Restrict Sensitive Emails to Verified Recipients
Sensitive emails must not go to groups unless all recipients' nationalities are confirmed.
Plain language
This control ensures that emails with sensitive Australian government data are only sent to people whose nationalities we know and trust. It matters because sending such emails to unknown or unverified recipients could lead to information ending up in the wrong hands, risking national security or privacy breaches.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: S, TS
ISM last updated: Feb 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be confirmed.
Why it matters
Sending AEO/AGAO/REL data to distribution lists without confirming every member’s nationality can disclose sensitive information to ineligible recipients and breach policy.
Operational notes
Regularly audit distribution list membership and maintain evidence of each member’s confirmed nationality before allowing AEO/AGAO/REL emails to be sent to the list.
Implementation tips
- The IT team should set up guidelines for email distribution: make sure only verified individuals are members of email groups allowed to receive sensitive information. Use a checklist to update and confirm each recipient's nationality for these groups.
- HR should coordinate with IT to maintain employee nationality records: keep a secure database that records the nationality of all employees. Ensure this information is up to date and accessible only to authorised personnel.
- Managers should regularly review the composition of email distribution lists: conduct quarterly checks to confirm all group members are verified according to company policy. Work with IT to remove people whose nationality cannot be confirmed.
- System administrators should configure email systems to flag or block sensitive emails: use email settings to alert senders when their message includes sensitive data and is addressed to an unverified email group. This can prevent accidental misdelivery.
- The office manager should train staff on email sensitivity protocols: organise training sessions that explain the risks of sending sensitive emails to unverified recipients. Use real-world examples to highlight the importance of following these guidelines.
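An added illustration of the gateway check described in the system-administrator tip above (example code, not from the Control Stack page or ASD; the marking syntax, caveat tokens, addresses and nationality records are constructed assumptions). It expands distribution lists, including nested ones, and blocks a caveated message when any member's nationality has not been confirmed:

```python
"""Mail-gateway policy check for ISM-0269 (added example; not the page's or ASD's code).
Marking format, caveat tokens, addresses and records below are constructed assumptions."""
from dataclasses import dataclass

# Caveat tokens this control covers (AEO/AGAO/REL as abbreviated on the page; syntax assumed).
RESTRICTED_CAVEATS = {"AEO", "AGAO", "REL"}


@dataclass
class Directory:
    """Stand-in for HR nationality records and the mail directory (constructed)."""
    confirmed_nationality: dict  # address -> nationality, present only once HR has verified it
    distribution_lists: dict     # list address -> member addresses (members may be lists)


def message_caveats(marking: str) -> set:
    """Return the restricted caveats in a marking such as 'SECRET//AEO' or 'TOP SECRET//REL TO AUS, NZL'."""
    body = marking.upper().split("//", 1)
    if len(body) < 2:
        return set()  # no caveat section: the control does not apply
    tokens = {t.strip().split(" ")[0] for t in body[1].replace("/", ",").split(",")}
    return tokens & RESTRICTED_CAVEATS


def expand_members(list_addr: str, d: Directory, seen=None) -> set:
    """Flatten a distribution list, following nested lists once each (guards against loops)."""
    seen = set() if seen is None else seen
    members = set()
    for m in d.distribution_lists.get(list_addr, ()):
        if m in d.distribution_lists:
            if m not in seen:
                seen.add(m)
                members |= expand_members(m, d, seen)
        else:
            members.add(m)
    return members


def check_send(marking: str, recipients: list, d: Directory):
    """Allow the message unless a caveated email targets a list with an unverified member.
    Returns (allowed, reasons) so the gateway can block and tell the sender why."""
    if not message_caveats(marking):
        return True, []
    reasons = []
    for rcpt in recipients:
        if rcpt not in d.distribution_lists:
            continue  # individual recipient, not a distribution list: outside this control
        unverified = sorted(m for m in expand_members(rcpt, d) if m not in d.confirmed_nationality)
        if unverified:
            reasons.append(f"{rcpt}: nationality not confirmed for {', '.join(unverified)}")
    return not reasons, reasons


# Constructed sample directory: 'contractors' is nested inside 'project-x' and has an unverified member.
DIRECTORY = Directory(
    confirmed_nationality={"alice@example.gov.au": "AUS", "bob@example.gov.au": "AUS"},
    distribution_lists={"project-x@example.gov.au": ["alice@example.gov.au", "contractors@example.gov.au"],
                        "contractors@example.gov.au": ["bob@example.gov.au", "carol@example.gov.au"]},
)
```

The reasons list doubles as the audit evidence the operational notes call for: log it with the sender, marking and list name each time a send is refused.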
Audit / evidence tips
- Ask: for the email distribution list policy. Request a document outlining procedures for verifying recipient nationalities.
  Good: the policy clearly defines steps and responsible parties.
- Ask: how they verify and record employee nationality.
  Good: includes a secure, well-maintained database and a regular audit process.
- Good: the instance shows thorough cross-checking with HR records.
- Ask: for a demonstration of how the email system alerts staff sending sensitive data to unverified groups. Verify that alerts are functioning and based on current distribution lists.
- Ask: employees about email training received. During interviews, ask staff about sessions on handling sensitive emails.
  Good: evidence comes from staff who recall key training points and understand compliance.
Cross-framework mappings
How ISM-0269 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.18 | ISM-0269 requires restricting dissemination of specific sensitive information in email by ensuring only verified-nationality recipients i... |
| Supports | Annex A 6.1 | ISM-0269 requires that distribution list recipients of AEO/AGAO/Releasable To emails have confirmable nationalities before sending |
| Depends on | Annex A 5.12 | ISM-0269 requires enforcing handling rules for specific sensitive classifications by preventing sending to distribution lists unless reci... |
| Related | Annex A 5.15 | Annex A 5.15 requires organisations to define and implement rules controlling access to information based on business and security requir... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.