ISM-0460 ASD Information Security Manual (ISM)

Use HACE for Encrypting Sensitive Media

High Assurance Cryptographic Equipment (HACE) ensures the encryption of media with SECRET or TOP SECRET data is secure.

Plain language

This control ensures that if you have secret or top secret information on any digital media, it's encrypted properly to keep it safe. This matters because if the information is not encrypted, it could get into the wrong hands, leading to secrets being exposed, causing serious security risks and potential harm to your business or mission.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

HACE is used when encrypting media that contains SECRET or TOP SECRET data.

Why it matters

Failure to use HACE to encrypt SECRET or TOP SECRET media can enable compromise if the media is lost, stolen or accessed without authorisation.

Operational notes

Verify all SECRET/TOP SECRET removable media is encrypted with HACE before issue, transport or disposal; record checks and remediate any non-HACE media.

Implementation tips

  • The IT team should identify all media that might contain secret or top secret information. They can do this by conducting an inventory check of devices and storage media in use across the organisation, focusing on those used for sensitive tasks.
  • IT managers need to ensure that appropriate encryption software is installed and configured on identified devices. They should choose government-approved encryption solutions recommended by the Australian Cyber Security Centre (ACSC) for high-assurance needs.
  • Data handlers, such as employees dealing with sensitive information, must be trained on the importance of encryption. Provide them with hands-on sessions to show how to use encryption tools correctly to secure files before storing or transmitting them.
  • System administrators should regularly review and update encryption software to guard against vulnerabilities. Set up a monthly task to check for and apply updates, ensuring the encryption remains strong and reliable.
  • The IT security team should set up monitoring to detect any storage devices that do not have encryption enabled. Implement alerts to notify the team in real time if unencrypted media is detected, so they can act swiftly to secure it.

Audit / evidence tips

  • Ask: The inventory of devices and storage media containing sensitive information. Good: Includes a comprehensive list with clear indications of all encrypted media.
  • Good: Result shows complete deployment records and compliance with national standards.
  • Ask: To see the training records for staff handling sensitive media. Look to confirm that they have received training on encryption practices within the last year. Good: Is a schedule of completed sessions with attendee lists and topics covered.
  • Good: Outcome shows consistent updates without large gaps, confirming ongoing encryption reliability.
  • Ask: To see the monitoring reports on unencrypted media detection. Good: Report shows quick identification and resolution of issues, with minimal unencrypted exposure.

Cross-framework mappings

How ISM-0460 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-0460 requires that HACE is used when encrypting media that contains SECRET or TOP SECRET data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.