Maintain a Register for Medical Devices in Secure Areas
Keep an updated list of approved medical devices for secure areas like SECRET and TOP SECRET zones.
Plain language
This control is about keeping a detailed list of approved medical devices that can be used in highly secure areas like those storing TOP SECRET information. It's important because unauthorised devices could introduce risks, such as data leaks or security breaches, which could have serious consequences for your organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
An authorised medical device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis.
Why it matters
An incomplete medical device register could allow unauthorised devices, risking data leaks from SECRET and TOP SECRET areas.
Operational notes
Regularly verify the medical device register against current authorisations for SECRET/TOP SECRET areas, and remove any devices no longer approved.
Implementation tips
- Facility Managers should create a centralised list of medical devices approved for use in secure areas. Start by identifying every device currently in these areas and consulting with security teams to determine which are truly necessary and pose minimal risk.
- Security Officers should ensure that any new medical device being introduced is approved before use. This involves reviewing the device’s specifications and potential security risks, and gaining clearance from the authorising management level.
- IT Personnel should regularly update the register, adding new devices and removing obsolete ones. Set a quarterly reminder to cross-check the physical presence of devices against the list and update accordingly.
- The Compliance Officer should verify that the register is regularly maintained. Schedule reviews to confirm updates are made after each audit or when changes occur, such as device upgrades or new protocols.
- Training Coordinators should brief relevant staff on why it's important to keep the register accurate. Run workshops explaining the security implications of unlisted devices and procedures for ensuring compliance.
Audit / evidence tips
- Ask for the current medical device register: Request the document listing all approved devices for secured areas.
  Good: the register will be up-to-date, complete with no missing devices, and have clear approval notations.
- Ask to see the approval process documentation: Request records showing how devices were approved to enter secure areas.
  Good: the process is documented with clear criteria and approvals from an authorised manager.
- Ask for the device update logs: Request the document or report showing when and how the register is updated.
  Good: the log will have consistent, timely updates with changes noted correctly.
- Ask staff about their training on device protocols: Request details or records of training sessions held regarding the device register’s importance and maintenance.
- Ask for incident reports involving medical devices: Request any incident logs concerning unauthorised devices in secure areas.
  Good: includes detailed incident reports and measures taken to prevent recurrence.
Cross-framework mappings
How ISM-2007 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.9 | ISM-2007 requires an authorised, maintained, and regularly verified register of approved medical devices for SECRET and TOP SECRET areas |
| Supports | Annex A 7.2 | ISM-2007 requires organisations to control medical devices in SECRET and TOP SECRET areas by maintaining and verifying an authorised devi... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.