Document Device Settings for Critical and High-Value Servers
Keep records of settings for important servers and network devices to ensure strong network security.
Plain language
This control is about keeping detailed records of the settings for important servers and network devices. Proper documentation helps ensure you can quickly restore systems if something goes wrong, like a cyber attack or system failure. Without these records, it could take longer to fix issues, leading to downtime and potential loss of data.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Topic
Network Documentation
Official control statement
Network documentation includes device settings for all critical servers, high-value servers, network devices and network security appliances.
Why it matters
Without documented settings for critical and high-value servers, incident recovery and rebuilds are slower, increasing downtime and risk of data loss.
Operational notes
Record and version device settings for critical/high-value servers, network devices and security appliances; validate during change windows so rebuilds restore known-good configs.
Implementation tips
- The IT team should maintain an up-to-date inventory of all critical and high-value servers. This means having a list that includes each server's purpose, location, and key settings. They can use a simple spreadsheet or a specialised software tool to keep everything organised.
- Managers should ensure that documentation processes are formally established. This means setting up clear guidelines on how and when settings should be recorded or updated. These guidelines should be communicated to everyone involved, ensuring consistency in documentation.
- IT staff should regularly back up configuration settings for servers and network devices. This involves saving the current settings file to a secure location so that it can be used for recovery if needed. This backup should be part of a regular schedule, like weekly or after every major change.
- System administrators should review and update server documentation whenever changes are made. This means every time a significant change occurs, such as installing a new application or updating software, the documentation must reflect these changes to remain accurate.
- Business owners should ensure their IT team performs periodic audits of the documentation. This involves reviewing the documentation to check that all critical systems are accounted for and that no discrepancies exist between what is documented and what is actually deployed. This helps to identify areas that may need attention.
Audit / evidence tips
- Ask for the server inventory list: Request to see the detailed list of servers and devices
  Good is a comprehensive list that matches the current hardware and configurations used by the organisation
- Ask for the latest backup record: Obtain the records confirming backups of device settings
  Good is recent backups stored securely with a documented schedule showing regular intervals
- Ask for logs or tracking documents showing when settings were last updated. Verify that recent and past changes are documented
  Good is a tracking system with timestamps and change descriptions, showing it is actively maintained
- Ask for the guidelines on documentation standards: Request the written guidelines or policies regarding the documentation of server settings
  Good is a clear, accessible document that outlines processes and responsible parties
- Ask for records showing reviews or audits of the documentation
  Good is periodic audit reports with actionable insights and confirmation of no major discrepancies
Cross-framework mappings
How ISM-1912 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.9 | Annex A 8.9 requires organisations to document and maintain configurations for systems and to keep them under review | |
| Supports (2) | | |
| Annex A 8.20 | ISM-1912 requires organisations to document device settings for critical and high-value servers, network devices and security appliances | |
| Annex A 8.21 | ISM-1912 requires network documentation to include device settings for critical and high-value servers and network/security devices | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.