Secure Non-Classified Equipment in Safe Containers
Secure non-classified equipment in secure containers to protect against unauthorized physical access.
Plain language
This control is about making sure that equipment like servers or network devices, which are not classified but still important, are kept safe in secure containers. This matters because if someone can physically access this equipment without authorisation, they could steal information, damage it, or disrupt your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical securitySection
Facilities and systemsOfficial control statement
Non-classified servers, network devices and cryptographic equipment are secured in suitably secure security containers.
Why it matters
If non-classified servers, network devices or cryptographic equipment are not locked in secure containers, they can be accessed or tampered with, causing data theft and service disruption.
Operational notes
Inspect safe containers routinely (locks, hinges, bolts and tamper evidence), confirm only authorised staff hold keys/combinations, and log access to equipment stored inside.
Implementation tips
- Managers should identify all non-classified equipment in their facilities that need protection. Make a list of items like servers and network devices, then find out where they are currently stored and whether they are adequately secured.
- The IT team should select and install sturdy, lockable cabinets or containers to safeguard the equipment. Ensure these containers are placed in locations that are not easily accessible to unauthorised people, and install locks that have physical keys or password systems only available to those who need access.
- Facility managers should coordinate with security personnel to monitor access to areas containing the secure containers. Use cameras or regular security patrols to deter unauthorised access or tampering.
- IT personnel should regularly audit the contents of the secure containers to ensure all equipment is accounted for. Develop a checklist to verify that each piece of equipment is in place and have explanations ready for any discrepancies.
- Managers should train staff on the importance of physical security and the protocols for accessing secured containers. Offer regular sessions to keep everyone updated on the procedures and the reasons for their importance.
Audit / evidence tips
- AskAn inventory list of all non-classified equipment: Request a comprehensive document detailing each piece of non-classified equipment and its location GoodIs a well-documented list showing each item is accounted for and secured appropriately
- AskTo see the acquisition records for secure containers: Request documentation demonstrating that secure containers were purchased and installed
- AskLogs detailing who accessed the container areas and when GoodConsists of detailed records showing all entries are by authorised personnel
- GoodExample shows all equipment accounted for with actions indicated for any issues found
- AskStaff training records on security protocols: Request evidence of training sessions conducted for staff on accessing secure containers GoodProvides proof of consistent training reinforcing the policy among relevant staff
Cross-framework mappings
How ISM-1975 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.3 | Annex A 7.3 requires physical security controls to protect offices, rooms and facilities from unauthorised access | |
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 7.2 | ISM-1975 requires non-classified servers, network devices and cryptographic equipment to be secured in suitably secure security container... | |
| Annex A 7.8 | Annex A 7.8 requires equipment to be sited securely and protected to reduce unauthorised access and physical compromise | |
| handshake Supports (1) expand_less | ||
| Annex A 7.1 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... | |
| link Related (1) expand_less | ||
| Annex A 7.5 | Annex A 7.5 requires design and implementation of protections against physical threats to infrastructure and equipment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.