ISM-1633 ASD Information Security Manual (ISM)

Implement Emanation Security Mitigation Recommendations

System owners must follow emanation security advice to protect their systems.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
System owners, in consultation with each system's authorising officer, determine the system boundary, business criticality, and security and resilience objectives for each system based on an assessment of the impact if it were to be compromised or attacked.

Source: ASD Information Security Manual (ISM)

Plain language

Emanation security is all about stopping unwanted signals or interference from leaking out of your equipment, which could be picked up by others. If someone captures these signals, they might see sensitive information or even cause system disruptions.

Why it matters

Without these protections, sensitive business data could be captured from your equipment's signals, leading to data breaches or operational disruption.

Operational notes

Regularly check and update equipment for emanation security compliance, ensuring all shielding measures remain effective and up to date.

Implementation tips

  • System owners should arrange a meeting with the authorising officer to identify the boundaries of the system. This involves understanding which parts of the system are crucial for the business and where potential risks might exist. It can be as simple as drawing up a list of assets, data, and applications that need protection.
  • System owners should assess the business importance of their system alongside the authorising officer. They can do this by discussing what aspects of the system are vital for daily operations or revenue generation. It's important to identify how much disruption or data loss would impact the business.
  • The security team should assist the system owner in determining the security objectives for the system. This means deciding what kind of protection is most important, like ensuring data confidentiality or system availability. They can walk through straightforward compromise scenarios and evaluate the impacts.
  • The IT department should document the system boundaries and security objectives agreed upon. This involves writing a summary of the discussions and decisions made in the review meeting, capturing the critical elements identified. This documentation should be kept accessible for future reference or updates.
  • System owners need to conduct regular reviews of the system boundaries and security objectives with the authorising officer and IT team. Set a timeline, like annually or biannually, to reassess any changes in the business environment that might affect risk assessment. Updates should be documented and signed off by the authorising officer.

Audit / evidence tips

  • Ask: the meeting minutes or summary document: Request the documentation from the meeting between the system owner and authorising officer

    Good: shows comprehensive notes, including identified key assets and potential impact if compromised

  • Ask: a business impact analysis report: Request to see documents detailing assessed business criticality and impact

  • Ask: the security objectives statement: Request the document that outlines specific security goals for the system

    Good: statement includes concrete, understandable goals with reasons for their prioritisation

  • Ask: the system boundaries documentation: Request the documented outline showing what parts of the system need protection

    Good: document is clear, concise, and signed off by involved parties

  • Ask: records of the regular review meetings: Request logs or reports from follow-up meetings assessing changes in risk

    Good: record shows continuous engagement and updates aligned with organisational changes

Cross-framework mappings

How ISM-1633 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Supports (4)

Control | Notes
Annex A 5.15 | ISM-1633 requires system owners and authorising officers to determine the system boundary, business criticality and security objectives b...
Annex A 5.30 | ISM-1633 requires defining system boundaries, criticality and security objectives based on impact if compromised
Annex A 7.1 | ISM-1633 requires the organisation to determine the system boundary and security objectives based on compromise impact
Annex A 8.22 | ISM-1633 requires determining system boundaries and security objectives in line with impact of compromise
