ISM-1800 ASD Information Security Manual (ISM)

Ensure Network Devices Have Trusted Firmware

Network devices must have trusted firmware installed before their first use to reduce security risk.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Network devices are flashed with trusted firmware before they are used for the first time.

Source: ASD Information Security Manual (ISM)

Plain language

Before you use network devices like routers or switches, you should make sure they have trusted software installed. This is crucial because untrusted software could have hidden problems that let attackers get into your network, leading to data breaches and privacy issues.

Why it matters

Using network devices with untrusted firmware risks allowing attackers to exploit hidden vulnerabilities, leading to potential breaches and data loss.

Operational notes

Before first use, flash devices with vendor-approved firmware, then verify image integrity (hash/signature) and record firmware versions for audit.

Implementation tips

  • IT team should verify firmware integrity: Before installing any network device, ensure the IT team checks the firmware to see if it comes from a reputable source. This can involve downloading firmware only from the official site of the manufacturer and double-checking its authenticity with verification tools.
  • Procurement should select reputable vendors: Ensure that the procurement team selects network devices from manufacturers known for high security standards. This may involve researching customer reviews, checking the company's reputation in the cybersecurity field, and reviewing any published security reports.
  • IT team should set up a process for firmware updates: Establish a procedure for regularly checking and updating the firmware of all network devices. This includes scheduling regular updates, testing updates on a non-critical device first, and keeping records of each update.
  • Manager should conduct training sessions: Ensure staff involved with network devices know how to handle firmware updates and the risks of using unverified software. Conduct annual training sessions, which can include instructions on what firmware is, why it needs to be trusted, and how to verify it.
  • IT team should document firmware checks: Create and maintain a log for each device that records when the firmware was last checked or updated. Include the version number, source of the firmware, and verification results.
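An added example (not part of the ISM or of Control Stack) of the hash check and per-device log entry described in the operational notes and implementation tips above. The device name, version, source and file names are placeholders, and signature verification, which depends on each vendor's tooling, is not shown.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the image through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_and_record(image_path, published_sha256, device, version, source, log_path):
    """Check the image against the published hash; log the attempt, pass or fail."""
    expected = published_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA-256 hex digest")
    actual = sha256_file(image_path)
    verified = hmac.compare_digest(actual, expected)
    record = {
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "device": device,
        "firmware_version": version,
        "source": source,
        "expected_sha256": expected,
        "actual_sha256": actual,
        "result": "verified" if verified else "mismatch",
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return verified


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample: stand-in bytes and placeholder names, not real firmware.
    data = b"constructed firmware image bytes"
    with tempfile.TemporaryDirectory() as tmp:
        image, log = os.path.join(tmp, "fw.bin"), os.path.join(tmp, "audit.jsonl")
        with open(image, "wb") as fh:
            fh.write(data)
        for digest in (hashlib.sha256(data).hexdigest(), "0" * 64):
            print(verify_and_record(image, digest, "sw-01", "1.2.3", "vendor.example", log))
        print(open(log, encoding="utf-8").read())
```

Because a record is appended on both outcomes, the log also shows failed checks, which is the evidence an auditor sampling device logs would ask for.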

Audit / evidence tips

  • Ask: firmware verification documentation: Request to see records showing where each network device's firmware was sourced and verified

    Good: Complete records with detailed steps showing checks were performed before device use

  • Ask: device vendor selection criteria: Request the criteria used by procurement to choose network device vendors

    Good: Documented criteria highlighting vendor reputation and specific security behaviours considered in the selection

  • Ask: training records of IT staff: Request to see a list of training sessions held for IT staff regarding firmware management

    Good: Training records showing regular and comprehensive training on firmware verification processes

  • Ask: the process document for firmware updates: Request the procedure or policy that outlines how firmware updates are managed

    Good: A detailed, up-to-date document outlining precise steps and responsible parties

  • Ask: samples of firmware update logs: Request logs of a few randomly chosen devices to review past update activities

    Good: Consistent logs indicating regular updates, with verified sources and no gaps in records

Cross-framework mappings

How ISM-1800 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (3)

  • Annex A 5.19: ISM-1800 requires network devices to be flashed with trusted firmware before first use, which helps counter risks arising from vendor or ...
  • Annex A 5.21: ISM-1800 requires flashing network devices with trusted firmware before first use to reduce the likelihood of supply chain or pre-comprom...
  • Annex A 8.20: ISM-1800 requires network devices to be flashed with trusted firmware before they are used for the first time, reducing the risk of compr...

Partially overlaps (1)

  • Annex A 8.19: ISM-1800 requires network devices to be flashed with trusted firmware before first use to prevent introduction of compromised device soft...

E8

Supports (1)

  • E8-PO-ML3.3: ISM-1800 requires network devices to begin operation with trusted firmware to avoid running compromised or tampered code
