Protect Network Devices in Public Areas
Ensure network devices in public areas are secure from damage and unauthorised access.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for physical securitySection
Facilities and systemsPhysical security is implemented to protect network devices in public areas from physical damage or unauthorised access.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about keeping network devices safe when they're in public places, like a lobby or shared office space. The idea is to prevent anyone from damaging them or accessing them without permission. If these devices aren't protected, someone might tamper with them, allowing access to important information or even disrupting the entire network.
Why it matters
If network devices in public areas are not physically secured, they can be tampered with or stolen, causing outages and data compromise.
Operational notes
Regularly inspect locks, cabinets and mounting for public-area network devices, and promptly repair damage to prevent tampering or unauthorised access.
Implementation tips
- Facilities management should secure network devices by physically mounting them. Use lockable cabinets or enclosures to house routers and switches in public areas, making sure they are firmly attached to walls or secure surfaces.
- IT staff should regularly check that security measures are intact. Schedule monthly inspections to ensure devices remain securely housed and that locks or other securing mechanisms have not been tampered with.
- Office managers should limit physical access to network devices. Place devices in areas that are monitored by cameras or in areas only accessible to authorised personnel, such as locked rooms or behind reception desks with staff present.
- The IT team should install surveillance cameras to monitor devices. Position cameras to clearly view all devices in public spaces, ensuring recordings are regularly reviewed and stored according to your organisation's security policy.
- Procurement should purchase tamper-evident seals for devices. Apply seals to entry points on network devices to easily identify if someone has attempted to open or tamper with them.
Audit / evidence tips
-
Ask: inspection logs: Request monthly inspection reports from the IT team
Good: is a log showing inspections occurred as planned, with any issues promptly addressed
-
Ask: camera footage access: Request access to surveillance footage covering public network devices
Good: includes recent footage with clear resolution and documented storage routines
-
Ask: access records: Request logs of who has access to the areas where the devices are located
Good: record shows only approved personnel have had access, with documented sign-ins or electronic access logs
-
Ask: records of security incidents: Request documentation of any security incidents involving network devices in public areas
Good: details no incidents, or if incidents occurred, they were resolved with corrective measures taken
-
Ask: purchase records of security equipment: Request documents relating to procurement of locks, cabinets, and surveillance systems
Good: shows purchased items have been installed as planned and are in use
Cross-framework mappings
How ISM-1296 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 7.3 | ISM-1296 requires physical security to protect network devices located in public areas from physical damage or unauthorised access | |
| Annex A 7.8 | ISM-1296 requires physical security to protect network devices in public areas against tampering, theft, or damage | |
| Partially overlaps (4) | ||
| Annex A 7.1 | ISM-1296 requires physical security measures to protect network devices located in public areas from physical damage or unauthorised access | |
| Annex A 7.2 | ISM-1296 requires physical security to prevent unauthorised access to network devices in public areas and to reduce the likelihood of tam... | |
| Annex A 7.5 | ISM-1296 requires protecting network devices in public areas from physical damage and unauthorised access | |
| Annex A 8.20 | ISM-1296 requires physical protections for network devices in public areas to prevent physical damage or unauthorised physical access | |
| Supports (2) | ||
| Annex A 7.4 | ISM-1296 requires implementing physical security to protect network devices in public areas from unauthorised access and physical damage | |
| Annex A 7.12 | Annex A 7.12 requires cables carrying power or data to be protected from interception, interference, or damage | |