Inspect and Decrypt TLS Traffic through Gateways
Gateways decrypt and check TLS internet traffic for safety reasons.
Plain language
This control is about making sure the internet traffic that comes into and goes out of your organisation is safe. It does this by temporarily unlocking secure web traffic at a gateway to check for any potential threats, like viruses or hacking attempts. If left unchecked, harmful data can sneak through and cause major damage, like leaking confidential information or disrupting your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Web content filters
Official control statement
TLS traffic communicated through gateways is decrypted and inspected.
Why it matters
Without TLS decryption and inspection at gateways, malware and data exfiltration can hide in encrypted sessions, bypassing gateway security controls.
Operational notes
Maintain gateway TLS interception certificates/keys, review SSL bypass/exemption lists, and verify decrypted traffic is logged and inspected for threats.
Implementation tips
- The IT team should set up a secure gateway to manage internet traffic. This means selecting a reliable and up-to-date system that can intercept and decrypt the traffic for inspection before it reaches internal systems.
- The IT team must configure the gateway to automatically block suspicious or dangerous content. This involves setting rules for the gateway to identify and stop potential threats, ensuring only safe traffic is allowed through.
- A cybersecurity officer should ensure the gateway is regularly updated. This means keeping the system patched with the latest security updates to defend against new types of cyber threats.
- The IT team should document the process for inspecting and decrypting traffic. Create clear guidelines that describe how the inspection is done, who oversees it, and what happens if a threat is found.
- Managers should conduct regular training for staff to understand the importance of traffic inspection. This helps all employees recognise how this process protects the organisation and encourages them to report any suspicious activity.
Audit / evidence tips
- Ask: gateway configuration documents: Request details on how the gateway is set up to filter internet traffic
  Good: would include an updated configuration file with comprehensive rules against different types of threats
- Good: shows regular activity and appropriate response actions
- Ask: them to explain the decryption and inspection process
  Good: would include a well-understood workflow and recent examples of threat mitigation
- Ask: a demonstration of the gateway filtering traffic
  Good: shows the gateway actively blocking a test threat
- Good: includes recent training sessions and participation records from all staff
Cross-framework mappings
How ISM-0263 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-0263 requires gateways to decrypt and inspect TLS traffic traversing them | |
| Supports (3) | | |
| Annex A 8.7 | ISM-0263 requires decrypting and inspecting TLS traffic at gateways so that malicious payloads and unsafe content can be detected in encr... | |
| Annex A 8.16 | ISM-0263 requires decryption and inspection of TLS traffic through gateways to enable security visibility into encrypted communications | |
| Annex A 8.24 | ISM-0263 requires that TLS traffic passing through gateways is decrypted and inspected to identify malicious or non-compliant content | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.