Securing Non-Classified IT Equipment in Secure Rooms
Non-classified IT equipment should be placed in secure rooms to prevent unauthorized physical access.
Plain language
This control is about making sure that non-classified IT equipment like servers or network gear is kept in secure rooms. This is important to prevent unauthorised people from physically accessing them, which could lead to data breaches, equipment damage, or disruptions in service.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
Non-classified servers, network devices and cryptographic equipment are secured in suitably secure server rooms or communications rooms.
Why it matters
Without secure server/comms rooms, unauthorised access to servers, network or cryptographic gear can enable tampering, outages and data compromise.
Operational notes
Restrict and log entry to server/comms rooms; review access lists regularly; ensure racks/cabinets are locked and equipment is physically secured.
Implementation tips
- Facility managers should identify server or communications rooms that need enhanced security. Start by listing all equipment that needs such protection and assess current security measures for each location.
- IT teams should ensure secure access control to these rooms. They can do this by installing key card systems or biometric locks which monitor and restrict access to authorised personnel only.
- Office managers should regularly review the list of authorised personnel. They should schedule monthly reviews and update access rights based on changes in staff roles or employment status.
- The security team should install surveillance cameras in and around the secure rooms. Ensure cameras cover all entry points and maintain regular checks to verify recordings are stored properly and accessible if needed.
- An external security consultant should conduct annual audits of the physical security measures. This includes assessing any potential vulnerabilities in the physical security controls and making recommendations for improvement.
Audit / evidence tips
- Ask: the list of rooms designated as secure
  Good: a comprehensive list with clear identification of the measures securing each room
- Ask: logs showing who accessed the secure rooms in the last month
  Good: detailed logs that match access rights, with no unauthorised entries
- Ask: the maintenance records of surveillance equipment
  Good: recent and regular maintenance records that show cameras are operational
- Ask: the list of people authorised to access secure rooms
  Good: a controlled list with justified, regularly updated permissions
- Ask: the security audit report produced by the external consultant
  Good: a thorough report with clear findings and evidence of follow-up actions
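The second evidence item above (access logs that match access rights, with no unauthorised entries) is a reconciliation an auditor can run rather than eyeball. The block below is an added example, not code from the page or from the ISM: it parses constructed badge-reader log lines, checks every granted entry against a constructed authorised list for that room, flags entries outside an assumed approved-hours window, and tallies denied attempts per badge. The log format, room code, badge IDs and the 07:00 to 19:00 window are all assumptions for illustration.

```python
"""Reconcile server/comms-room badge logs against the authorised-access list.

Added example: the log line format, room code, badge IDs, names and the
approved-hours window are constructed assumptions, not real data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Assumed authorised list: room code -> {badge ID: holder}.
AUTHORISED = {
    "SR-1": {"E1001": "a.smith", "E1002": "b.jones"},
}

# Assumed approved entry window; anything outside it is reviewed.
APPROVED_HOURS = (time(7, 0), time(19, 0))

# Constructed sample log: "<ISO timestamp> <room> <badge> <GRANTED|DENIED>".
SAMPLE_LOG = """\
2024-11-03T08:12:05 SR-1 E1001 GRANTED
2024-11-03T09:40:11 SR-1 E1002 GRANTED
2024-11-03T22:05:33 SR-1 E1001 GRANTED
2024-11-04T10:15:00 SR-1 E1999 GRANTED
2024-11-04T10:16:30 SR-1 E2000 DENIED
2024-11-04T10:17:02 SR-1 E2000 DENIED
"""


@dataclass
class Finding:
    timestamp: str
    room: str
    badge: str
    reason: str


def parse_line(line):
    """Split one log line into (datetime, room, badge, result)."""
    ts, room, badge, result = line.split()
    return datetime.fromisoformat(ts), room, badge, result


def reconcile(log_text, authorised=AUTHORISED, window=APPROVED_HOURS):
    """Return a Finding for every GRANTED entry that is not on the room's
    authorised list, or that falls outside the approved-hours window."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, room, badge, result = parse_line(line)
        if result != "GRANTED":
            continue  # denied attempts are tallied separately below
        holders = authorised.get(room, {})
        if badge not in holders:
            findings.append(Finding(ts.isoformat(), room, badge,
                                    "badge not on authorised list"))
        elif not (window[0] <= ts.time() <= window[1]):
            findings.append(Finding(ts.isoformat(), room, badge,
                                    "entry outside approved hours"))
    return findings


def denied_by_badge(log_text):
    """Count DENIED attempts per badge; repeated denials on one badge are
    worth a follow-up question during the audit."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, badge, result = parse_line(line)
        if result == "DENIED":
            counts[badge] += 1
    return counts


if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOG):
        print(f"{f.timestamp} {f.room} {f.badge}: {f.reason}")
    for badge, n in denied_by_badge(SAMPLE_LOG).items():
        print(f"{badge}: {n} denied attempt(s)")
```

Run against a month of real reader exports, the findings list is exactly the discrepancy set an auditor is asking for; an empty list is the "no unauthorised entries" outcome, and the denied-attempt tally surfaces badges that should be either added to the list with justification or investigated.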
Cross-framework mappings
How ISM-1974 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.1 | ISM-1974 requires non-classified servers, network devices, and cryptographic equipment to be secured in suitably secure server rooms or c... | |
| Annex A 7.3 | Annex A 7.3 requires an organisation-wide approach to designing and implementing physical security for offices, rooms and facilities | |
| Partially overlaps (1) | | |
| Annex A 7.8 | Annex A 7.8 requires that equipment is securely placed and physically protected | |
| Supports (1) | | |
| Annex A 7.4 | Annex A 7.4 requires continuous monitoring of premises to detect unauthorised physical access | |
| Depends on (1) | | |
| Annex A 7.2 | ISM-1974 requires non-classified servers, network devices, and cryptographic equipment to be secured in suitably secure server rooms or c... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.