ISM-1296, ASD Information Security Manual (ISM)

Protect Network Devices in Public Areas

Ensure network devices in public areas are secure from damage and unauthorised access.

Plain language

This control is about keeping network devices safe when they're in public places, like a lobby or shared office space. The idea is to prevent anyone from damaging them or accessing them without permission. If these devices aren't protected, someone might tamper with them, allowing access to important information or even disrupting the entire network.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access.
ASD Information Security Manual (ISM) ISM-1296

Why it matters

If network devices in public areas are not physically secured, they can be tampered with or stolen, causing outages and data compromise.

Operational notes

Regularly inspect locks, cabinets and mounting for public-area network devices, and promptly repair damage to prevent tampering or unauthorised access.

Implementation tips

  • Facilities management should secure network devices by physically mounting them. Use lockable cabinets or enclosures to house routers and switches in public areas, making sure they are firmly attached to walls or secure surfaces.
  • IT staff should regularly check that security measures are intact. Schedule monthly inspections to ensure devices remain securely housed and that locks or other securing mechanisms have not been tampered with.
  • Office managers should limit physical access to network devices. Place devices in areas that are monitored by cameras or in areas only accessible to authorised personnel, such as locked rooms or behind reception desks with staff present.
  • The IT team should install surveillance cameras to monitor devices. Position cameras to clearly view all devices in public spaces, ensuring recordings are regularly reviewed and stored according to your organisation's security policy.
  • Procurement should purchase tamper-evident seals for devices. Apply seals to entry points on network devices to easily identify if someone has attempted to open or tamper with them.

Audit / evidence tips

  • Inspection logs. Ask: Request monthly inspection reports from the IT team. Good: Is a log showing inspections occurred as planned, with any issues promptly addressed.
  • Camera footage access. Ask: Request access to surveillance footage covering public network devices. Good: Includes recent footage with clear resolution and documented storage routines.
  • Access records. Ask: Request logs of who has access to the areas where the devices are located. Good: Record shows only approved personnel have had access, with documented sign-ins or electronic access logs.
  • Records of security incidents. Ask: Request documentation of any security incidents involving network devices in public areas. Good: Details no incidents, or if incidents occurred, they were resolved with corrective measures taken.
  • Purchase records of security equipment. Ask: Request documents relating to procurement of locks, cabinets, and surveillance systems. Good: Shows purchased items have been installed as planned and are in use.

Cross-framework mappings

How ISM-1296 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control and notes, grouped by relationship:

Partially meets (2)

  • Annex A 7.3: ISM-1296 requires physical security to protect network devices located in public areas from physical damage or unauthorised access
  • Annex A 7.8: ISM-1296 requires physical security to protect network devices in public areas against tampering, theft, or damage

Partially overlaps (5)

  • Annex A 7.1: ISM-1296 requires physical security measures to protect network devices located in public areas from physical damage or unauthorised access
  • Annex A 7.2: ISM-1296 requires physical security to prevent unauthorised access to network devices in public areas and to reduce the likelihood of tam...
  • Annex A 7.5: ISM-1296 requires protecting network devices in public areas from physical damage and unauthorised access
  • Annex A 7.6: Annex A 7.6 concerns security within secure areas, not public spaces
  • Annex A 8.20: ISM-1296 requires physical protections for network devices in public areas to prevent physical damage or unauthorised physical access

Supports (2)

  • Annex A 7.4: ISM-1296 requires implementing physical security to protect network devices in public areas from unauthorised access and physical damage
  • Annex A 7.12: Annex A 7.12 requires cables carrying power or data to be protected from interception, interference, or damage

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.