Secure Non-Classified Equipment in Safe Containers
Secure non-classified equipment in secure containers to protect against unauthorized physical access.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC
ISM last updated: Nov 2024
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Non-classified servers, network devices and cryptographic equipment are secured in suitably secure security containers.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that equipment such as servers and network devices, which is not classified but still important, is kept safe in secure containers. This matters because anyone who can physically access this equipment without authorisation could steal information, damage the equipment, or disrupt your business operations.
Why it matters
If non-classified servers, network devices or cryptographic equipment are not locked in secure containers, they can be accessed or tampered with, causing data theft and service disruption.
Operational notes
Inspect safe containers routinely (locks, hinges, bolts and tamper evidence), confirm only authorised staff hold keys/combinations, and log access to equipment stored inside.
Implementation tips
- Managers should identify all non-classified equipment in their facilities that needs protection. Make a list of items like servers and network devices, then find out where they are currently stored and whether they are adequately secured.
- The IT team should select and install sturdy, lockable cabinets or containers to safeguard the equipment. Ensure these containers are placed in locations that are not easily accessible to unauthorised people, and install locks that have physical keys or password systems only available to those who need access.
- Facility managers should coordinate with security personnel to monitor access to areas containing the secure containers. Use cameras or regular security patrols to deter unauthorised access or tampering.
- IT personnel should regularly audit the contents of the secure containers to ensure all equipment is accounted for. Develop a checklist to verify that each piece of equipment is in place and have explanations ready for any discrepancies.
- Managers should train staff on the importance of physical security and the protocols for accessing secured containers. Offer regular sessions to keep everyone updated on the procedures and the reasons for their importance.
Audit / evidence tips
- Ask: an inventory list of all non-classified equipment. Request a comprehensive document detailing each piece of non-classified equipment and its location.
  Good: a well-documented list showing each item is accounted for and secured appropriately.
- Ask: to see the acquisition records for secure containers. Request documentation demonstrating that secure containers were purchased and installed.
- Ask: logs detailing who accessed the container areas and when.
  Good: detailed records showing all entries are by authorised personnel.
- Good: example shows all equipment accounted for with actions indicated for any issues found.
- Ask: staff training records on security protocols. Request evidence of training sessions conducted for staff on accessing secure containers.
  Good: proof of consistent training reinforcing the policy among relevant staff.
Cross-framework mappings
How ISM-1975 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 7.3 | Annex A 7.3 requires physical security controls to protect offices, rooms and facilities from unauthorised access | |
| Partially overlaps (2) | ||
| Annex A 7.2 | ISM-1975 requires non-classified servers, network devices and cryptographic equipment to be secured in suitably secure security container... | |
| Annex A 7.8 | Annex A 7.8 requires equipment to be sited securely and protected to reduce unauthorised access and physical compromise | |
| Supports (1) | ||
| Annex A 7.1 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... | |
| Related (1) | ||
| Annex A 7.5 | Annex A 7.5 requires design and implementation of protections against physical threats to infrastructure and equipment | |