ISM-0469 | ASD Information Security Manual (ISM)

Protect Data with ASD-Approved Cryptographic Protocols

Use approved cryptographic methods to secure data when it's communicated over networks.


Plain language

This control is about using strong, approved methods to scramble your data when it's sent over the internet or other networks. It's important because if you don't encrypt your data properly, it could be intercepted by hackers, leading to theft of sensitive information or identity fraud.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure.

Why it matters

Unauthorised access to unencrypted data in transit can lead to data breaches, severely damaging reputation and incurring financial penalties.


Operational notes

Audit network traffic and configurations to ensure only ASD-Approved Cryptographic Protocols (AACP) protect data in transit; disable insecure protocols and ciphers.


Implementation tips

  • The IT team should confirm that all network communications use ASD-approved cryptographic protocols. They can do this by reviewing the protocols currently in use and updating any outdated or unapproved methods to meet ASD standards.
  • Managers should ensure that staff who handle sensitive data are aware of the importance of using secure communication methods. This can be done by organising training sessions that explain how data should be handled and why it matters.
  • Procurement staff should specify that any new software or systems purchased must support ASD-approved cryptographic protocols. They can achieve this by checking specifications during the purchasing process and consulting with the IT team.
  • The system owner should periodically review the organisation’s encryption policies and protocols to ensure ongoing compliance with ASD standards. This review could be scheduled annually and documented to keep a track record of compliance checks.
  • The IT team should implement a monitoring system to detect any unencrypted data transmission on the network. They could use tools that alert them to non-compliant communications and then remediate the issues promptly.

Audit / evidence tips

  • Ask: Network communication security configuration reports. Request documentation detailing what protocols are currently in use for data transmission. Good: Would have only ASD-approved protocols listed with updated versions.
  • Ask: Training attendance records. Request records of training attended by staff on secure communication practices. Good: Would show regular training attendance with up-to-date content.
  • Ask: Procurement documentation. Request specifications from recent purchases of software and systems. Good: Would have explicit mentions of ASD protocol compliance.
  • Ask: Policy review logs. Request copies of encryption policy reviews and updates. Good: Includes a recent review date with notes on any updated measures.
  • Ask: Monitoring system output. Request logs or alerts from tools monitoring network traffic for encryption compliance. Good: Shows active monitoring and no unresolved alerts.

Cross-framework mappings

How ISM-0469 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.20: ISM-0469 requires that an ASD-Approved Cryptographic Protocol (or high assurance cryptographic protocol) is used to protect data when it ...

Partially overlaps (1)

  • Annex A 8.24: ISM-0469 requires the use of ASD-Approved Cryptographic Protocols (or high assurance cryptographic protocols) to protect data communicate...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
