Maintain Non-Networked IT Equipment Register
Regularly keep a list of IT equipment that is not connected to networks.
Plain language
This control is about making sure that all your IT equipment that isn't connected to any network, like a printer or a standalone computer, is listed and checked regularly. If you don't do this, you could easily forget about devices that might store sensitive information but aren't protected by your network's security measures, leading to data breaches or loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usageTopic
It Equipment RegistersOfficial control statement
A non-networked IT equipment register is developed, implemented, maintained and verified on a regular basis.
Why it matters
Unregistered non-networked devices may retain sensitive data; if lost, stolen or decommissioned improperly, this can cause unauthorised disclosure.
Operational notes
Update and reconcile the non-networked IT equipment register at set intervals; record owner, location and status, and physically verify devices against the register.
Implementation tips
- Managers should designate someone in the office to maintain a list of all non-networked IT equipment. They can do this by walking around the office periodically to note down each piece of equipment, like projectors or offline desktops, and update the list.
- The IT team should regularly update this list with any new equipment added to or removed from the office. They can ensure this by setting a monthly reminder to check for new purchases or equipment disposals.
- Procurement officers should inform the designated person whenever new IT equipment is purchased. This can be done by adding a step in the purchasing process where they email the details of the new equipment to the responsible person.
- Office staff should be made aware of the importance of reporting any changes to IT equipment status. Conduct brief training sessions to explain why keeping the equipment list up-to-date is crucial for security.
- The list should be stored in a shared location, like a central folder or cloud document, where it can be easily accessed and updated by authorised personnel. Ensure there is a backup of this list in case of data loss.
Audit / evidence tips
-
Askto see the register of non-networked IT equipment: Request this document from the person responsible for maintaining it
Goodincludes complete, clear entries with information about who maintains the list and how often it's updated
-
Askabout the process for adding new equipment to the register: Request a demonstration or explanation of how new items are recorded
Goodshows the procedure is simple, easy to follow, and regularly communicated to relevant staff
-
Askhow often the register is reviewed: Inquire about regular checks or audits on the list
Goodconfirms that reviews are done routinely and changes to the list are documented
-
Gooddemonstrates ongoing communication and training about the importance of keeping the list current
-
Askif there is a backup of the register: Request to see the location of any backup copies. Check the date of the last backup and who is responsible for it
Goodshows that backups are performed regularly, and copies are securely stored
Cross-framework mappings
How ISM-1869 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.9 | ISM-1869 requires an organisation to develop, implement, maintain and regularly verify a register of non-networked IT equipment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.