Develop and Maintain Approved IT Configurations
Ensure IT equipment is set up with approved configurations to enhance security.
Plain language
This control is about making sure all your computer and IT devices are set up in a way that's been officially approved to keep your business safe from cyber threats. If your hardware and software settings aren’t configured correctly, it makes it easier for hackers and malware to cause trouble, potentially leading to data breaches or loss of sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment usage
Official control statement
Approved configurations for IT equipment are developed, implemented and maintained.
Why it matters
If approved configuration baselines aren’t maintained, systems drift into insecure states, creating gaps and inconsistent hardening that can be exploited for unauthorised access.
Operational notes
Define approved baseline builds, deploy via configuration management, and routinely verify against the baseline; investigate and remediate drift and only apply changes via approved change control.
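The verify-against-baseline step above, as an added example that is not part of the ISM or Control Stack: it compares a device's reported settings with the approved baseline and separates drift covered by an approved change record from drift that needs investigation. All setting names, values, the snapshot and the ticket id are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample baseline and change records (hypothetical setting names).
APPROVED_BASELINE = {
    "password_min_length": "14",
    "account_lockout_threshold": "5",
    "firewall_inbound_default": "deny",
    "ssh_permit_root_login": "no",
    "ntp_server": "time.corp.example",
}
# setting -> (value approved through change control, ticket id)
APPROVED_CHANGES = {"ntp_server": ("time2.corp.example", "CHG-0042")}


@dataclass
class DriftReport:
    unapproved: dict = field(default_factory=dict)  # setting -> (expected, actual)
    approved: dict = field(default_factory=dict)    # setting -> (actual, ticket)
    missing: list = field(default_factory=list)     # baseline keys the device did not report

    @property
    def compliant(self) -> bool:
        # Sanctioned changes are fine; unapproved drift or missing settings are not.
        return not self.unapproved and not self.missing


def check_drift(baseline: dict, actual: dict, approved_changes: dict) -> DriftReport:
    """Compare a device's reported settings with the approved baseline."""
    report = DriftReport()
    for setting, expected in baseline.items():
        if setting not in actual:
            report.missing.append(setting)
            continue
        observed = actual[setting]
        if observed == expected:
            continue
        change = approved_changes.get(setting)
        if change and change[0] == observed:
            report.approved[setting] = (observed, change[1])   # covered by a ticket
        else:
            report.unapproved[setting] = (expected, observed)  # investigate and remediate
    return report


if __name__ == "__main__":
    # Constructed snapshot of what one device actually reports.
    snapshot = {"password_min_length": "8", "account_lockout_threshold": "5",
                "firewall_inbound_default": "deny", "ntp_server": "time2.corp.example"}
    r = check_drift(APPROVED_BASELINE, snapshot, APPROVED_CHANGES)
    print("compliant:", r.compliant, "unapproved:", r.unapproved, "missing:", r.missing)
```

In practice the snapshot would come from a configuration management tool's inventory, and the change records from the change control system.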
Implementation tips
- IT team should document approved configurations: They need to write down specific settings for all IT equipment like computers, servers, and routers. This might include settings such as password policies and firewall rules. Once documented, these should be reviewed by someone experienced and shared with all relevant staff.
- System owners should ensure devices are configured correctly: The person responsible for each piece of IT equipment should make sure they follow the documented settings exactly. They can use a simple checklist and verify each device, asking the IT team for help if needed.
- Managers should provide training: Make sure everyone in the organisation who uses IT equipment knows why these configurations are important. Run training sessions every few months where the IT team explains how the configurations protect the organisation.
- IT team should implement regular checks: Set up a routine, like quarterly checks, where the IT team reviews a sample of equipment to ensure they still match the approved configurations. Use an easy-to-follow list and keep track of any changes.
- Management should endorse the configuration policies: Have a meeting where managers formally approve the documented configurations and commit to supporting adherence. During this meeting, they should discuss the importance of configurations and agree on how they’ll promote consistent use.
Audit / evidence tips
- Ask for the configuration documentation: Request to see the written records of the approved settings for IT equipment. Good evidence is a well-structured document that covers each type of device used, with settings clearly laid out.
- Ask for the training logs: Request records that show when and how staff were trained on IT configurations. Good evidence is a series of regular sessions with good attendance and covered topics matching the importance of the configurations.
- Ask for evidence of implementation: Request examples where the approved settings were applied to devices. Good evidence is devices matching the documented configurations closely.
- Ask about review and update processes: Request information on how configuration settings are kept current. Good evidence is a routine process for updating the configurations based on recent security advice from the ACSC (Australian Cyber Security Centre).
- Ask for logging and monitoring records: Request logs that show any changes made to device configurations. Good evidence is consistent logs with authorised actions only, reviewed regularly to identify any unexpected changes.
Cross-framework mappings
How ISM-1913 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.8 | ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained |
| Supports | Annex A 7.13 | Annex A 7.13 mandates correct equipment maintenance for information security |
| Related | Annex A 8.9 | ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained |
E8
| Relationship | Control | Notes |
|---|---|---|
| Depends on | E8-AH-ML2.5 | E8-AH-ML2.5 requires implementing a defined Microsoft Office configuration that prevents OLE package activation |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.