ISM-0465 ASD Information Security Manual (ISM)

Use Evaluated Cryptographic Tools for Sensitive Data

Use evaluated cryptographic tools to protect sensitive data on insecure or public networks.

Plain language

When you're sending important info like personal details or business data over the internet or on potentially unsafe networks, you want to make sure no one else can see it. This control is about using special tools that have been tested and approved to keep your data safe when it travels through these risky areas. Without it, sensitive information could be intercepted by someone with bad intentions, leading to identity theft, financial loss, or damage to your reputation.

Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: OS, P
ISM last updated: Aug 2025
Control Stack last updated: 19 May 2026
E8 maturity levels: N/A

Official control statement

Cryptographic equipment, applications or libraries that have completed a Common Criteria evaluation against an ASD-endorsed Protection Profile are used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
ASD Information Security Manual (ISM) ISM-0465

Why it matters

Without Common Criteria-evaluated crypto, OFFICIAL: Sensitive/PROTECTED data sent over public or untrusted networks may be intercepted or altered, causing compromise and reportable breaches.

Operational notes

Use only Common Criteria-evaluated crypto against ASD-endorsed Protection Profiles for OFFICIAL: Sensitive/PROTECTED data over public/untrusted networks; verify certificates and approved versions periodically.

Implementation tips

  • IT teams should check that existing applications meet the evaluated criteria for cryptographic tools. They can do this by reviewing vendor information or acquiring a list of evaluated products from the Common Criteria portal or the ACSC website.
  • Procurement officers need to specify in purchase agreements that cryptographic tools must be evaluated against an endorsed Protection Profile. This can be done by including it as a requirement in tender documents or purchasing guidelines.
  • System administrators should set up systems to automatically use these approved cryptographic tools when transmitting sensitive data. This means configuring software settings to always opt for encrypted communication options by default.
  • Managers should educate staff about the importance of using secure communication tools. They can run short training sessions explaining why certain applications are used for sending sensitive data and how to verify if a tool is approved.

Audit / evidence tips

  • Ask: A list of cryptographic tools currently in use. Ensure each tool on the list has gone through Common Criteria evaluation. Good: A complete list where each tool has documentation proving its evaluated status.
  • Ask: Configuration documentation from the IT department. Examine how cryptographic tool settings are configured to default to secure communications. Good: Includes screenshots or settings logs showing encrypted communication as the default.
Cross-framework mappings

How ISM-0465 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.24: ISM-0465 requires the use of Common Criteria evaluated cryptographic equipment, applications or libraries (against an ASD-endorsed Protec...

Partially overlaps (1)

  • Annex A 7.9: Annex A 7.9 involves protecting assets outside organisational premises

Supports (1)

  • Annex A 8.33: Annex A 8.33 requires selection and protection of test information to avoid exposure of sensitive data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
