ISM-1789 ASD Information Security Manual (ISM)

Verify Authenticity for Delivery Acceptance in Supply Chain

Ensure all software, hardware, and services are genuine before accepting them for use.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Sufficient spares of critical IT equipment and OT equipment are sourced and kept in reserve.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that all the software, hardware, and services you receive are exactly what you ordered and not counterfeit or tampered with. It's important because using fake or altered products can lead to security risks, data loss, or even legal problems if the counterfeit products fail or cause harm.

Why it matters

Without sufficient spares for critical IT/OT equipment, failures or supply disruptions can extend outages, delaying recovery and disrupting operations.

Operational notes

Set minimum spare-holding levels for critical IT/OT items based on lead times and failure rates, and review stock regularly to avoid obsolescence.

Implementation tips

  • Procurement teams should verify suppliers by checking their reliability and reputation. Ensure they are certified through recognised industry standards and have a good track record by reaching out to previous customers for reviews.
  • IT teams should use hash verification tools. Software or hardware often comes with a unique code (a hash value). By comparing the code of the delivered item with the code provided by the supplier, teams can confirm that no tampering has occurred during delivery.
  • Managers should establish clear guidelines for delivery acceptance. This could involve specifying how goods should be checked upon arrival and assigning experienced staff to inspect deliveries for tampering or discrepancies.
  • Staff responsible for receiving goods should document the acceptance process. They should record the condition of delivered items, ensuring packaging is intact and matches what was ordered, noting any differences immediately.
  • IT teams should implement quarantine procedures for new deliveries. Set up a designated area where new IT equipment can be examined and tested before being integrated into the main system to ensure nothing harmful is introduced.

Audit / evidence tips

  • Ask: records of supplier evaluations

    Good: shows documented checks and approvals

  • Ask: the hash verification logs for received software

    Good: shows consistent matching logs with no discrepancies

  • Ask: the organisation's delivery acceptance policy

    Good: a clearly defined policy and records of adherence

  • Ask: documented reports of any discrepancies found during delivery inspections

    Good: includes a complete log of findings and resolutions

  • Ask: a list of quarantined IT equipment from the last quarter

    Good: shows thorough tracking from arrival to clearance

Cross-framework mappings

How ISM-1789 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Related (2)

  • Annex A 5.19: ISM-1789 necessitates verifying the authenticity of software, hardware, and services prior to their supply chain acceptance
  • Annex A 5.21: ISM-1789 requires organisations to verify the authenticity of software, hardware, and services before their acceptance
