Assess Integrity of Delivered IT and OT Products
Check the integrity of IT and OT products before accepting them to ensure they're safe and reliable.
Plain language
Before you accept new IT gadgets or systems into your business, it's crucial to make sure they are safe and trustworthy. If you skip this step, you might end up with faulty or compromised equipment that could put your data at risk or lead to expensive downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The integrity of operating systems, applications, IT equipment, OT equipment and services are assessed as part of acceptance of products and services.
Why it matters
Failing to assess delivered product integrity enables supply-chain tampering or counterfeit IT/OT gear, leading to compromise, outages and costly rework.
Operational notes
At acceptance, verify provenance, serial numbers and tamper seals; validate vendor-published signatures and hashes (using a vendor key or hash list obtained through a channel separate from the delivery itself) and firmware integrity; and quarantine any delivery that shows an anomaly rather than connecting it.
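The hash-and-signature part of that check, as an added example in Go (not code from the page or from ASD): the vendor ships a `sha256sum`-style manifest plus a detached signature over it; the receiver verifies the signature with the vendor's public key held out of band, then compares every delivered file against the manifest and quarantines anything that mismatches, is missing, or was not listed. The Ed25519 key derived from a fixed seed, the file names and the file contents are all constructed for the demo.

```go
package main

// Added example (not from the ISM or this page): accept a delivered bundle only
// if the vendor-signed manifest verifies and every file matches it. Vendor key,
// seed, file names and contents are constructed; a real key is obtained out of band.

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// buildManifest emits "<sha256hex>  <name>" lines, the layout sha256sum uses.
func buildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// parseManifest maps file name -> expected hex digest, rejecting malformed lines.
func parseManifest(manifest string) (map[string]string, error) {
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	return expected, nil
}

// vendorKeyFromSeed derives a deterministic Ed25519 pair (demo only).
func vendorKeyFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Verdict records what may be connected and what goes to quarantine, with a reason.
type Verdict struct {
	Accepted    []string
	Quarantined map[string]string
}

func (v Verdict) Clean() bool { return len(v.Quarantined) == 0 }

// verifyDelivery checks the manifest signature first, then every file hash. A bad
// signature quarantines the whole delivery; otherwise each hash mismatch, missing
// file or unlisted extra file is quarantined individually.
func verifyDelivery(pub ed25519.PublicKey, manifest string, sig []byte, delivered map[string][]byte) (Verdict, error) {
	v := Verdict{Quarantined: make(map[string]string)}
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		for n := range delivered {
			v.Quarantined[n] = "manifest signature invalid"
		}
		return v, fmt.Errorf("manifest signature does not verify against vendor key")
	}
	expected, err := parseManifest(manifest)
	if err != nil {
		return v, err
	}
	for name, want := range expected {
		data, ok := delivered[name]
		if !ok {
			v.Quarantined[name] = "listed in manifest but not delivered"
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			v.Quarantined[name] = "hash mismatch"
			continue
		}
		v.Accepted = append(v.Accepted, name)
	}
	for name := range delivered {
		if _, ok := expected[name]; !ok {
			v.Quarantined[name] = "not listed in vendor manifest"
		}
	}
	sort.Strings(v.Accepted)
	return v, nil
}

func main() {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed demo seed") // zero-padded; never derive a real key this way
	pub, priv := vendorKeyFromSeed(seed)
	shipped := map[string][]byte{"firmware.bin": []byte("FIRMWARE-v1.2.3"), "installer.exe": []byte("INSTALLER")}
	manifest := buildManifest(shipped)
	sig := ed25519.Sign(priv, []byte(manifest))
	// What actually arrived (constructed): one file altered in transit, one extra file added.
	received := map[string][]byte{"firmware.bin": []byte("FIRMWARE-v1.2.3"), "installer.exe": []byte("INSTALLER-TAMPERED"), "readme.txt": []byte("extra")}
	v, err := verifyDelivery(pub, manifest, sig, received)
	fmt.Println("signature ok:", err == nil, "| clean:", v.Clean(), "| accepted:", v.Accepted)
	for n, why := range v.Quarantined {
		fmt.Printf("quarantine %s: %s\n", n, why)
	}
}
```

In practice the manifest and signature arrive as files beside the delivery and the vendor key is a PGP key or code-signing certificate rather than a raw Ed25519 key, but the order of checks is the same: verify the signature before trusting any hash in the manifest, and treat an unlisted extra file as seriously as a mismatched one. Hardware deliveries get the physical equivalent (serials, seals, packaging) plus the firmware check on the device itself.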
Implementation tips
- Procurement team should include a security assessment clause in contracts: Specify in every purchase contract that IT and OT (operational technology) products must undergo a security check before acceptance. This ensures vendors are aware of and adhere to your security expectations from the start.
- IT team should inspect all new technology arrivals: Before connecting new equipment, software, or systems to your existing network, conduct a detailed inspection to spot any tampering or unexpected alterations. This can include checking software versions and verifying device seals and packaging.
- HR or management should train relevant staff on recognition: Host a short workshop to educate staff about the importance of inspecting delivered technology and how to recognise potential red flags in deliveries. This will empower them to act as the first line of defence.
- The IT department should maintain an inventory record: Start and regularly update a log of all incoming IT and OT products, noting their condition, supplier details, and inspection results. Keeping track of this information can help quickly identify and resolve any issues.
- Management should schedule regular review meetings: Hold periodic meetings with relevant teams, including procurement and IT, to review and discuss recent deliveries, any inspection findings, and improvements in procedures. Document outcomes for future reference.
Audit / evidence tips
- Ask for the vendor contracts: Verify they include a clause requiring integrity checks for all IT and OT products
  Good: contracts with a clear security assessment requirement
- Ask for the inventory log of incoming IT and OT products: Check that each entry records condition, supplier details and inspection results
  Good: has comprehensive entries without gaps
- Ask for training records: Review the records to confirm staff have been trained on delivery checks
  Good: includes documented evidence of staff participation in training sessions
- Ask for minutes of the periodic review meetings: Confirm recent deliveries and inspection findings are discussed and outcomes recorded
  Good: shows regular meetings with actionable outcomes
- Ask for examples of inspection reports: Examine these for completeness and depth in checking products
  Good: has detailed reports, indicating thorough inspections were conducted
Cross-framework mappings
How ISM-1791 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | ISO 27001 control | Notes |
|---|---|---|
| Partially meets | Annex A 5.19 | ISM-1791 requires organisations to assess the integrity of delivered IT/OT operating systems, applications, equipment and services as par... |
| Partially meets | Annex A 5.21 | ISM-1791 requires integrity assessment of delivered IT/OT products and services before acceptance |
| Partially overlaps | Annex A 8.29 | ISM-1791 requires assessing the integrity of delivered IT and OT products and services as part of acceptance |
| Supports | Annex A 8.30 | Annex A 8.30 requires the organisation to direct, monitor and review outsourced system development activities to maintain security and qu... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.