Verify Authenticity for Delivery Acceptance in Supply Chain
Ensure all software, hardware, and services are genuine before accepting them for use.
Plain language
This control is about making sure that all the software, hardware, and services you receive are exactly what you ordered and not counterfeit or tampered with. It's important because using fake or altered products can lead to security risks, data loss, or even legal problems if the counterfeit products fail or cause harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Sufficient spares of critical IT equipment and OT equipment are sourced and kept in reserve.
Why it matters
Without sufficient spares for critical IT/OT equipment, failures or supply disruptions can extend outages, delaying recovery and disrupting operations.
Operational notes
Set minimum spare-holding levels for critical IT/OT items based on lead times and failure rates, and review stock regularly to avoid obsolescence.
Implementation tips
- Procurement teams should verify suppliers by checking their reliability and reputation. Confirm they are certified against recognised industry standards, and check their track record by asking previous customers for reviews.
- IT teams should use hash verification tools. Each piece of software or hardware often comes with a unique code (such as a hash or checksum). By comparing the code calculated for the delivered item with the code provided by the supplier, teams can confirm that no tampering has occurred during delivery.
- Managers should establish clear guidelines for delivery acceptance. This could involve specifying how goods should be checked upon arrival and assigning experienced staff to inspect deliveries for tampering or discrepancies.
- Staff responsible for receiving goods should document the acceptance process. They should record the condition of delivered items, ensuring packaging is intact and matches what was ordered, noting any differences immediately.
- IT teams should implement quarantine procedures for new deliveries. Set up a designated area where new IT equipment can be examined and tested before being integrated into the main system to ensure nothing harmful is introduced.
Audit / evidence tips
- Ask: records of supplier evaluations
  Good: shows documented checks and approvals
- Ask: to see the hash verification logs for received software
  Good: shows consistent matching logs with no discrepancies
- Ask: the organisation's delivery acceptance policy
  Good: is a clearly defined policy and records of adherence
- Ask: documented reports of any discrepancies found during delivery inspections
  Good: includes a complete log of findings and resolutions
- Ask: a list of quarantined IT equipment from the last quarter
  Good: shows thorough tracking from arrival to clearance
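The hash verification step from the implementation tips, together with the log record the audit tips ask for, as an added example that is not part of the original control page. It assumes the supplier publishes a sha256sum-style manifest that is obtained over a channel separate from the delivery itself; the function names and sample files are constructed for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # stream large images
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <relative path>')."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify_delivery(delivery_dir, manifest_text):
    """Compare every delivered file with the supplier manifest; return a log record."""
    expected = parse_manifest(manifest_text)
    root = Path(delivery_dir)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    files = {}
    for name, digest in expected.items():
        if name not in present:  # also covers names pointing outside the delivery
            files[name] = "MISSING"
        else:
            ok = sha256_file(root / name) == digest
            files[name] = "MATCH" if ok else "MISMATCH"
    for name in sorted(present - set(expected)):
        files[name] = "UNEXPECTED"  # delivered but not listed by the supplier
    return {"checked_at": datetime.now(timezone.utc).isoformat(), "files": files,
            "accepted": bool(expected) and all(s == "MATCH" for s in files.values())}

def demo():
    """Constructed delivery: one intact file, one altered, one missing, one extra."""
    sent = {"installer.bin": b"build 1.0", "driver.sys": b"driver 2.3", "README.txt": b"docs"}
    got = {"installer.bin": b"build 1.0", "driver.sys": b"altered", "extra.dll": b"unlisted"}
    manifest = "\n".join(f"{hashlib.sha256(v).hexdigest()}  {k}" for k, v in sent.items())
    with tempfile.TemporaryDirectory() as d:
        for name, data in got.items():
            (Path(d) / name).write_bytes(data)
        return verify_delivery(d, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # one record per delivery for the log
```

A delivery is accepted only when every listed file matches and nothing unlisted is present, so the stored records show discrepancies as well as matches.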
Cross-framework mappings
How ISM-1789 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (2) | | |
| Annex A 5.19 | ISM-1789 necessitates verifying the authenticity of software, hardware, and services prior to their supply chain acceptance | |
| Annex A 5.21 | ISM-1789 requires organisations to verify the authenticity of software, hardware, and services before their acceptance | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.