ISM-1792: ASD Information Security Manual (ISM)

Assess Authenticity of IT and OT Deliveries

Ensure that software and equipment are genuine before accepting them.


Plain language

This control means you need to make sure any software or equipment you're using is the real deal, not a fake or compromised version. This is important because if you use counterfeit systems, they might have hidden vulnerabilities or malware that can lead to data breaches or system failures.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The authenticity of operating systems, applications, IT equipment, OT equipment and services are assessed as part of acceptance of products and services.
ASD Information Security Manual (ISM), ISM-1792

Why it matters

If deliveries are not authenticated, counterfeit IT/OT systems or software can be introduced, creating hidden vulnerabilities and causing breaches and downtime.


Operational notes

Regularly verify suppliers and perform checks on deliveries to authenticate equipment and software, preventing integration of counterfeit items.


Implementation tips

  • Procurement staff should verify authenticity: Before purchasing, they should check that vendors are legitimate by cross-referencing with trusted sources or using accredited suppliers. This prevents buying counterfeit or unauthorised products.
  • IT managers should conduct authenticity checks: Use manufacturer-provided tools or contact the vendor to verify serial numbers and product authenticity after delivery. This helps ensure the product hasn't been tampered with or replaced with a knock-off.
  • Operations staff should keep records: Document the authenticity verification process, including who did it, how, and when, and store this information securely. This creates a paper trail to prove due diligence.
  • Management should establish policies: Develop clear guidelines requiring staff to follow specific steps for authenticity checks. Regular training sessions should reinforce the importance of these procedures.
  • IT team should implement monitoring: Use tools to continuously monitor the integrity of installed systems and applications. This can help detect unauthorised changes or tampering after the initial deployment.

Audit / evidence tips

  • Ask: Proof of procurement checks. Request records that show how suppliers were verified before purchase. Good: Includes documentation showing criteria used for assessment.
  • Ask: Records of authenticity checks. Request logs or reports from the IT team detailing how software and equipment authenticity was verified. Good: Includes time-stamped verification reports.
  • Ask: Training records. Request attendance logs or training materials on how staff should verify authenticity. Good: Shows comprehensive training with attendance tracked.
  • Ask: Policy documents. Request the organisation's policy on authenticity verification. Good: Shows a detailed, regularly updated policy.
  • Ask: Monitoring reports. Request a summary of monitoring activities carried out by the IT team. Good: Includes periodic monitoring reports with documented findings.

Cross-framework mappings

How ISM-1792 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.21 ISM-1792 requires organisations to assess the authenticity of operating systems, applications, IT/OT equipment and services as part of ac...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
