Ensure Use of High Assurance Cryptographic Protocols
Ensure only approved secure cryptographic protocols are used in equipment and software.
Plain language
To keep your data safe, you need to make sure that any systems or software you use are using the strongest locks available, known as high assurance cryptographic protocols. These are like super-secure codes that protect information so that only the right people can see it. If you don't use them, it's like having a flimsy lock on your front door, making it easier for hackers to break in and steal sensitive data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment, applications and libraries.
Why it matters
Failure to use high assurance cryptographic protocols can lead to data breaches, exposing sensitive information to unauthorised access.
Operational notes
Audit systems to ensure only AACPs/high assurance protocols (e.g., TLS 1.2/1.3) are enabled, disable deprecated suites, and validate libraries are configured to enforce them.
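One way to carry out the "validate libraries are configured to enforce them" step for Python's standard ssl module, as an added example that is not part of this control page or the ISM: a weak client context beside a hardened one, and an audit function that flags a protocol floor below TLS 1.2 or legacy cipher suites. The cipher string and the weak-cipher name markers are assumptions chosen for illustration, not an ASD-published list.

```python
import ssl
from typing import List

# TLS 1.2 is the floor this page cites for approved protocols (TLS 1.2/1.3).
MIN_APPROVED = ssl.TLSVersion.TLSv1_2
# Assumed name fragments that mark legacy or broken suites (illustrative list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ANON")


def weak_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: accepts any version the library supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: enforce TLS 1.2+ and restrict suites to AEAD + (EC)DHE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_APPROVED
    # Assumed cipher string: forward-secret AEAD suites only; legacy algorithms excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it enforces approved protocols."""
    findings = []
    if ctx.minimum_version < MIN_APPROVED:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2"
        )
    # get_ciphers() lists every TLS 1.2/1.3 suite the context would offer.
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"legacy cipher suite enabled: {name}")
    return findings


def enforces_approved(ctx: ssl.SSLContext) -> bool:
    """Audit verdict suitable for a compliance check script."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, "OK" if enforces_approved(ctx) else audit_context(ctx))
```

The same audit can be applied to any SSLContext an application or library hands out, which is how the "validate libraries" step is evidenced rather than assumed.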
Implementation tips
- The IT team should check each piece of software and system to ensure they are using approved cryptographic protocols. This can be done by reviewing the software documentation or user settings to confirm which protocols are being used.
- System owners should meet with IT professionals to identify which cryptographic protocols are approved and ensure these are implemented. They should document these protocols and regularly update them as per ASD guidelines.
- Managers should organise training sessions for staff, especially those in IT, to help them understand what high assurance cryptographic protocols are and why they're important. They can use resources from the Australian Cyber Security Centre (ACSC) to ensure everyone is aware of the latest standards.
- Procurement teams should ensure that any new software or hardware purchased can support high assurance cryptographic protocols. They should include this requirement in procurement contracts and verify vendor guarantees or specifications.
- The cyber security officer should conduct regular reviews to verify compliance with this control. This involves auditing systems periodically to ensure only high assurance cryptographic protocols are in use, using tools or trusted third-party reviews if necessary.
Audit / evidence tips
- Ask: a list of all cryptographic protocols currently in use on critical systems. Review this list to ensure it aligns with a documented list of approved protocols from ASD.
  Good: shows all systems using only protocols specified in the ASD-approved list.
- Good: shows clear contract terms and vendor compliance statements.
- Good: setup has these protocols activated by default and non-approved protocols blocked.
- Ask: to see reports from security audits or third-party assessments. Verify these reports include checks on cryptographic protocol usage in systems.
  Good: report offers clear evidence that current protocols match approved ones and highlights corrective actions if needed.
Cross-framework mappings
How ISM-0481 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | ISO 27001 control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-0481 requires that only approved high assurance cryptographic protocols (e.g |
| Supports | Annex A 5.14 | ISM-0481 requires the use of high assurance cryptographic protocols in cryptographic components to protect data in transit and related cr... |
| Supports | Annex A 8.9 | ISM-0481 requires systems to use only high assurance cryptographic protocols, which typically must be enforced via configuration (e.g |
| Supports | Annex A 8.25 | ISM-0481 requires that cryptographic software and libraries only use approved high assurance cryptographic protocols |
| Supports | Annex A 8.26 | ISM-0481 requires that applications and libraries use only approved high assurance cryptographic protocols |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.