Ensure High Assurance for Peripheral Switches
Peripheral switches used between classified and unclassified systems must undergo a thorough security evaluation.
Plain language
If you have devices that switch connections between highly classified and regular computer systems, it's crucial they undergo a thorough security check. This is to prevent sensitive information from slipping through the cracks and ending up where it shouldn't be.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation.
Why it matters
Failing to ensure high assurance for peripheral switches risks data leaks, where classified information may inadvertently transfer to less secure systems.
Operational notes
Maintain evidence the peripheral switch has passed a high assurance evaluation for SECRET/TOP SECRET sharing; replace any unevaluated model.
Implementation tips
- The IT manager should first identify all peripheral switches currently used between classified and non-classified systems. Make a list of these switches and where they are used within the organisation.
- Procurement should ensure that any new peripheral switches purchased meet high-assurance security standards. Work with verified suppliers and check for certifications that meet local security regulations.
- System owners should organise a high-assurance security evaluation for each switch used in classified environments. This might mean scheduling an appointment with an external security consultant specialised in this field.
- The IT team should document the results of the security evaluations for peripheral switches. Keep a detailed report of findings and any actions taken to address security weaknesses.
- Management should regularly schedule reviews of the security status of these switches, ensuring that no outdated or unassessed hardware remains in use. Set up a calendar reminder for these check-ins and involve the cybersecurity officer in each review.
Audit / evidence tips
- AskA list of all peripheral switches currently in use: This should include details of their usage in classified and unclassified systems GoodA comprehensive list with each switch's installation date and current operational status
- GoodA well-documented report with clear findings and mitigation steps completed
- AskTo see procurement records for these switches: Ensure they include proof of purchase from authorised suppliers who meet security standards GoodVerified procurement processes with a clear chain of custody showing certified equipment was acquired
- GoodScheduled reviews with documented outcomes and plans for the next checks
- AskTo see evidence of actions taken after evaluations: Ensure there is documentation on how vulnerabilities are mitigated or addressed GoodAll vulnerabilities had corresponding actions with proof they have been completed or are in progress
Cross-framework mappings
How ISM-1480 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 5.19 | ISM-1480 requires evaluated peripheral switches that bridge SECRET/TOP SECRET and lower classifications to undergo a high assurance evalu... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.