Disable Unused IPv6 on Dual-Stack Devices
Turn off IPv6 capabilities on network devices unless they are actively being used.
Plain language
This control is about turning off IPv6 on devices that use both older and newer internet protocols unless the newer one is needed. This is important because leaving extra connections open on your network can expose your business to unnecessary risks, such as cyber-attacks that target unused pathways.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
IPv6 functionality is disabled in dual-stack network devices unless it is being used.
Why it matters
If IPv6 remains enabled but unused on dual-stack devices, attackers can exploit IPv6 paths to bypass IPv4 controls, enabling unauthorised access.
Operational notes
Audit dual-stack devices for IPv6 use; if not required, disable IPv6 on interfaces and OS stacks, and confirm monitoring and firewall rules cover any remaining IPv6.
Implementation tips
- System administrators should identify devices with IPv6 capabilities that are not currently being utilised. This involves listing all dual-stack devices and confirming which ones actively use IPv6. If IPv6 isn’t needed, it can be disabled to reduce potential vulnerabilities.
- IT teams should update device configuration settings to disable IPv6 where it's not required. They can do this by accessing device management interfaces and following manufacturer instructions for disabling IPv6.
- Network managers should regularly review the network infrastructure to ensure IPv6 remains disabled on unused devices. Set a regular schedule to check network configurations and verify if IPv6 has been activated only where necessary.
- Business owners should consult with IT support to understand the implications of IPv6 on their network. Arrange a meeting to discuss the business's internet protocol needs and ensure staff understand why disabling IPv6 can enhance security.
- IT staff should document the current configuration of all dual-stack devices, noting whether IPv6 has been disabled. This documentation helps in maintaining a clear record of network health and assists in future audits.
Audit / evidence tips
- Ask: a listing of all dual-stack devices in use by the organisation
  Good: displays a comprehensive device list with clear indicators showing IPv6 disabled where not needed
- Good: reveals that IPv6 is only enabled on devices where it’s documented as necessary
- Ask: regular review logs of network configurations tied to IPv6 usage. Check if a consistent review schedule is present and adhered to, and IPv6 status is recorded
  Good: shows these reviews happen as scheduled with findings acted upon
- Ask: meeting minutes or communication notes where IPv6 usage is discussed
  Good: includes documented discussions with action points for updating settings if needed
- Good: shows staff are informed and understand their role in ensuring network security
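One way to produce the evidence described above, as an added example that is not part of the ISM or of this page's original guidance: it compares captured interface state against a register of interfaces where IPv6 is documented as necessary and reports every interface that still carries an IPv6 address, including link-local-only ones. It assumes Linux-based devices that expose `ip -o addr show` output; the device names, addresses and register below are constructed sample data.

```python
import ipaddress

# Constructed sample data: `ip -o addr show` output from two hypothetical devices.
CAPTURES = {
    "edge-fw-01": r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
""",
    "core-rtr-01": r"""
2: eth0    inet6 2001:db8:10::1/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::5054:ff:feaa:bbcc/64 scope link \       valid_lft forever preferred_lft forever
""",
}
# Constructed register: interfaces where IPv6 use is documented as necessary.
DOCUMENTED_IPV6 = {"core-rtr-01": {"eth0"}}

def ipv6_addresses(ip_output):
    """Return (interface, address, scope) for each non-loopback IPv6 address."""
    found = []
    for line in ip_output.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[2] != "inet6":
            continue
        addr = ipaddress.ip_interface(tokens[3]).ip
        if addr.is_loopback:  # ::1 is not reachable from the network
            continue
        scope = tokens[tokens.index("scope") + 1] if "scope" in tokens else "unknown"
        found.append((tokens[1], str(addr), scope))
    return found

def audit(captures, documented):
    """List interfaces with IPv6 enabled that the register does not cover."""
    findings = []
    for device, output in captures.items():
        allowed = documented.get(device, set())
        for ifname, addr, scope in ipv6_addresses(output):
            if ifname not in allowed:
                findings.append((device, ifname, addr, scope))
    return sorted(findings)

if __name__ == "__main__":
    for device, ifname, addr, scope in audit(CAPTURES, DOCUMENTED_IPV6):
        print(f"{device} {ifname}: IPv6 enabled but not documented ({addr}, scope {scope})")
```

A link-local address on its own is enough for the finding: the interface will still process IPv6 traffic from the local segment even though no global address was ever assigned.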
Cross-framework mappings
How ISM-0521 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-0521 requires IPv6 functionality to be disabled on dual-stack network devices unless IPv6 is actively used, reducing the attack surfa... | |
| Related (1) | | |
| Annex A 8.20 | Annex A 8.20 requires networks and network devices to be securely configured and controlled to protect information and reduce attack surface | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.