ISM-0465 ASD Information Security Manual (ISM)

Use Evaluated Cryptographic Tools for Sensitive Data

Use evaluated cryptographic tools to protect sensitive data on insecure or public networks.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

OS, P

🗓️ ISM last updated

Aug 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Cryptographic equipment, applications or libraries that have completed a Common Criteria evaluation against an ASD-endorsed Protection Profile are used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.

Source: ASD Information Security Manual (ISM)

Plain language

When you're sending important info like personal details or business data over the internet or on potentially unsafe networks, you want to make sure no one else can see it. This control is about using special tools that have been tested and approved to keep your data safe when it travels through these risky areas. Without it, sensitive information could be intercepted by someone with bad intentions, leading to identity theft, financial loss, or damage to your reputation.

Why it matters

Without Common Criteria–evaluated crypto, OFFICIAL: Sensitive/PROTECTED data sent over public or untrusted networks may be intercepted or altered, causing compromise and reportable breaches.

Operational notes

Use only Common Criteria–evaluated crypto against ASD-endorsed Protection Profiles for OFFICIAL: Sensitive/PROTECTED data over public/untrusted networks; verify certificates and approved versions periodically.

Implementation tips

  • Look for software that highlights its security credentials, particularly products that mention evaluation by the Australian Signals Directorate or ACSC endorsement.
  • IT teams should check that existing applications meet the evaluated criteria for cryptographic tools. They can do this by reviewing vendor information or acquiring a list of evaluated products from the Common Criteria portal or the ACSC website.
  • Procurement officers need to specify in purchase agreements that cryptographic tools must be evaluated against an endorsed Protection Profile. This can be done by including it as a requirement in tender documents or purchasing guidelines.
  • System administrators should set up systems to automatically use these approved cryptographic tools when transmitting sensitive data. This means configuring software settings to always opt for encrypted communication options by default.
  • Managers should educate staff about the importance of using secure communication tools. They can run short training sessions explaining why certain applications are used for sending sensitive data and how to verify if a tool is approved.

Audit / evidence tips

  • Ask for a list of cryptographic tools currently in use. Ensure each tool on the list has gone through Common Criteria evaluation.

    Good: a complete list where each tool has documentation proving its evaluated status.

  • Ask for configuration documentation from the IT department. Examine how cryptographic tool settings are configured to default to secure communications.

    Good: screenshots or settings logs showing encrypted communication as the default.

Cross-framework mappings

How ISM-0465 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.24: ISM-0465 requires the use of Common Criteria evaluated cryptographic equipment, applications or libraries (against an ASD-endorsed Protec...

Partially overlaps (1)

  • Annex A 7.9: Annex A 7.9 involves protecting assets outside organisational premises

Supports (1)

  • Annex A 8.33: Annex A 8.33 requires selection and protection of test information to avoid exposure of sensitive data
