Implement Strict IT Equipment Hardening Guidelines
Use the most restrictive security guidelines to secure IT equipment from unauthorised access.
Plain language
This control is about making sure your computers and other IT equipment are as secure as possible by following strict security guidelines. It's important because if these guidelines aren't followed, your systems could be more vulnerable to hackers or unauthorized access, which can lead to data loss or other security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usage
Official control statement
IT equipment is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Why it matters
Failure to apply stringent ASD/vendor hardening guidelines could expose IT systems to unauthorised access, compromising sensitive data and operations.
Operational notes
Baseline builds on ASD and vendor hardening guides; validate regularly and, where guidance conflicts, apply the most restrictive settings and record exceptions.
Implementation tips
- IT team should review the Australian Cyber Security Centre (ACSC) and vendor guidelines: Go through the detailed security recommendations provided by the ACSC and compare them with what the equipment vendors suggest. Always choose the stricter option if there's a conflict.
- Managers should ensure staff are trained in equipment security: Organize regular training sessions to make sure everyone understands the importance of following strict security guidelines and implementation steps.
- The IT team should perform regular security audits: Create a schedule for checking that the security settings on all equipment comply with the most restrictive guidelines available.
- Procurement should purchase compliant equipment: When buying new equipment, ensure it can meet and exceed the existing security guidelines, checking specifications against both ACSC and vendor guidance.
- System owners should document all security settings: Keep a clear record of what hardening measures have been applied to each piece of equipment so there’s no ambiguity in compliance.
Audit / evidence tips
- Ask for the list of equipment and applied security settings: Request a document detailing each piece of equipment and its current security configurations.
  - Good: includes up-to-date configurations aligned with top security practices.
- Ask for training materials and attendance records: Check the records for any training sessions done on IT security.
- Ask to see the audit schedule and reports: Review the audit schedule and records of past security audits. Check that these audits are regular and comprehensive. Positive results should show consistent adherence to the strictest security guidelines.
- Ask for procurement checklists used during purchasing: Evaluate the criteria used when buying new equipment. Ensure the checklist references ASD or stricter vendor guidelines. Good procurement practices include verification of security compliance before purchase.
- Ask for system documentation records: Inspect the documentation for detailed records of security measures applied to all equipment.
Cross-framework mappings
How ISM-1858 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.