Implement Emanation Security Measures for Systems
System owners follow security advice to protect against information leaks from electronic devices.
Plain language
This control is about keeping information that comes from electronic devices secure so it doesn't get accidentally leaked. Imagine if someone nearby could pick up valuable information from your computer without even touching it—that's the risk if this isn't managed.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Emanation security
Official control statement
Recommended actions contained within emanation security mitigation advice issued for systems are implemented by system owners.
Why it matters
Without this control, sensitive company data could be intercepted without any physical break-in, leading to potential data breaches and business harm.
Operational notes
Regularly review and update device lists and protection methods to keep up with changing technology and emerging threats.
Implementation tips
- System owners should consult with their IT team to understand which equipment can emit harmful signals. Begin by creating an inventory of systems that might be susceptible, then categorise each based on the type of emissions they produce.
- The IT team should implement shields and filters on equipment identified as a risk. Use specialised materials and techniques, such as installing devices in shielded rooms or using enclosures that block emissions.
- Managers should train staff on the importance of TEMPEST measures. Organise a training session to explain why it's critical to prevent emissions and demonstrate simple practices that help minimise risks, like ensuring devices are turned off after use in secure spaces.
- Procurement officers should ensure that new equipment purchases include TEMPEST-certified products. Check product specifications for compliance with TEMPEST standards before purchasing and avoid buying from vendors that cannot guarantee this compliance.
- The security team should regularly review and update TEMPEST protection measures. Schedule quarterly reviews to ensure that the measures are still effective and note any changes in technology or working environments that might require an adjustment to existing protections.
Audit / evidence tips
- Ask: the equipment emissions inventory. Request to see the list that identifies all equipment assessed for emissions.
  Good: a comprehensive list with recent dates and clear categories based on risk levels.
- Ask: documentation on shielding measures. Request descriptions or photographs of how equipment has been shielded.
- Ask: training records. Request logs from any training sessions or awareness activities.
- Ask: procurement records of TEMPEST-compliant equipment. Request purchase orders or receipts for recent equipment.
- Ask: recent review records. Request reports from any audit or review relating to TEMPEST measures.
Cross-framework mappings
How ISM-1885 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.12 | ISM-1885 requires system owners to implement emanation security mitigation advice to reduce the risk of information leakage via electroma... | |
| Supports (2) | | |
| Annex A 7.6 | ISM-1885 requires system owners to implement TEMPEST requirement statements to reduce the risk of electromagnetic/emanations-based inform... | |
| Annex A 8.27 | ISM-1885 requires implementation of system-specific TEMPEST requirements to prevent unintended information disclosure via compromising em... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.