ISM-1074, ASD Information Security Manual (ISM)

Controlling Access to Critical IT Infrastructure

Ensure keys to server and communication rooms are securely managed.

Plain language

This control is about keeping the keys to important areas like server rooms secure so that only authorised people can access them. If we don't keep these keys safe, unauthorised people might enter these critical areas, potentially damaging equipment, stealing data, or causing service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.
ASD Information Security Manual (ISM), ISM-1074

Why it matters

Poor control of access keys could allow unauthorised entry to critical infrastructure, leading to data theft, sabotage, or severe operational disruptions.

Operational notes

Audit server room and comms room key registers regularly; revoke access for leavers and investigate missing keys immediately.

Implementation tips

  • The facility manager should implement a key logging system to track who takes keys and when. This can be done by setting up a sign-in/sign-out sheet or using an electronic key management system to record these transactions.
  • The IT manager should assign a responsible person to oversee server room access. They need to ensure that only authorised personnel are listed and given access, updating the list as roles change within the organisation.
  • HR should conduct regular training for staff on the importance of securing key access. This involves setting up brief sessions to inform staff about why key control is critical and how misuse can impact the organisation.
  • Security personnel should perform regular checks to make sure keys are stored securely when not in use. This involves routine inspections of the storage facility, ensuring it remains locked and only accessible to authorised staff.
  • The manager in charge of security should have a protocol for lost or misplaced keys. This includes a prompt reporting mechanism, reviewing access logs, and changing locks or updating access mechanisms if a key is compromised.

Audit / evidence tips

  • Ask: The current list of authorised personnel with access to server and communication rooms. Good: Is a current, dated list with justified access for each person.
  • Ask: Records of key issuance and returns. Good: Is a comprehensive log with names, dates, and times of when keys were issued and returned.
  • Ask: To see the training records on key management for staff. Good: Program will have regular sessions (at least annually) and show that all relevant staff were trained.
  • Ask: Security inspection reports for the storage location of the keys. Good: Is dated inspection logs with follow-up actions noted for any issues found.
  • Ask: About the procedure for handling lost keys. Good: Procedure will show prompt steps taken, with a risk assessment and mitigation plan documented.

Cross-framework mappings

How ISM-1074 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.1: ISM-1074 requires keys or equivalent access mechanisms to server rooms, communications rooms and security containers to be appropriately ...

Partially overlaps (2)

  • Annex A 7.2: Annex A 7.2 requires organisations to protect secure areas through controlled entry and access points
  • Annex A 7.8: Annex A 7.8 requires equipment to be positioned and protected to reduce unauthorised access and physical harm

Related (1)

  • Annex A 7.5: Annex A 7.5 requires safeguards that protect infrastructure from physical threats and environmental events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
