Seek Approval for High Assurance IT Repairs
Get ASD's approval before repairing sensitive IT systems.
Plain language
Before you fix any crucial IT equipment that's designed to keep sensitive information safe, you need to get the go-ahead from the Australian Signals Directorate (ASD). This is essential because fixing things without approval might unintentionally create security gaps, leaving your data exposed or misused.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
ASD's approval is sought before undertaking any maintenance or repairs to high assurance IT equipment.
Why it matters
If ASD approval isn’t obtained before repairing high assurance IT equipment, unauthorised changes may weaken assurance and expose classified data.
Operational notes
Before any repair on high assurance IT equipment, obtain ASD approval, then record who performed the work, what was changed, and approvals granted.
Implementation tips
- IT managers should compile a list of all high assurance IT equipment that falls under this control. This involves identifying equipment like secure servers or encryption devices. Keep the list updated and make sure it's easily accessible for all relevant staff.
- Before any maintenance work is done, IT staff should contact ASD for approval. Use a standardised request form that clearly describes the equipment and the nature of the repairs needed. This helps ensure there's a clear record of the request and approval process.
- System owners should coordinate with the maintenance team to schedule repairs. Ensure that enough time is allocated for ASD to review and approve the request. This prevents delays and complies with the control requirements.
- Staff involved in equipment maintenance should be trained on the policy that requires ASD approval for repairs. Offer regular training sessions and include this requirement in your onboarding process for new employees.
- The IT department should keep records of all communications with ASD regarding repair approvals. This includes emails, documents, and any other materials. This ensures transparency and aids in future audits.
Audit / evidence tips
- AskThe list of high assurance IT equipment: Request documentation identifying the relevant equipment GoodList includes equipment names, locations, and last update date
- AskTo see the repair request form submitted to ASD: Request a sample of recent requests GoodForm is well-documented with equipment details and repair nature clearly outlined
- AskCommunications logs between IT and ASD: Request records of approvals or denials from ASD GoodLog shows consistent follow-ups and ASD's approval before repairs
- AskAbout the training schedule for staff: Request evidence of training sessions regarding repair protocols
- AskEvidence of follow-up reviews post-repair: Request a report showing post-repair evaluations GoodIncludes evaluations showing equipment integrity post-repair
Cross-framework mappings
How ISM-1079 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.32 | ISM-1079 requires ASD approval before performing maintenance or repairs on high assurance IT equipment | |
| handshake Supports (1) expand_less | ||
| Annex A 7.13 | Annex A 7.13 requires proper equipment maintenance to ensure security | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.