ISM-0479 policy ASD Information Security Manual (ISM)

Avoid Using ECB Mode for Symmetric Encryption

Symmetric encryption should not use ECB mode as it is less secure.


Plain language

When we encrypt information, we're scrambling it so that only people with the right key can read it. Think of encryption like a secret code for your private data. This control means we shouldn't use a specific way of scrambling called 'ECB mode' because it's like using the same simple pattern for everything, which makes it easier for criminals to see what's going on in our data - like cracking a repetitive code in a puzzle book.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.

Why it matters

Because ECB mode encrypts every block independently under the same key, identical plaintext blocks always produce identical ciphertext blocks. Repeated plaintext patterns are therefore visible in the ciphertext, enabling traffic analysis and increasing the chance of data compromise.


Operational notes

Prohibit ECB in cryptographic libraries and configuration; enforce AEAD modes (AES-GCM or AES-CCM) and add tests and scans that detect and block ECB usage in builds.
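To make the leak described under "Why it matters" measurable, and to sketch the build-time check the operational notes call for, here is an added Go example that is not part of the ISM or of this control page: it encrypts four identical 16-byte plaintext blocks with the raw AES block function (ECB, the prohibited construction) and with AES-GCM, then counts repeated ciphertext blocks. The key and plaintext are constructed sample values; a real build check would feed the organisation's own encryption library a repetitive input and fail if any ciphertext block repeats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// duplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier one. Under ECB,
// equal plaintext blocks encrypt identically, so a build test can use this count to flag ECB.
func duplicateBlocks(ct []byte) int {
	seen, blocks := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
		blocks++
	}
	return blocks - len(seen)
}

// encryptECB applies the raw block function block by block: the construction ISM-0479
// prohibits, included only so the leak can be measured. pt must be a whole number of blocks.
func encryptECB(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:], pt[i:]) // crypto/aes panics on a trailing partial block
	}
	return ct
}

// encryptGCM is the AEAD mode the operational notes call for: a fresh random nonce per
// message hides plaintext structure and the authentication tag detects tampering.
func encryptGCM(block cipher.Block, pt []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(block) // only fails for non-16-byte block ciphers; AES is 16
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key, not for real use
	pt := bytes.Repeat([]byte("SAME-16-BYTE-BLK"), 4)    // four identical plaintext blocks
	gcm, _ := encryptGCM(block, pt)
	fmt.Println("repeated ciphertext blocks: ECB", duplicateBlocks(encryptECB(block, pt)), "GCM", duplicateBlocks(gcm))
}
```

Running it prints three repeated blocks for ECB and none for GCM; the same plaintext is in both cases, only the mode differs.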


Implementation tips

  • IT team should review current encryption practices: Identify if any systems use the ECB mode for encryption. Do this by checking current encryption software settings and documentation.
  • System owners should collaborate with IT: Replace ECB mode if found with a more secure mode, like CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode). Request assistance from cybersecurity experts if needed.
  • Managers should ensure all staff understand the importance of strong encryption: Organise regular training sessions so employees grasp why certain encryption modes, like ECB, aren't secure.
  • Procurement should coordinate with IT when purchasing encryption tools: Ensure new products support recommended encryption modes and comply with Australian Signals Directorate (ASD) guidelines.
  • Compliance officers should establish a regular review schedule: Set up annual or bi-annual reviews of encryption methods used across systems to ensure compliance with security standards.

Audit / evidence tips

  • Ask: The list of encryption methods currently in use. Verify this list with the IT department. Good: No mention of ECB mode in the current methods.
  • Good: Includes explicit prohibition of ECB mode.
  • Ask: Training records. Good: Reflects regular training sessions that highlight why ECB mode is not suitable.
  • Good: Outcome shows avoidance of ECB mode and usage of recommended modes like CBC or GCM.
  • Ask: Supplier compliance proof when purchasing encryption products. Good: Includes confirmation that products support secure modes and exclude ECB.

Cross-framework mappings

How ISM-0479 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.24: ISM-0479 requires that symmetric cryptographic algorithms are not used in Electronic Codebook (ECB) mode.

Supports (1)

  • Annex A 8.27: ISM-0479 requires that symmetric encryption is not implemented using ECB mode, to avoid known confidentiality weaknesses (pattern leakage).

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
