Avoid Using ECB Mode for Symmetric Encryption
Symmetric encryption should not use ECB mode as it is less secure.
Plain language
When we encrypt information, we're scrambling it so that only people with the right key can read it. Think of encryption like a secret code for your private data. This control means we shouldn't use a specific way of scrambling called 'ECB mode' because it's like using the same simple pattern for everything, which makes it easier for criminals to see what's going on in our data - like cracking a repetitive code in a puzzle book.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
Why it matters
Using ECB mode reveals repeated plaintext patterns in ciphertext, enabling traffic analysis and increasing the chance of data compromise.
Operational notes
Prohibit ECB in libraries/configs; enforce AEAD modes (AES-GCM/CCM) and add tests/scans to detect and block ECB usage in builds.
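As an added example (not part of this control page or the ISM itself), the following Python script shows two of the checks the operational note calls for: a build-time scan that flags ECB usage in source and configuration lines, and a ciphertext heuristic for test suites that reports repeated cipher blocks, the signature of the pattern leakage described above. The patterns, sample lines and sample ciphertext are constructed for illustration and are assumptions, not taken from any real code base.

```python
import re

# Constructed patterns for ECB usage in common libraries and tools.
# Each entry is (reason, compiled regex); extend for your own code base.
ECB_PATTERNS = [
    ("JCA transformation string", re.compile(r"AES/ECB", re.IGNORECASE)),
    ("PyCryptodome MODE_ECB", re.compile(r"\bMODE_ECB\b")),
    ("python 'cryptography' modes.ECB", re.compile(r"modes\.ECB\(")),
    ("OpenSSL cipher name", re.compile(r"aes-\d{3}-ecb", re.IGNORECASE)),
    ("OpenSSL EVP API", re.compile(r"EVP_aes_\d{3}_ecb")),
    ("config mode value", re.compile(r"mode\s*[:=]\s*['\"]?ecb\b", re.IGNORECASE)),
]

# Constructed sample input: a mix of source and config lines (not real code).
SAMPLE_SOURCE = """\
cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher = AES.new(key, AES.MODE_ECB)
aesgcm = AESGCM(key)
encryption.mode = ecb
openssl enc -aes-256-ecb -in secrets.txt
cipher = Cipher.getInstance("AES/GCM/NoPadding");
""".splitlines()


def scan_lines(lines):
    """Return (line_number, reason, text) for every line that uses ECB mode.

    Intended to run in CI over source and config files; a non-empty result
    should fail the build.
    """
    findings = []
    for lineno, text in enumerate(lines, start=1):
        for reason, pattern in ECB_PATTERNS:
            if pattern.search(text):
                findings.append((lineno, reason, text))
                break  # one finding per line is enough to block the build
    return findings


def duplicate_block_count(ciphertext, block_size=16):
    """Number of cipher blocks that repeat an earlier block.

    Under ECB, identical plaintext blocks encrypt to identical ciphertext
    blocks, so any repetition is a red flag; a well-used mode (CBC, CTR,
    GCM) makes repeats as unlikely as random data.
    """
    blocks = [ciphertext[i:i + block_size]
              for i in range(0, len(ciphertext) - len(ciphertext) % block_size, block_size)]
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext, block_size=16):
    """True when the ciphertext shows the repeated-block pattern of ECB."""
    return duplicate_block_count(ciphertext, block_size) > 0


# Constructed stand-in for ECB output of a plaintext with repeated blocks:
# four copies of one cipher block followed by two copies of another.
FAKE_ECB_CIPHERTEXT = (b"\x11" * 16) * 4 + (b"\x22" * 16) * 2
# Constructed stand-in for output of a sound mode: six distinct blocks.
DISTINCT_BLOCK_CIPHERTEXT = bytes(range(96))


if __name__ == "__main__":
    for lineno, reason, text in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: ECB usage ({reason}): {text}")
    print("fake ECB output repeated blocks:", duplicate_block_count(FAKE_ECB_CIPHERTEXT))
    print("distinct-block output repeated blocks:",
          duplicate_block_count(DISTINCT_BLOCK_CIPHERTEXT))
```

The scan is deliberately string-based so it runs on any language or config format in the repository; the block-repetition check is a heuristic for test suites, useful as a guard on encryption helpers whose output is available to a test, and it cannot prove a mode is sound, only catch the ECB signature.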
Implementation tips
- IT team should review current encryption practices: Identify if any systems use the ECB mode for encryption. Do this by checking current encryption software settings and documentation.
- System owners should collaborate with IT: Replace ECB mode if found with a more secure mode, like CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode). Request assistance from cybersecurity experts if needed.
- Managers should ensure all staff understand the importance of strong encryption: Organise regular training sessions so employees grasp why certain encryption modes, like ECB, aren't secure.
- Procurement should coordinate with IT when purchasing encryption tools: Ensure new products support recommended encryption modes and comply with Australian Signals Directorate (ASD) guidelines.
- Compliance officers should establish a regular review schedule: Set up annual or bi-annual reviews of encryption methods used across systems to ensure compliance with security standards.
Audit / evidence tips
- Ask: the list of encryption methods currently in use. Verify this list with the IT department.
  Good: no mention of ECB mode in the current methods.
- Good: includes explicit prohibition of ECB mode.
- Ask: training records.
  Good: reflects regular training sessions that highlight why ECB mode is not suitable.
- Good: outcome shows avoidance of ECB mode and usage of recommended modes like CBC or GCM.
- Ask: supplier compliance proof when purchasing encryption products.
  Good: includes confirmation that products support secure modes and exclude ECB.
Cross-framework mappings
How ISM-0479 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-0479 requires that symmetric cryptographic algorithms are not used in Electronic Codebook (ECB) mode |
| Supports | Annex A 8.27 | ISM-0479 requires that symmetric encryption is not implemented using ECB mode to avoid known confidentiality weaknesses (pattern leakage) |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.