ISM-1973: ASD Information Security Manual (ISM)

Secure Facilities for Non-Classified Systems

Ensure non-classified systems are located in secure buildings to prevent unauthorised access.

Plain language

Imagine if your office was left unlocked overnight. Anyone could walk in and take things. Non-classified systems need to be in secure buildings to prevent unauthorised access. If we don’t secure them, we risk someone tampering with our systems or stealing important data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Non-classified systems are secured in suitably secure facilities.

Why it matters

If non-classified systems aren’t in secure facilities, unauthorised physical access can enable theft, tampering or outages, disrupting operations.

Operational notes

Confirm the facility’s locks, visitor controls and access logs work as intended, and review who can enter areas housing non-classified systems.

Implementation tips

  • Business managers should ensure that the building housing non-classified systems is secure. They can do this by checking that locks, alarms, and surveillance cameras are installed and working properly. Regularly testing these security measures can help identify weak points.
  • Office managers should identify where non-classified systems are kept and lock these areas. This could mean using lockable server rooms or secure cabinets for smaller devices. Ensure that only authorised staff have keys or access codes.
  • Security personnel should conduct regular patrols around the facility, focusing on entry points. Set scheduled times for these checks and keep a log of each patrol. This can deter unauthorised attempts to access the facility.
  • IT staff should keep an inventory of all non-classified systems and their locations. Maintain this list digitally and update it whenever a system is relocated or replaced. This helps ensure all systems are accounted for and in secure locations.
  • Training coordinators should provide staff training on security protocols for non-classified systems. This includes recognising suspicious behaviour and knowing emergency procedures. Conduct training sessions at least annually and after any updates to security measures.

Audit / evidence tips

  • Ask: A list of physical security measures. Request a documented list of security measures in place for the building where non-classified systems are located.
  • Good: Log has regular entries with authorised personnel signatures.
  • Ask: Patrol logs. Review logs of security patrols conducted around the facility.
  • Ask: The inventory list. Request an inventory of non-classified systems and their locations.

Cross-framework mappings

How ISM-1973 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.3: Annex A 7.3 requires physical security for offices, rooms and facilities to be designed and implemented to prevent unauthorised access

Partially overlaps (2)

  • Annex A 7.6: Annex A 7.6 requires organisations to implement security measures governing activities and behaviours when working in secure areas
  • Annex A 7.8: Annex A 7.8 requires equipment to be placed in secure locations and protected from unauthorised access and physical/environmental harm

Supports (2)

  • Annex A 7.2: Annex A 7.2 requires secure areas to be protected by appropriate entry controls and controlled access points
  • Annex A 7.4: ISM-1973 requires non-classified systems to be secured in suitably secure facilities to prevent unauthorised physical access

Related (1)

  • Annex A 7.5: Annex A 7.5 requires organisations to implement protections against physical threats (e.g

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
