Ensure Secure Email Transmission via Gateways
Emails should be sent through secure and encrypted channels using central gateways.
Plain language
This control ensures that when you're sending or receiving emails, they're going through a central system that makes sure they're both encrypted and authenticated. It matters because if emails aren't transmitted securely, sensitive information could be exposed to cybercriminals, leading to data breaches and loss of trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisation's centralised email gateways.
Why it matters
Without secure email gateways, intercepted emails expose sensitive data, risking breaches and damaging organisational trust.
Operational notes
Regularly verify that MX records and client submission settings route all mail through the central gateways, and that the gateways enforce an authenticated, encrypted transport: TLS with certificate verification (not opportunistic TLS, which silently falls back to plaintext) for gateway-to-gateway traffic, and SMTP AUTH over TLS for user submission.
Implementation tips
- Email service providers should make sure all outgoing and incoming emails pass through a secured central gateway. In practice this means publishing MX records that point only at the gateway hosts, configuring mail clients to submit through the gateway (typically port 587 with SMTP AUTH), and blocking direct outbound SMTP from user endpoints so the gateway cannot be bypassed.
- IT managers should configure the central email gateways to enforce encryption. Enabling Transport Layer Security (TLS) on the gateway protects email data in transit, but only if it is required rather than merely offered: the gateway should refuse plaintext delivery on the protected paths, verify the certificate of the peer it connects to, and disable legacy protocol versions. Publishing an MTA-STS policy (or DANE records) tells remote senders to do the same when delivering to you.
- Business owners should ensure their staff are using approved email services only. They can do this by communicating to employees which email systems are authorised and spot-checking to make sure personal accounts aren't being used.
- System administrators should regularly update the gateway software to protect against new vulnerabilities. This involves checking for updates from the software vendor and applying them as soon as possible.
- IT departments should implement and test the gateway's authentication systems regularly. For the channel this control describes, that means user submission is accepted only after SMTP AUTH over TLS, and gateway-to-gateway sessions verify the peer certificate against the expected hostname. Periodic tests should confirm the controls hold: attempt an unauthenticated submission and a plaintext delivery and verify both are rejected.
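The operational note and the implementation tips above describe a recurring verification: mail must route through the approved gateways, and each gateway must offer an authenticated, encrypted channel. The script below is an added example written for this page, not code from the ISM or from any gateway vendor. It assumes hypothetical gateway hostnames (`mx1.gateway.example.org`, `mx2.gateway.example.org`), a TLS 1.2 floor, and constructed sample DNS and MTA-STS data; the offline checks flag any MX target outside the gateway set and any MTA-STS policy that is missing, malformed, not in enforce mode, or listing unapproved hosts. The live probe, which needs network access, additionally confirms that a gateway offers STARTTLS and presents a certificate that validates for its hostname.

```python
"""Verification for ISM-0571: does mail for a domain route only through the
approved central gateways, and does each gateway offer an authenticated,
encrypted channel?  Example code for this page; gateway names, the TLS floor
and the sample data are assumptions, not values from the ISM."""
import smtplib
import ssl
from dataclasses import dataclass

# Hypothetical approved gateway hostnames (assumption; replace with your own).
APPROVED_GATEWAYS = {"mx1.gateway.example.org", "mx2.gateway.example.org"}

# TLS versions accepted for the channel (assumption: 1.2 or newer).
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def check_mx_routing(mx_hosts, approved=APPROVED_GATEWAYS):
    """Every MX target must be an approved gateway; any other host is a path
    by which inbound mail bypasses the central gateway."""
    if not mx_hosts:
        return [Finding("mx", False, "no MX records published")]
    return [Finding("mx", host.rstrip(".").lower() in approved, host)
            for host in mx_hosts]


def parse_mta_sts(policy_text):
    """Parse an MTA-STS policy (RFC 8461 'key: value' lines).  Returns None
    when the mandatory version/mode fields are missing or invalid."""
    policy = {"mx": []}
    for raw in policy_text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in {"enforce", "testing", "none"}:
        return None
    return policy


def _pattern_is_approved(pattern, approved):
    # An exact name must itself be approved.  A "*.domain" entry is accepted
    # only when it covers every approved gateway, i.e. it names the gateway
    # fleet's own domain rather than some broader one.
    if pattern.startswith("*."):
        return all(h.endswith(pattern[1:]) for h in approved)
    return pattern in approved


def check_mta_sts(policy_text, approved=APPROVED_GATEWAYS):
    """The policy must be in enforce mode (remote senders then refuse to
    deliver unless the gateway presents a valid certificate over TLS) and
    must list only approved gateways.  A missing policy leaves senders free
    to fall back to plaintext."""
    policy = parse_mta_sts(policy_text)
    if policy is None:
        return [Finding("mta-sts", False, "policy missing or malformed")]
    findings = [Finding("mta-sts-mode", policy["mode"] == "enforce", policy["mode"])]
    findings += [Finding("mta-sts-mx", _pattern_is_approved(p, approved), p)
                 for p in policy["mx"]]
    return findings


def probe_starttls(host, port=25, timeout=10):
    """Live check (needs network): connect, require STARTTLS, verify the
    certificate chain and hostname, and report the negotiated TLS version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return Finding("starttls", False, f"{host}: STARTTLS not offered")
            smtp.starttls(context=ctx)  # raises if the certificate is not valid for host
            version = smtp.sock.version()
            return Finding("starttls", version in ACCEPTED_TLS, f"{host}: {version}")
    except (OSError, smtplib.SMTPException) as exc:
        return Finding("starttls", False, f"{host}: {exc}")


def summarise(findings):
    """True only when every finding passed."""
    return all(f.ok for f in findings)


if __name__ == "__main__":
    # Constructed sample data standing in for a DNS MX lookup and an MTA-STS
    # policy fetch; the third MX host and the 'testing' mode are the defects.
    mx_records = ["mx1.gateway.example.org.", "mx2.gateway.example.org.",
                  "mail.legacy-host.example."]
    policy = ("version: STSv1\nmode: testing\nmx: mx1.gateway.example.org\n"
              "mx: mx2.gateway.example.org\nmax_age: 604800\n")
    findings = check_mx_routing(mx_records) + check_mta_sts(policy)
    # For a live run add: findings += [probe_starttls(h) for h in APPROVED_GATEWAYS]
    for f in findings:
        print(f"{'PASS' if f.ok else 'FAIL'} {f.check}: {f.detail}")
    print("overall:", "PASS" if summarise(findings) else "FAIL")
```

Run it on a schedule against each domain the gateways serve; the constructed sample fails on both the stray MX host and the MTA-STS policy left in testing mode, which is exactly the evidence an auditor asking for "a clear routing path through the gateway" wants to see recorded.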
Audit / evidence tips
- Ask: the email gateway configuration settings. Obtain documentation showing how email traffic is routed and encrypted.
  Good: includes a specified encryption method like TLS and a clear routing path through the gateway.
- Good: shows consistent updates aligned with vendor recommendations.
- Ask: a sample of email traffic logs from the gateway. Examine how email data is encrypted and authenticated during transmission.
  Good: shows logs indicating all emails go through the gateway with encryption.
- Good: features documented attendance and policy acknowledgment.
- Ask: to see the list of approved email services. Verify the list against used accounts.
  Good: confirms only authorised services are in active use.
Cross-framework mappings
How ISM-0571 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.14 (Information transfer) | ISM-0571 requires emails to be sent and received via an organisation's centralised email gateways using authenticated and encrypted channels |
| Supports | Annex A 8.24 (Use of cryptography) | ISM-0571 requires emails to traverse authenticated and encrypted channels via centralised email gateways |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.