ISM-0475 ASD Information Security Manual (ISM)

Use P-384 Curve for Secure Digital Signatures

Ensure stronger digital signature security by using ECDSA with a key size of at least 224 bits, ideally the P-384 curve.

Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P
ISM last updated: Nov 2024
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A

Official control statement
When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using a specific method for signing digital documents to ensure they are authentic and haven't been altered. It's important because if digital signatures aren't strong, someone could fake documents, leading to security breaches and potential fraud.

Why it matters

Using ECDSA with too-small keys or weaker curves can enable signature forgery, undermining integrity and trust in signed data and documents.

Operational notes

Regularly verify that ECDSA uses at least a 224-bit key, aiming for P-384, to maintain signature strength and stay compliant.
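
One way to run this check against a public key, as an added example that is not part of the original page or of the ISM: the script reads the named curve from a PEM SubjectPublicKeyInfo and grades it against the control statement. The function names, verdict strings and curve table are assumptions of this example, and the sample keys are constructed with placeholder all-zero points.

```python
import base64

EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
# DER-encoded named-curve OID -> (curve name, base point order size in bits)
CURVES = {
    bytes.fromhex("2a8648ce3d030101"): ("P-192", 192),
    bytes.fromhex("2b81040021"): ("P-224", 224),
    bytes.fromhex("2a8648ce3d030107"): ("P-256", 256),
    bytes.fromhex("2b81040022"): ("P-384", 384),
    bytes.fromhex("2b81040023"): ("P-521", 521),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_ec_public_key(pem):
    """Return (curve, order_bits, verdict) for a PEM SubjectPublicKeyInfo."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, spki, _ = read_tlv(base64.b64decode(b64), 0)
    _, alg_id, _ = read_tlv(spki, 0)
    tag, alg_oid, pos = read_tlv(alg_id, 0)
    if tag != 0x06 or alg_oid != EC_PUBLIC_KEY:
        return ("not-ec", 0, "not applicable")
    tag, curve_oid, _ = read_tlv(alg_id, pos)
    if tag != 0x06 or curve_oid not in CURVES:
        return ("unknown", 0, "review manually")  # explicit parameters or unlisted curve
    name, bits = CURVES[curve_oid]
    if name == "P-384":
        return (name, bits, "preferred")
    return (name, bits, "meets minimum" if bits >= 224 else "non-compliant")

def sample_pem(curve_oid, coord_len):
    """Constructed sample: real SPKI layout, placeholder all-zero point."""
    def tlv(tag, val):  # short-form lengths only (values under 128 bytes)
        return bytes([tag, len(val)]) + val
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x06, curve_oid))
    der = tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(2 * coord_len)))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----"

if __name__ == "__main__":
    for oid, size in [("2a8648ce3d030101", 24), ("2a8648ce3d030107", 32), ("2b81040022", 48)]:
        print(classify_ec_public_key(sample_pem(bytes.fromhex(oid), size)))
```

A curve outside the table, or a key that carries explicit parameters instead of a named-curve OID, is returned as "review manually" rather than guessed at.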

Implementation tips

  • IT managers should ensure that their systems use the P-384 curve for digital signatures. Do this by reviewing the system settings or consulting with a trusted IT provider to confirm that this curve is used and correctly configured.
  • Ask vendors for documentation or a demonstration of how their system implements this specific signing method.
  • System administrators should regularly update their cryptographic libraries to ensure they support the P-384 curve. This can involve downloading the latest updates from your software provider or checking with the vendor for upgrade instructions.
  • IT security consultants should conduct an annual audit of the company's digital signature processes to verify the use of the P-384 curve. This involves examining software settings and configurations in use across all systems.
  • Training coordinators should conduct training for relevant staff on why using secure digital signatures is crucial. Create materials explaining the risks of not using the P-384 curve, and demonstrate how to check if systems are compliant.

Audit / evidence tips

  • Ask: for the system configuration files that specify digital signature algorithms.

    Good: the settings explicitly mention that the P-384 curve is applied.

  • Good: documentation from the vendor details compliance with the P-384 curve requirement.

  • Ask: to see records of security audits conducted on digital signature processes.

    Good: an audit report states that the P-384 curve is in use and adequately implemented.

  • Good: records show regular updates supporting P-384 curve compliance.

  • Ask: for training records for staff involved in the digital signature process.

    Good: a training schedule or completion certificates show that staff understand the importance of using the P-384 curve.

Cross-framework mappings

How ISM-0475 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-0475 requires organisations to use sufficiently strong ECDSA parameters for digital signatures (at least 224-bit order/key size, pref...
