Maintain Backup Email Gateways to Primary Standards
Alternative email gateways must be kept to the same standards as the main gateway to ensure consistency.
Plain language
Keeping backup email systems at the same standard as your primary email system is crucial, so they can step in seamlessly if the main system goes down. Without this, you risk weak spots that cyber threats could exploit, potentially leading to loss of important messages or data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for email
Section
Email gateways and servers
Official control statement
Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.
Why it matters
If backup email gateways aren’t maintained to the same standard as the primary gateway, failover may allow mail loss, misrouting or compromise, exposing sensitive data.
Operational notes
Regularly test failover and mail flow via the backup gateway; mirror configs, patches, filtering and logging with the primary gateway to prevent drift and gaps.
Implementation tips
- IT team should regularly review backup email configurations: Compare the security settings of backup email gateways to the primary one. Make any necessary changes to ensure they align with the latest security updates and protocols.
- IT team should conduct regular security audits: Schedule audits every six months to evaluate the performance and security of all email gateways. Use a checklist to ensure consistency with primary standards.
- Training team should educate employees: Develop a training session to remind staff about the procedures to follow if a switchover to backup email systems occurs. Ensure staff understand the importance of both systems being secure.
- System owners should collaborate with IT advisors: Meet quarterly to discuss any changes in security requirements or updates in threat landscapes that could affect email gateways. Adjust standards accordingly.
- IT team should document all gateway configurations: Keep detailed documentation of the settings and security features of both primary and backup email systems. Store them securely and review them to confirm they are accurate and up to date.
Audit / evidence tips
- Ask for configuration documents of both primary and backup email gateways: Request the technical specifications and setup files
  Good: consistent configurations adhering to current security protocols across both systems
- Ask for logs of security audits conducted on all gateways: Request records of recent security checks
  Good: regular audits resulting in updates or confirmations of security status
- Ask for staff training records on email gateway procedures: Request materials or attendance records from recent training sessions
  Good: comprehensive, regular training that reflects current protocol for using email systems
- Ask for incident response records involving email systems: Request documentation of any incident where backup systems were activated
  Good: shows smooth transitions with no security compromise or data loss
- Ask for meeting notes between IT and security teams: Request records of discussions on email security strategies
  Good: reflects proactive and coordinated security updates
Cross-framework mappings
How ISM-0570 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-0570 requires that any backup or alternative email gateways are maintained to the same security and operational standard as the prima... | |
| Supports (2) | | |
| Annex A 5.29 | ISM-0570 requires that backup or alternative email gateways are maintained to the same standard as the primary email gateway to avoid sec... | |
| Annex A 5.30 | ISM-0570 requires backup or alternative email gateways to be maintained to the same standard as the primary gateway so failover does not ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.