Ensure S/MIME 3.0 or Later is Used
Only use S/MIME version 3.0 or later for secure email communications.
Plain language
Imagine sending an important letter through the post. You'd want to make sure only the person it's meant for can open it, right? Using the right version of S/MIME (3.0 or later) for your emails is like sealing that letter - it protects the contents so only the intended person can read it. If you use an older version, it's like sending your letter with a faulty lock, and others could read or even change your message.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections.
Why it matters
Using S/MIME versions earlier than 3.0 can weaken email protection, enabling message interception, downgrade attacks, or tampering.
Operational notes
Configure mail clients/servers to require S/MIME v3.0+ only; disable older S/MIME options and confirm in client/server settings.
Implementation tips
- Email administrators should check the current email system settings to ensure S/MIME is enabled and set to version 3.0 or later. Start by reviewing the email system's encryption settings and confirm the version number in the documentation or system settings.
- The IT team should conduct regular training for staff to explain how S/MIME works and why the specific version is important. This can be done through workshops where they demonstrate how to check if an email is encrypted properly using the right S/MIME version.
- Procurement should ensure that when purchasing email software or services, the products support S/MIME 3.0 or later. This involves checking technical specifications and confirming with vendors that their product meets this requirement.
- System owners should collaborate with IT to perform periodic checks on emails sent from the organisation to ensure they are encrypted with the correct version of S/MIME. This involves using email testing tools or scripts that can check the security features of outgoing emails.
- Network administrators should integrate continuous monitoring systems to alert if any email traffic does not conform to the proper S/MIME version. Set up alerts through existing monitoring tools to flag emails that do not meet the encryption standards.
Audit / evidence tips
- Ask for the configuration settings of the email system: request documentation or screen captures that show the S/MIME setup.
  Good evidence: the presence of settings showing S/MIME 3.0 or later is the default.
- Ask for records of email security training sessions: request the dates and content of any training held to educate staff on S/MIME.
  Good evidence: regularly scheduled training with updated content on secure email practices.
- Ask for purchase records of email software: request documentation for software purchases related to email systems.
  Good evidence: clear vendor confirmation that product capabilities and specifications meet the control.
- Ask for logs or reports from email security tests: request logs showing the results of tests conducted on outgoing emails for S/MIME compliance.
  Good evidence: consistent reports showing adherence to the S/MIME version requirement.
- Ask to see alerts from the network monitoring system regarding email encryption: request a demonstration or printout of alerts related to the encryption status of email traffic.
  Good evidence: a lack of recent alerts, signifying compliance with S/MIME 3.0 or later.
Cross-framework mappings
How ISM-0490 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.14 | ISM-0490 requires organisations to prevent the use of S/MIME versions earlier than 3.0 for secure email connections | |
| Annex A 8.24 | ISM-0490 requires organisations to only use S/MIME version 3.0 or later, preventing weak/obsolete cryptographic message protection in email | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.