Use Only High Assurance Cryptographic Algorithms
Ensure cryptographic tools use only ASD-approved or high-assurance algorithms for security.
Plain language
This control is about making sure that any tools or programs your business uses to secure information only rely on the most trusted and high-quality methods approved by the Australian Signals Directorate (ASD). This is important because using weak or outdated security can leave your information exposed to hackers and cybercriminals, which could lead to data breaches and potential financial and reputational damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment, applications and libraries.
Why it matters
Using non-high assurance or deprecated cryptography can let attackers decrypt protected data, causing confidentiality loss, breaches, and financial and reputational damage.
Operational notes
Regularly verify crypto libraries and configurations use only ASD-approved/AACA algorithms and approved key sizes; remove deprecated ciphers and protocols from builds.
Implementation tips
- Ask the software vendor for documentation or a statement confirming their compliance.
- IT teams should review current software and applications to confirm they use high-assurance cryptography. This involves checking the documentation or configuration settings where cryptographic methods are described.
- Managers responsible for procurement should include a requirement for ASD-approved cryptographic algorithms in contracts with software vendors. Clearly specify this requirement in the 'Security Requirements' section of any new software procurement agreements.
- HR should train staff on the importance of using software that complies with these high standards. Organise regular awareness sessions to remind staff why we only trust ASD-approved methods for handling sensitive data.
- System administrators should regularly update software to ensure they are using the latest cryptographic standards. Set reminders for routine checks and software updates to maintain up-to-date security protocols.
Audit / evidence tips
- Ask for the cryptographic policy document: Request the organisation's policy on using ASD-approved cryptographic algorithms. Good policy will include clear guidelines on approved tools and practices.
- Ask for vendor compliance reports: Request reports or statements from software vendors verifying the use of ASD-approved algorithms. Check these documents for specifics on the cryptographic methods used. Good reports will mention compliance specifically with ASD criteria.
- Ask for training records: Review records of staff training sessions on cybersecurity and cryptographic awareness.
- Ask for software audit logs: Request logs or reports that show which cryptographic algorithms are in use. Examine these logs for consistency and adherence to approved algorithms. Good logs will show only ASD-approved methods being used consistently.
- Ask for approval records: Request evidence of authorisation for the use of cryptographic tools.
Cross-framework mappings
How ISM-0471 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-0471 requires that only AACAs or other high assurance cryptographic algorithms are used by cryptographic equipment, applications and ... |
| Supports | Annex A 8.26 | ISM-0471 requires the use of only high assurance cryptographic algorithms in cryptographic equipment, applications and libraries |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.