Implement Emanation Security Measures for Systems
System owners follow security advice to protect against information leaks from electronic devices.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S, TS
🗓️ ISM last updated
Mar 2026
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for physical securitySection
Emanation SecurityRecommended actions contained within emanation security mitigation advice issued for systems are implemented by system owners.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about keeping information that comes from electronic devices secure so it doesn't get accidentally leaked. Imagine if someone nearby could pick up valuable information from your computer without even touching it—that's the risk if this isn't managed.
Why it matters
Without this control, sensitive company data could be intercepted without any physical break-in, leading to potential data breaches and business harm.
Operational notes
Regularly review and update device lists and protection methods to keep up with changing technology and emerging threats.
Implementation tips
- System owners should consult with their IT team to understand which equipment can emit harmful signals. Begin by creating an inventory of systems that might be susceptible, then categorise each based on the type of emissions they produce.
- The IT team should implement shields and filters on equipment identified as a risk. Use specialised materials and techniques, such as installing devices in shielded rooms or using enclosures that block emissions.
- Managers should train staff on the importance of TEMPEST measures. Organise a training session to explain why it's critical to prevent emissions and demonstrate simple practices that help minimise risks, like ensuring devices are turned off after use in secure spaces.
- Procurement officers should ensure that new equipment purchases include TEMPEST-certified products. Check product specifications for compliance with TEMPEST standards before purchasing and avoid buying from vendors that cannot guarantee this compliance.
- The security team should regularly review and update TEMPEST protection measures. Schedule quarterly reviews to ensure that the measures are still effective and note any changes in technology or working environments that might require an adjustment to existing protections.
Audit / evidence tips
-
Ask: the equipment emissions inventory: Request to see the list that identifies all equipment assessed for emissions
Good: a comprehensive list with recent dates and clear categories based on risk levels
-
Ask: documentation on shielding measures: Request descriptions or photographs of how equipment has been shielded
-
Ask: training records: Request logs from any training sessions or awareness activities
-
Ask: procurement records of TEMPEST-compliant equipment: Request purchase orders or receipts for recent equipment
-
Ask: recent review records: Request reports from any audit or review relating to TEMPEST measures
Cross-framework mappings
How ISM-1885 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| Annex A 8.12 | ISM-1885 requires system owners to implement emanation security mitigation advice to reduce the risk of information leakage via electroma... | |
| Supports (2) | ||
| Annex A 7.6 | ISM-1885 requires system owners to implement TEMPEST requirement statements to reduce the risk of electromagnetic/emanations-based inform... | |
| Annex A 8.27 | ISM-1885 requires implementation of system-specific TEMPEST requirements to prevent unintended information disclosure via compromising em... | |