ISM-0569 ASD Information Security Manual (ISM)

Centralise Email Routing via Gateways

Emails are processed through central gateways for improved control and security.


Plain language

Centralising email routing through gateways means directing all your emails through a specific point where they are checked for security risks before reaching your inbox. This is important because it helps catch harmful emails, like those containing viruses or phishing attempts, before they can cause damage to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Emails are routed via centralised email gateways.
ASD Information Security Manual (ISM) ISM-0569

Why it matters

Without centralised email gateways, malicious emails can bypass defences, leading to data breaches and compromised business operations.


Operational notes

Ensure all inbound and outbound email is forced through the centralised gateway (e.g., MX and outbound relay), and block direct SMTP routes that bypass filtering.
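
One way to check for direct SMTP routes that bypass the gateway, as an added example (not part of the ISM or this page): it scans firewall connection records for allowed SMTP flows where neither endpoint is a gateway. The gateway addresses, internal range and log layout are assumptions, and the records are constructed.

```python
import ipaddress

# Assumed for illustration: gateway addresses, internal range, log layout.
GATEWAYS = {ipaddress.ip_address(a) for a in ("10.0.5.10", "10.0.5.11")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMTP_PORTS = {25, 465, 587}  # SMTP relay and submission ports

# Constructed firewall records: "<action> <src> <dst> <dst_port>"
SAMPLE_LOG = """\
ALLOW 10.0.5.10 203.0.113.25 25
ALLOW 10.0.7.44 198.51.100.9 25
ALLOW 10.0.6.20 10.0.5.10 25
DENY 10.0.7.45 198.51.100.9 587
ALLOW 192.0.2.77 10.0.6.20 25
ALLOW 192.0.2.80 10.0.5.11 25
ALLOW 10.0.7.44 198.51.100.9 443
truncated record
"""

def find_bypasses(log_text):
    """Return (kind, src, dst, port) for allowed SMTP flows that skip the gateway."""
    findings = []
    for line in log_text.splitlines():
        try:
            action, src_s, dst_s, port_s = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # malformed record: wrong field count, bad address or port
        if action != "ALLOW" or port not in SMTP_PORTS:
            continue  # blocked flows and non-mail traffic are not bypasses
        if src in GATEWAYS or dst in GATEWAYS:
            continue  # the flow passes through the central gateway
        src_in, dst_in = src in INTERNAL, dst in INTERNAL
        if src_in and not dst_in:
            # An internal host delivered mail straight to the internet.
            findings.append(("outbound-bypass", src_s, dst_s, port))
        elif dst_in and not src_in:
            # An external host reached an internal mail listener directly.
            findings.append(("inbound-bypass", src_s, dst_s, port))
    return findings

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print(*finding)
```

Any finding points at a firewall rule or MX record that still permits mail to flow around the gateway.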


Implementation tips

  • IT team should set up email gateways: They need to choose a trusted email gateway provider and configure the settings to route all incoming and outgoing emails through this gateway. This ensures that emails are scanned and filtered for threats before they reach your staff.
  • Office manager should communicate the change: Inform all employees that their emails will be routed through a central point and explain the benefits like reduced spam and increased security. Use an internal memo or a team meeting to ensure everyone understands the change.
  • IT team should integrate security protocols: Ensure that the gateway is configured to apply security measures such as virus scanning and phishing detection. This involves setting rules that automatically quarantine suspicious messages.
  • System administrator should monitor gateway performance: Regularly check the email flow and logs for any disruptions or breaches. Use the gateway's reporting tools to ensure it is effectively filtering threats.
  • IT team should provide training: Run a training session for staff on recognising email threats and how the gateway works to protect them. Use real-world examples of threats that have been caught by the gateway to illustrate its effectiveness.

Audit / evidence tips

  • Ask: The email gateway configuration document: Check this document to ensure that all company email accounts are routed through the gateway. Good: Has clear documentation showing all email accounts are covered, with security parameters appropriately set.
  • Good: Shows consistent threat detection actions over a period.
  • Ask: The incident response report: If a threat was detected, check how it was handled. Good: Shows a clear, timely response process and resolution for detected threats.
  • Good: Includes emails or memos with dates and distributed channels.
  • Ask: To see training attendance records: Check these records to ensure that staff received training about the email gateway and threat recognition. Good: Is full attendance and positive feedback from staff.

Cross-framework mappings

How ISM-0569 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Related (1)
Annex A 8.20: Annex A 8.20 requires secure management and control of network architecture and traffic handling to protect information in systems and ap...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
