ISM-0476

Ensuring Strong RSA Modulus for Digital Security

Use a minimum 2048-bit RSA modulus for better security in digital signatures and key transport.


Plain language

This control is about keeping your digital communications and important data secure by using strong keys for encryption and signing. If the lock on your front door were weak and easily broken, anyone could walk in; in the same way, a weak encryption key makes it easier for attackers to read or forge your information. Using a 2048-bit RSA modulus, or better still a 3072-bit one, puts a strong lock on your digital data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using RSA for digital signatures, and transporting encryption session keys (and similar keys), a modulus of at least 2048 bits is used, preferably 3072 bits.

Why it matters

RSA moduli shorter than 2048 bits, whether used for signatures or for session key transport, are within reach of factoring. A factored modulus lets an attacker forge signatures, decrypt the transported session keys and so compromise the protected data.


Operational notes

Inventory every use of RSA (signing and session key transport), enforce a modulus of at least 2048 bits (prefer 3072), and rotate or replace any key below that threshold.


Implementation tips

  • IT team should assess current encryption practices: The IT team needs to review all current systems where RSA is used to make sure the encryption keys are at least 2048 bits. They can do this by checking system configurations and discussing key lengths with software vendors.
  • Procurement should require strong modulus standards: When purchasing new software or systems that involve encryption, procurement officers should include a requirement for at least 2048-bit RSA modulus in their contracts. They can do this by adding specific language to purchase agreements and contracts.
  • System administrators need to configure settings: System administrators should change settings in the systems they manage to ensure that RSA keys are at least 2048 bits in length. This would involve going into system security settings and adjusting any predefined key lengths.
  • Security officers should provide training: Security officers should organise training sessions for IT staff about the importance of strong RSA moduli and how to implement them. This can be done through workshops or online training modules.
  • IT team should monitor compliance: Assign a member of the IT team to regularly check systems for compliance with the 2048-bit requirement. They can do this by setting reminders to perform periodic reviews of encryption practices and documenting any changes.
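A way to carry out the inventory and compliance checks above, as an added example that is not part of the Control Stack page or the ISM itself: a pure-Python audit that parses PEM "PUBLIC KEY" files (SubjectPublicKeyInfo), reads the RSA modulus size and classifies each key against the 2048-bit minimum and 3072-bit preference. The names `audit`, `classify` and `make_test_pem` are the example's own; the test keys it builds are constructed placeholders with a realistic modulus size only, not real keys.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, OID 1.2.840.113549.1.1.1
MINIMUM_BITS, PREFERRED_BITS = 2048, 3072      # thresholds stated by ISM-0476

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (e.g. 0x82 + 2 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus bit length of a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) RSA key."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, spki, _ = _read_tlv(der, 0)                 # SEQUENCE SubjectPublicKeyInfo
    _, alg, pos = _read_tlv(spki, 0)               # SEQUENCE AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)                  # OBJECT IDENTIFIER algorithm
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _read_tlv(spki, pos)            # BIT STRING subjectPublicKey
    _, rsapub, _ = _read_tlv(bitstr[1:], 0)        # skip unused-bits byte -> SEQUENCE RSAPublicKey
    _, modulus, _ = _read_tlv(rsapub, 0)           # INTEGER n (a leading 0x00 is harmless)
    return int.from_bytes(modulus, "big").bit_length()

def classify(bits):
    """Map a modulus size to the ISM-0476 outcome."""
    if bits < MINIMUM_BITS:
        return "non-compliant: rotate/replace"
    return "preferred" if bits >= PREFERRED_BITS else "compliant (minimum)"

def audit(inventory):
    """inventory maps a key name to its PEM text; returns {name: (bits, outcome)}."""
    return {name: (bits := rsa_modulus_bits(pem), classify(bits)) for name, pem in inventory.items()}
# Constructed test keys for offline use: only the modulus *size* is realistic, nothing else.
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def _der_int(i):  # (bit_length + 8) // 8 keeps the leading 0x00 DER needs when the top bit is set
    return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def make_test_pem(bits):
    n = (1 << (bits - 1)) | 1                      # placeholder modulus of exactly `bits` bits
    rsapub = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")   # rsaEncryption + NULL parameters
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsapub))
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(spki).decode() + "-----END PUBLIC KEY-----\n"
```

Calling `audit({"legacy-signing": make_test_pem(1024), "tls-transport": make_test_pem(3072)})` returns `{"legacy-signing": (1024, "non-compliant: rotate/replace"), "tls-transport": (3072, "preferred")}`; feed real PEM public keys exported from your systems in place of the constructed ones.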

Audit / evidence tips

  • Ask: encryption policy documents. Request the organisational policy that details encryption standards, including the minimum RSA modulus size. Good: a policy document that clearly states this requirement, with recent review dates.
  • Good: screenshot evidence or logs showing compliance with this key length.
  • Ask: procurement documentation that outlines the encryption requirements for new software purchases. Good: a checklist or requirement list that includes this specification.
  • Good: dated training materials and attendance records.
  • Ask: recent monitoring or audit reports that check compliance with the RSA modulus requirement. Good: a detailed report showing regular reviews and their outcomes.

Cross-framework mappings

How ISM-0476 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control

Annex A 8.24

Notes

Partially meets (1)

Details

ISM-0476 requires that RSA used for digital signatures and key transport uses a modulus of at least 2048 bits (preferably 3072 bits) to m...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
