accessible to authorised staff.
- The manager in charge of security should have a protocol for lost or misplaced keys. This includes a prompt reporting mechanism, reviewing access logs, and changing locks or updating access mechanisms if a key is compromised.
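The key register audit described in the operational notes and the tips above (reconcile holders against the authorised list, revoke leavers, chase keys not returned) can be automated once the sign-in/sign-out sheet is kept as a simple log. The script below is an added example, not code from the Control Stack page or from ASD; the key log lines, the authorised list, the leavers list and the 12-hour expected return window are all constructed assumptions.

```python
"""Reconcile a server/comms room key register against the authorised list.

Added example; all data below is constructed for illustration.
Log format assumed: one event per line, "timestamp,key_id,person,action",
where action is "issued" or "returned".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample register (sign-in/sign-out sheet transcribed to CSV lines).
KEY_LOG = """\
2026-02-20T08:05,SR-01,alice,issued
2026-02-20T17:10,SR-01,alice,returned
2026-02-21T09:00,SR-02,bob,issued
2026-02-21T09:30,CR-01,carol,issued
2026-02-21T12:00,CR-01,carol,returned
2026-02-21T12:05,CR-02,carol,returned
2026-02-22T07:45,SR-03,dave,issued
"""

AUTHORISED = {"alice", "bob", "carol"}   # current dated access list (constructed)
LEAVERS = {"bob"}                         # HR leavers list (constructed)
NOW = datetime.fromisoformat("2026-02-22T18:00")  # time of the audit (constructed)
MAX_HOLD = timedelta(hours=12)            # assumed expected return window


@dataclass
class Finding:
    key_id: str
    person: str
    issue: str


def parse_log(text):
    """Parse the register into (timestamp, key_id, person, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, person, action = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), key_id, person, action))
    events.sort(key=lambda e: e[0])
    return events


def audit_key_register(log_text, authorised, leavers, now, max_hold=MAX_HOLD):
    """Replay the register and return findings an auditor would want to chase.

    Flags: keys held by leavers (revoke), keys held by people not on the
    authorised list, keys not returned within the expected window
    (investigate as possibly missing), and returns with no matching issue
    (register integrity problem).
    """
    findings = []
    holders = {}  # key_id -> (person, issued_at)
    for ts, key_id, person, action in parse_log(log_text):
        if action == "issued":
            holders[key_id] = (person, ts)
        elif action == "returned":
            if key_id not in holders:
                findings.append(Finding(key_id, person, "return recorded without matching issue"))
            holders.pop(key_id, None)
        else:
            findings.append(Finding(key_id, person, f"unknown action '{action}' in register"))

    for key_id, (person, issued_at) in sorted(holders.items()):
        if person in leavers:
            findings.append(Finding(key_id, person, "held by leaver; revoke and recover key"))
        elif person not in authorised:
            findings.append(Finding(key_id, person, "held by person not on authorised list"))
        if now - issued_at > max_hold:
            findings.append(Finding(key_id, person, "not returned within expected window; investigate"))
    return findings


if __name__ == "__main__":
    for f in audit_key_register(KEY_LOG, AUTHORISED, LEAVERS, NOW):
        print(f"{f.key_id:6} {f.person:8} {f.issue}")
```

Run against the constructed register it reports four findings: the return of CR-02 with no issue on record, SR-02 held by a leaver and also overdue, and SR-03 held by someone not on the authorised list. The same replay can be pointed at an electronic key cabinet's export instead of a transcribed sheet.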
Audit / evidence tips
- Ask: for the current list of authorised personnel with access to server and communication rooms. Good: a current, dated list with justified access for each person.
- Ask: for records of key issuance and returns. Good: a comprehensive log with names, dates, and times of when keys were issued and returned.
- Ask: to see the training records on key management for staff. Good: a programme with regular sessions (at least annually) and records showing that all relevant staff were trained.
- Ask: for security inspection reports for the storage location of the keys. Good: dated inspection logs with follow-up actions noted for any issues found.
- Ask: about the procedure for handling lost keys. Good: a procedure showing prompt steps taken, with a risk assessment and mitigation plan documented.
Cross-framework mappings
How ISM-1074 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.1 | ISM-1074 requires keys or equivalent access mechanisms to server rooms, communications rooms and security containers to be appropriately ... |
| Partially overlaps | Annex A 7.2 | Annex A 7.2 requires secure areas to be protected using appropriate entry controls and controlled access points. |