Ensure All Web Access Uses Proxies
All web access must go through web proxies to control and monitor internet use.
Plain language
This control means that whenever you or your servers access the internet, they should go through a web proxy. Think of a proxy as a filter that checks what is being accessed online. If this isn't done, risky websites could be accessed without any checks, which might lead to security breaches or improper use of company data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
All web access, including that by internal servers, is conducted through web proxies.
Why it matters
Without enforced web proxy use, users and servers may browse directly to malicious sites, bypass filtering/logging, and enable malware or data loss.
Operational notes
Monitor proxy logs for anomalies, validate all egress web traffic (including servers) is forced through the proxy, and block direct Internet access at firewalls.
Implementation tips
- The IT team should configure all internet connections through a web proxy. They can do this by setting up a central proxy server that all devices must use to access the web. This ensures every request to visit a website is checked and logged.
- Business managers should ensure awareness of this policy among employees. They can host a meeting explaining why internet access is filtered and how it protects both the organisation and its employees from online threats.
- System administrators should regularly update the proxy server rules. They can achieve this by reviewing available updates to the proxy software and applying necessary updates to keep the system secure.
- Procurement should ensure any new systems or servers adhere to this requirement. They should include the use of web proxies as a mandatory requirement in any purchase of systems that access the internet.
- The IT manager should conduct regular training sessions for network and system users. Training should cover the reasons for using proxies, how they work, and what users should expect in terms of web access and monitoring.
Audit / evidence tips
- AskThe internet usage policy: This document should state that all traffic goes through a web proxy GoodIs clear criteria and steps that meet this requirement
- GoodIs complete settings showing all internet traffic is covered
- AskHow they configure and maintain the proxy server GoodIs staff confidently explaining ongoing management and the benefits of using proxies
- GoodIs the seamless but secure connection after proxy verification
- GoodProvides evidence of regular checked and updated logs
Cross-framework mappings
How ISM-0260 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 8.23 | ISM-0260 requires that all web access, including from internal servers, be routed through web proxies for control and monitoring | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-AH-ML1.2 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.