ISM-1792 ASD Information Security Manual (ISM)

Assess Authenticity of IT and OT Deliveries

Ensure that software and equipment are genuine before accepting them.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
The authenticity of operating systems, applications, IT equipment, OT equipment and services are assessed as part of acceptance of products and services.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you need to make sure any software or equipment you're using is the real deal, not a fake or compromised version. This is important because if you use counterfeit systems, they might have hidden vulnerabilities or malware that can lead to data breaches or system failures.

Why it matters

If deliveries are not authenticated, counterfeit IT/OT systems or software can be introduced, creating hidden vulnerabilities and causing breaches and downtime.

Operational notes

Regularly verify suppliers and perform checks on deliveries to authenticate equipment and software, preventing integration of counterfeit items.

Implementation tips

  • Procurement staff should verify authenticity: Before purchasing, they should check that vendors are legitimate by cross-referencing with trusted sources or using accredited suppliers. This prevents buying counterfeit or unauthorised products.
  • IT managers should conduct authenticity checks: Use manufacturer-provided tools or contact the vendor to verify serial numbers and product authenticity after delivery. This helps ensure the product hasn't been tampered with or replaced with a knock-off.
  • Operations staff should keep records: Document the authenticity verification process, including who did it, how, and when, and store this information securely. This creates a paper trail to prove due diligence.
  • Management should establish policies: Develop clear guidelines requiring staff to follow specific steps for authenticity checks. Regular training sessions should reinforce the importance of these procedures.
  • IT team should implement monitoring: Use tools to continuously monitor the integrity of installed systems and applications. This can help detect unauthorised changes or tampering after the initial deployment.

Audit / evidence tips

  • Ask: proof of procurement checks: Request records that show how suppliers were verified before purchase

    Good: includes documentation showing criteria used for assessment

  • Ask: records of authenticity checks: Request logs or reports from the IT team detailing how software and equipment authenticity was verified

    Good: includes time-stamped verification reports

  • Ask: training records: Request attendance logs or training materials on how staff should verify authenticity

    Good: shows comprehensive training with attendance tracked

  • Ask: policy documents: Request the organisation's policy on authenticity verification

    Good: shows a detailed, regularly updated policy

  • Ask: monitoring reports: Request a summary of monitoring activities carried out by the IT team

    Good: includes periodic monitoring reports with documented findings

Cross-framework mappings

How ISM-1792 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.21: ISM-1792 requires organisations to assess the authenticity of operating systems, applications, IT/OT equipment and services as part of ac...
