Develop and Maintain IT Equipment Management Policy
Organisations must create and sustain a policy for managing IT equipment.
Plain language
Having a policy to manage your IT equipment is like creating a rulebook for all the computers, printers, and other tech gear in your organisation. It ensures everyone knows how to properly use, care for, and replace equipment. Without it, you risk damaged devices, wasted money, and security breaches that could harm your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usage
Official control statement
An IT equipment management policy is developed, implemented and maintained.
Why it matters
Without an IT equipment management policy, devices can go untracked, increasing loss/theft risk, data exposure, and service disruption.
Operational notes
Maintain a current IT equipment register (owner, location, status, disposal) and reconcile it regularly to quickly identify missing or unauthorised devices.
Implementation tips
- The office manager should draft an IT equipment policy. This involves listing all types of equipment, defining their proper use, maintenance schedules, and replacement procedures. Use a simple document template to ensure all key aspects are covered.
- The IT team should review the draft policy. They can provide expertise on technical specifications and necessary security measures. This can be done in a meeting where they go through the draft and suggest enhancements.
- Management should approve the policy. This involves reading through the document and ensuring it aligns with business goals and budget constraints. They should also sign off on it to formally enforce the policy.
- The HR team should integrate the policy into employee onboarding. They need to ensure new staff receive the policy and understand it. This can be done by including it in the induction pack and running a short briefing session.
- All staff should receive training on the policy. Regular workshops or online training sessions should be set up to explain the policy in detail. This helps to make sure everyone knows how to follow the rules and why doing so is important.
Audit / evidence tips
- Ask: the written IT equipment management policy document
  Good: policy will be comprehensive, easy to understand, and updated within the last year
- Good: list will show each item’s current status and last inspection date
- Ask: maintenance records for IT equipment
- Good: training record will cover all staff and regularly update their knowledge
- Ask: management approval records of the policy
  Good: shows that management has reviewed and sanctioned the policy, reflecting their commitment to its enforcement
Cross-framework mappings
How ISM-1551 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.1 | ISM-1551 requires an organisation to develop, implement and maintain a specific topic policy for IT equipment management | |
| Partially overlaps (1) | | |
| Annex A 5.10 | ISM-1551 requires an organisation to maintain an IT equipment management policy to govern how IT equipment is handled and controlled | |
| Supports (4) | | |
| Annex A 5.4 | ISM-1551 requires an organisation to develop, implement and maintain an IT equipment management policy to govern how equipment is managed... | |
| Annex A 5.9 | Annex A 5.9 requires developing and maintaining an inventory of information, associated assets, and owners | |
| Annex A 5.36 | ISM-1551 requires the organisation to implement and maintain an IT equipment management policy | |
| Annex A 5.37 | ISM-1551 requires an organisation to establish and maintain a policy for managing IT equipment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.