Secure Classified Equipment in Suitable Security Containers
Keep classified IT equipment in secure containers based on their classification and location's security zone.
Plain language
This control is about keeping sensitive IT equipment, like servers and network devices, safe from unauthorised access by storing them in secure containers. It matters because if these items are not properly protected, someone could tamper with them, leading to data breaches, loss of sensitive information, or disruptions to business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical securitySection
Facilities and systemsOfficial control statement
Classified servers, network devices and cryptographic equipment are secured in security containers suitable for their classification taking into account the combination of security zones they reside in.
Why it matters
If classified servers, network devices or crypto gear aren’t stored in suitable security containers, they can be accessed or tampered with, causing classified data compromise and service disruption.
Operational notes
Regularly inspect security containers for tampering, confirm locks/alarms work, and verify containers are rated suitable for the equipment’s classification and zone combination.
Implementation tips
- Business owners should work with an IT consultant to identify which IT equipment is classified and where it should be stored securely. The consultant can help create a list of all classified equipment and assess the current storage situation.
- Facilities managers should arrange to acquire the right security containers for equipment storage. This could involve researching suppliers who offer security-rated safes or cabinets and ensuring they match the security classification needed.
- IT teams should ensure the secure containers are installed correctly. This means verifying that the containers are placed in the right location and are properly anchored, if necessary, to prevent easy removal.
- Office managers should maintain a log of who has access to the secure containers and conduct regular checks. This involves creating a sign-out sheet and regularly cross-referencing it with recorded access times.
- Security personnel should conduct regular audits of the storage containers to ensure they remain compliant with the security classification requirements. This involves physically inspecting the containers for any signs of tampering and verifying that all seals and locks are intact.
Audit / evidence tips
- AskThe inventory list of classified equipment: Request a detailed list of all servers and devices that are considered classified GoodA list that matches the number of items stored securely and accurately noted classifications
- AskTo see the procurement records for security containers: Request receipts or orders for containers that match the classification rating required GoodDocuments showing purchase of appropriately rated containers for the relevant equipment
- AskAccess logs to secure containers: Request to see the logbook or electronic records of access attempts GoodConsistently filled records with correct details and no unauthorised access noted
- AskTo see the security inspection reports: Request the most recent checklists or reports from inspections of the containers GoodUp-to-date inspection reports with no outstanding issues and signed off by a responsible officer
- AskAbout security policy documentation: Request a copy of the policy governing secure storage GoodDetailed instructions tailored to the organisation's needs and recently reviewed
Cross-framework mappings
How ISM-1530 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.15 | ISM-1530 requires classified servers, network devices and cryptographic equipment to be physically secured in security containers appropr... | |
| extension Depends on (1) expand_less | ||
| Annex A 5.12 | ISM-1530 requires organisations to select security containers suitable for the classification of the equipment and the security zones in ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.