Ensure Integrity in IT and OT Deliveries
Deliveries of IT and OT systems should be made securely to prevent tampering or integrity loss.
Plain language
This control is about making sure that when you receive technology products or services, like computers or operating systems, they haven't been messed with or damaged before they reach you. If this isn't done properly, you could end up using equipment that doesn't work right, or worse, could be hacked to steal your information or harm your business.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: May 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
Operating systems, applications, IT equipment, OT equipment and services are delivered in a manner that maintains their integrity.
Why it matters
Compromised deliveries can lead to tampered systems that expose sensitive data, disrupt operations, or enable cyber attacks.
Operational notes
Verify delivery integrity with hashes/signature checks, keep chain-of-custody records, and validate suppliers and packaging on receipt.
Implementation tips
- Procurement team should ensure trusted vendors: Choose suppliers who have a good track record and can provide secure delivery services for your IT and operational technology (OT) equipment. Check their reputation and ask about their delivery methods to avoid tampering.
- IT team should inspect deliveries: When new equipment arrives, check the packaging for any signs of tampering like broken seals or damaged boxes. If something looks suspicious, don't use the equipment until you're sure it's safe.
- System owner should verify integrity: Before using new systems, perform checks to ensure everything is as expected. This includes running software checks or validation tools provided by the vendor to confirm no changes have occurred during delivery.
- Managers should keep detailed records: Maintain a log of all deliveries received, including dates, vendors, and equipment details. This helps track any issues and shows you're following proper procedures.
- HR and training teams should educate staff: Organise training sessions to teach employees about the importance of secure deliveries and what to do if they spot something wrong. This helps everyone play a part in keeping your systems safe.
Audit / evidence tips
- Ask: vendor agreements and contracts: Request documents detailing the terms with vendors regarding secure delivery
  Good: includes clear commitments to secure deliveries
- Ask: delivery records: Request logs of recent equipment deliveries, showing inspection dates and findings
  Good: record is thorough and highlights how problems are fixed
- Ask: to see inspection checklists: Request the form or checklist used by staff to verify the condition of deliveries upon receipt
  Good: checklist details what was checked and how any suspicions were reported
- Ask: training materials: Request copies of materials used to train staff about the integrity of deliveries
  Good: means comprehensive training materials are regularly updated
- Ask: software validation reports: Request reports showing results of integrity checks or validation testing done on new systems
  Good: report confirms no issues found and matches vendor specifications
Cross-framework mappings
How ISM-1790 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.19 | ISM-1790 focuses on ensuring IT/OT deliveries arrive without tampering and with integrity preserved |
| Partially meets | Annex A 5.21 | ISM-1790 requires operating systems, applications, IT/OT equipment and services to be delivered in a way that maintains integrity and pre... |
| Supports | Annex A 5.22 | ISM-1790 requires that delivered IT/OT systems and services maintain integrity, implying controls such as tamper-evident delivery, verifi... |
| Related | Annex A 5.8 | Annex A 5.8 requires information security to be integrated into project management so security requirements and checks are applied when d... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.