ISM-1633 ASD Information Security Manual (ISM)

Implement Emanation Security Mitigation Recommendations

System owners must follow emanation security advice to protect their systems.

Plain language

Emanation security is all about stopping unwanted signals or interference from leaking out of your equipment, which could be picked up by others. If someone captures these signals, they might see sensitive information or even cause system disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners, in consultation with each system’s authorising officer, determine the system boundary, business criticality, and security and resilience objectives for each system based on an assessment of the impact if it were to be compromised or attacked.

Why it matters

Without these protections, sensitive business data could be captured from your equipment's signals, leading to data breaches or operational disruption.

Operational notes

Regularly check and update equipment for emanation security compliance, ensuring all shielding measures remain effective and up-to-date.

Implementation tips

  • System owners should arrange a meeting with the authorising officer to identify the boundaries of the system. This involves understanding which parts of the system are crucial for the business and where potential risks might exist. It can be as simple as drawing up a list of assets, data, and applications that need protection.
  • System owners should assess the business importance of their system alongside the authorising officer. They can do this by discussing what aspects of the system are vital for daily operations or revenue generation. It's important to identify how much disruption or data loss would impact the business.
  • The security team should assist the system owner in determining the security objectives for the system. This means deciding what kind of protection is most important, like ensuring data confidentiality or system availability. They can use straightforward scenarios to simulate potential compromises and evaluate impacts.
  • The IT department should document the system boundaries and security objectives agreed upon. This involves writing a summary of the discussions and decisions made in the review meeting, capturing the critical elements identified. This documentation should be kept accessible for future reference or updates.
  • System owners need to conduct regular reviews of the system boundaries and security objectives with the authorising officer and IT team. Set a timeline, like annually or biannually, to reassess any changes in the business environment that might affect risk assessment. Updates should be documented and signed off by the authorising officer.

Audit / evidence tips

  • Ask for the meeting minutes or summary document: Request the documentation from the meeting between the system owner and authorising officer

    Good: shows comprehensive notes, including identified key assets and potential impact if compromised

  • Ask for a business impact analysis report: Request to see documents detailing assessed business criticality and impact

  • Ask for the security objectives statement: Request the document that outlines specific security goals for the system

    Good: statement includes concrete, understandable goals with reasons for their prioritisation

  • Ask for the system boundaries documentation: Request the documented outline showing what parts of the system need protection

    Good: document is clear, concise, and signed off by involved parties

  • Ask for records of the regular review meetings: Request logs or reports from follow-up meetings assessing changes in risk

    Good: record shows continuous engagement and updates aligned with organisational changes

Cross-framework mappings

How ISM-1633 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Supports (4)

  • Annex A 5.15: ISM-1633 requires system owners and authorising officers to determine the system boundary, business criticality and security objectives b...
  • Annex A 5.30: ISM-1633 requires defining system boundaries, criticality and security objectives based on impact if compromised
  • Annex A 7.1: ISM-1633 requires the organisation to determine the system boundary and security objectives based on compromise impact
  • Annex A 8.22: ISM-1633 requires determining system boundaries and security objectives in line with impact of compromise

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.