ISM-1599: ASD Information Security Manual (ISM)

Proper Handling of Sensitive IT Equipment

Ensure IT equipment is handled based on how sensitive or classified it is.

Plain language

This control is about making sure that the way we handle IT equipment matches how sensitive or classified the information on it is. It's important because mishandling such equipment could lead to leaking sensitive data or compromising important systems, which can cause financial damage and hurt your organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

IT equipment is handled in a manner suitable for its sensitivity or classification.

Why it matters

Improper handling of sensitive IT equipment can expose stored data or classified material during transport, storage or disposal, causing a breach.

Operational notes

Define and regularly test procedures for labelling, secure transport, controlled storage and sanitised disposal of sensitive IT equipment, with chain-of-custody.

Implementation tips

  • The IT team should classify equipment based on the data it handles. They can use a simple system like 'high', 'medium', and 'low' sensitivity based on what kind of information the equipment accesses and stores.
  • Managers should establish handling protocols for each sensitivity level. For example, highly sensitive equipment might need to be kept securely locked or have restricted access to authorised personnel only.
  • The procurement team should ensure that new equipment purchases align with the organisation's sensitivity handling requirements. They can do this by referring to the sensitivity classification during the purchasing process.
  • Staff handling IT equipment should be trained on sensitivity levels. This can be achieved through regular training sessions where they learn about why different handling procedures are necessary for various equipment.
  • The security officers should periodically review how equipment is being handled. They can conduct spot checks and audits to ensure compliance with the established protocols for handling sensitive IT equipment.

Audit / evidence tips

  • Ask: The equipment sensitivity classification document. Request to see the list or database that classifies the organisation's IT equipment by sensitivity. Good: Consistently updated record showing all equipment with assigned sensitivity levels.
  • Ask: Handling protocols for different sensitivity levels. Request documents detailing how equipment should be handled based on its classification. Good: A guideline document with specific handling protocols for each sensitivity category.
  • Ask: Training records. Request evidence of staff training on handling sensitive IT equipment. Good: Dated training logs showing completion by relevant staff, covering the necessity and application of handling protocols.
  • Ask: Evidence of equipment handling audits. Request recent audit reports on how IT equipment is managed. Good: Audit reports highlighting compliance levels and rectification of any mishandling.
  • Ask: Access control records. Request logs related to who accesses sensitive equipment. Good: Access logs regularly reviewed, with no unauthorised access incidents.
Cross-framework mappings

How ISM-1599 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.10: ISM-1599 requires IT equipment to be handled in a manner suitable for its sensitivity or classification

Partially overlaps (1)
  • Annex A 7.14: ISM-1599 requires IT equipment handling according to sensitivity or classification

Supports (1)
  • Annex A 7.8: ISM-1599 requires IT equipment to be handled based on its sensitivity or classification

Depends on (1)
  • Annex A 5.12: ISM-1599 mandates handling IT equipment based on sensitivity or classification

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
