ISM-0457 (policy), ASD Information Security Manual (ISM)

Use Evaluated Crypto for Sensitive Data Encryption

Use approved cryptographic tools to encrypt sensitive or protected data to ensure security.


Plain language

This control is about making sure that when we lock up sensitive or important information with digital 'locks', we use only trusted and approved methods. If these methods aren't followed, there's a risk your confidential information could be unlocked and accessed by people who shouldn't have it, leading to privacy breaches or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

OS, P (OFFICIAL: Sensitive, PROTECTED)

ISM last updated

Aug 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Cryptographic equipment, applications or libraries that have completed a Common Criteria evaluation against an ASD-endorsed Protection Profile are used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.

Why it matters

Without Common Criteria-evaluated cryptography, media holding OFFICIAL: Sensitive or PROTECTED data may be decrypted by attackers, leading to data breaches and loss.


Operational notes

Maintain an approved list of Common Criteria-evaluated crypto (ASD-endorsed Protection Profiles) and revalidate versions before use.


Implementation tips

  • System owners should identify the types of sensitive data they handle. They can do this by creating a list of data categories that are considered sensitive or protected, like customer information or financial details. This helps in understanding what needs to be encrypted at all times.
  • The IT team should select cryptographic tools that are evaluated and approved by the appropriate Australian authorities, specifically those that adhere to the Common Criteria standards. This involves researching tools already evaluated against an ASD-endorsed Protection Profile to ensure compliance.
  • Procurement staff should collaborate with the IT team during the purchase of new encryption tools and ensure that only those which have been officially endorsed and evaluated are procured. This can be done by checking suppliers' documentation against the approved list of products.
  • Managers should arrange for regular training sessions for their staff about the importance of using recommended cryptographic solutions. This includes practical demonstrations and simple real-world analogies to make sure everyone understands the importance of following the rule.
  • The compliance officer should regularly review the organisation’s encryption practices and ensure that policies are up to date and align with the latest government standards. This can be done by setting scheduled policy reviews and updating documentation as needed when standards change.

Audit / evidence tips

  • Ask: Documentation of selected cryptographic tools. Request an inventory of cryptographic solutions used in the organisation. Good evidence: shows all tools used are listed and are approved according to government standards.
  • Ask: The procurement records. Check the records that show how cryptographic tools were selected and purchased. Good evidence: finding includes records showing approval and alignment with Common Criteria standards.
  • Ask: Training records. Obtain the schedule and content of recent training sessions on cryptographic practices. Good evidence: shows documented training with attendee lists and feedback.
  • Ask: Encryption policy documents. Request copies of current encryption policies. Good evidence: document will clearly list approved methods and align with recent standards.
  • Ask: Review meeting notes. Check notes from any strategic meetings regarding encryption practices. Good evidence: will include detailed minutes and action items aligned with policy.

Cross-framework mappings

How ISM-0457 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship, control and notes:

  • Partially meets (1): Annex A 8.24. ISM-0457 mandates the use of cryptographic equipment, applications or libraries that have completed a Common Criteria evaluation against ...
  • Partially overlaps (1): Annex A 7.9. Annex A 7.9 requires organisations to safeguard assets taken off-site.
  • Supports (1): Annex A 8.33. Annex A 8.33 mandates protection and management of test information, including preventing disclosure of sensitive data.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
