Use Only High Assurance Cryptographic Algorithms
Ensure cryptographic tools use only ASD-approved or high-assurance algorithms for security.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment, applications and libraries.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that any tools or programs your business uses to secure information only rely on the most trusted and high-quality methods approved by the Australian Signals Directorate (ASD). This is important because using weak or outdated security can leave your information exposed to hackers and cybercriminals, which could lead to data breaches and potential financial and reputational damage.
Why it matters
Using non-high assurance or deprecated cryptography can let attackers decrypt protected data, causing confidentiality loss, breaches, and financial and reputational damage.
Operational notes
Regularly verify crypto libraries and configurations use only ASD-approved/AACA algorithms and approved key sizes; remove deprecated ciphers and protocols from builds.
Implementation tips
- Ask the software vendor for documentation or a statement confirming their compliance.
- IT teams should review current software and applications to confirm they use high-assurance cryptography. This involves checking the documentation or configuration settings where cryptographic methods are described.
- Managers responsible for procurement should include a requirement for ASD-approved cryptographic algorithms in contracts with software vendors. Clearly specify this requirement in the 'Security Requirements' section of any new software procurement agreements.
- HR should train staff on the importance of using software that complies with these high standards. Organise regular awareness sessions to remind staff why we only trust ASD-approved methods for handling sensitive data.
- System administrators should regularly update software to ensure it uses the latest cryptographic standards. Set reminders for routine checks and software updates to maintain up-to-date security protocols.
Audit / evidence tips
- Ask for the cryptographic policy document: Request the organisation's policy on using ASD-approved cryptographic algorithms. Good: the policy will include clear guidelines on approved tools and practices.
- Ask for vendor compliance reports: Request reports or statements from software vendors verifying the use of ASD-approved algorithms. Check these documents for specifics on the cryptographic methods used. Good reports will mention compliance specifically with ASD criteria.
- Ask for training records: Review records of staff training sessions on cybersecurity and cryptographic awareness.
- Ask for software audit logs: Request logs or reports that show which cryptographic algorithms are in use. Examine these logs for consistency and adherence to approved algorithms. Good logs will show only ASD-approved methods being used consistently.
- Ask for approval records: Request evidence of authorisation for the use of cryptographic tools.
Cross-framework mappings
How ISM-0471 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-0471 requires that only AACAs or other high assurance cryptographic algorithms are used by cryptographic equipment, applications and ... |
| Annex A 8.26 | Supports | ISM-0471 requires the use of only high assurance cryptographic algorithms in cryptographic equipment, applications and libraries |