ISM-1137 ASD Information Security Manual (ISM)

Request Risk Assessment for Emanation Security

System owners must ask ASD for an emanation security risk assessment when setting up SECRET or TOP SECRET systems in fixed facilities.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
System owners deploying SECRET or TOP SECRET systems within fixed facilities contact ASD for an emanation security risk assessment.

Source: ASD Information Security Manual (ISM)

Plain language

When setting up systems classified SECRET or TOP SECRET, you need to ask the Australian Signals Directorate (ASD) to assess the security risks posed by electromagnetic emissions. This matters because data can be intercepted through electromagnetic signals if systems are not properly protected.

Why it matters

Without proper assessment, classified information might leak via electromagnetic signals, risking national security and sensitive data exposure.

Operational notes

Keep communication lines open with ASD for updates on best practices. Regularly review and refresh training to keep team knowledge current.

Implementation tips

  • System owners should identify all systems within the organisation that handle SECRET or TOP SECRET information. Make a comprehensive list of these systems, noting down the types of information they handle and their physical locations in your facilities.
  • System owners need to contact the ASD to request an emanation security threat assessment for each system identified. Visit the ASD website to find the appropriate contact information or seek guidance from your organisation's security advisor if available.
  • Owners should coordinate with their IT team to gather technical details and prepare for the ASD assessment. Ensure that you have documented how the systems are set up, including any measures already in place to prevent emission leaks.
  • The IT team should accompany the system owner during the ASD assessment. This allows for detailed discussions about existing security controls and provides an opportunity to ask for any immediate advice or feedback from the ASD experts.
  • After the assessment, system owners should work with the IT team to implement any recommendations provided by the ASD. Develop a follow-up action plan that prioritises critical actions and sets timelines for completion, keeping records of all steps taken.

Audit / evidence tips

  • Ask: a copy of the list of systems handling SECRET or TOP SECRET information

    Good: a dated, recently reviewed list that accurately reflects current systems

  • Ask: any security reports issued by the ASD after their assessments. Review whether the reports identify specific risks and offer actionable recommendations

    Good: the report clearly outlines potential risks and suggests practical solutions or improvements

  • Good: the action plan is well-structured, with a timeline and accountability for follow-up

Cross-framework mappings

How ISM-1137 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (2)

  • Annex A 7.1: ISM-1137 necessitates contacting ASD for an emanation security threat assessment for high-security systems
  • Annex A 7.6: ISM-1137 requires system owners of SECRET or TOP SECRET systems to contact ASD for an emanation threat assessment

Supports (1)

  • Annex A 5.5: ISM-1137 requires system owners deploying SECRET or TOP SECRET systems in fixed facilities to contact ASD for an emanation security threa...
