Implement Strict IT Equipment Hardening Guidelines
Use the most restrictive security guidelines to secure IT equipment from unauthorised access.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: May 2024
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A
Section
IT equipment usage
IT equipment is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure your computers and other IT equipment are as secure as possible by following strict security guidelines. It matters because, if these guidelines aren't followed, your systems are more exposed to hackers and unauthorised access, which can lead to data loss or other security breaches.
Why it matters
Failure to apply stringent ASD/vendor hardening guidelines could expose IT systems to unauthorised access, compromising sensitive data and operations.
Operational notes
Baseline builds on ASD and vendor hardening guides; validate regularly and, where guidance conflicts, apply the most restrictive settings and record exceptions.
Implementation tips
- IT team should review the Australian Cyber Security Centre (ACSC) and vendor guidelines: Go through the detailed security recommendations provided by the ACSC and compare them with what the equipment vendors suggest. Always choose the stricter option if there's a conflict.
- Managers should ensure staff are trained in equipment security: Organize regular training sessions to make sure everyone understands the importance of following strict security guidelines and implementation steps.
- The IT team should perform regular security audits: Create a schedule for checking that the security settings on all equipment comply with the most restrictive guidelines available.
- Procurement should purchase compliant equipment: When buying new equipment, ensure it can meet or exceed the existing security guidelines, checking specifications against both ACSC and vendor guidance.
- System owners should document all security settings: Keep a clear record of what hardening measures have been applied to each piece of equipment so there’s no ambiguity in compliance.
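One way to apply the "most restrictive setting wins" rule and the audit check described above, as an added example that is not part of the original page or of ASD guidance. The setting names, values, `RULES` table and exception reference are constructed assumptions.

```python
# Constructed sample data: setting names and values are illustrative only and
# are not taken from ASD or any vendor hardening guide.
RULES = {  # which direction is more restrictive for each setting
    "min_password_length": "higher", "screen_lock_timeout_s": "lower",
    "tls_min_version": "higher", "usb_storage_enabled": "off",
}
ASD_BASELINE = {"min_password_length": 14, "screen_lock_timeout_s": 900,
                "usb_storage_enabled": False}
VENDOR_BASELINE = {"min_password_length": 12, "screen_lock_timeout_s": 300,
                   "usb_storage_enabled": True, "tls_min_version": 1.2}


def stricter(rule, a, b):
    """Return whichever of a and b is more restrictive under the rule."""
    if rule == "higher":
        return max(a, b)
    if rule == "lower":
        return min(a, b)
    if rule == "off":          # a feature that is safer when disabled
        return a and b
    raise ValueError(f"unknown rule: {rule}")


def merge_baselines(asd, vendor, rules):
    """Build one baseline; on conflict the most restrictive value wins."""
    merged, conflicts = {}, []
    for key in sorted(set(asd) | set(vendor)):
        if key in asd and key in vendor:
            merged[key] = stricter(rules[key], asd[key], vendor[key])
            if asd[key] != vendor[key]:
                conflicts.append(key)
        else:                  # only one guide covers this setting
            merged[key] = asd[key] if key in asd else vendor[key]
    return merged, conflicts


def audit(device, baseline, rules, exceptions):
    """Classify each setting as ok, exception (recorded) or noncompliant."""
    report = {}
    for key, required in baseline.items():
        actual = device.get(key)
        if actual is not None and stricter(rules[key], actual, required) == actual:
            report[key] = "ok"
        elif key in exceptions:
            report[key] = "exception: " + exceptions[key]
        else:
            report[key] = "noncompliant"
    return report
```

A device setting passes when it is at least as restrictive as the merged baseline, so equipment hardened beyond the baseline is not flagged.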
Audit / evidence tips
- Ask: the list of equipment and applied security settings: Request a document detailing each piece of equipment and its current security configurations. Good: includes up-to-date configurations aligned with top security practices.
- Ask: training materials and attendance records: Check the records for any training sessions done on IT security.
- Ask: to see the audit schedule and reports: Review the audit schedule and records of past security audits. Check that these audits are regular and comprehensive. Positive results should show consistent adherence to the strictest security guidelines.
- Ask: procurement checklists used during purchasing: Evaluate the criteria used when buying new equipment. Ensure the checklist references ASD or stricter vendor guidelines. Good procurement practices include verification of security compliance before purchase.
- Ask: system documentation records: Inspect the documentation for detailed records of security measures applied to all equipment.
Cross-framework mappings
How ISM-1858 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.