ISM-0610, ASD Information Security Manual (ISM)

Train Users on Secure Use of CDSs

Users must be trained on securely using CDSs before they can access them.

Plain language

Before anyone can use cross domain solutions (CDSs), they need to be trained on how to use them safely. This matters because without proper training, they might accidentally expose sensitive information or allow malicious software to move across secure and less secure areas of the network.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Users are trained on the secure use of CDSs before access is granted.
ASD Information Security Manual (ISM), ISM-0610

Why it matters

Without CDS secure-use training, users may unintentionally cause data leakage or transfer malware between security domains.

Operational notes

Require CDS training before granting access; refresh content for CDS procedures and threats, and record completion and assessment results.

Implementation tips

  • Managers should organise a training session for all users who need access to CDSs. Partner with a knowledgeable IT professional who can create and deliver the session, focusing on the secure use and unique risks of CDSs.
  • The IT team should develop user-friendly training materials on how to securely operate CDSs. Use clear language and concrete examples to illustrate potential risks and best practices for avoiding them.
  • HR should maintain a training schedule and track attendance to ensure that all employees who require access to CDSs have completed their training before receiving access credentials.
  • System administrators should establish a user certification program so that only trained individuals are granted access to CDSs. Implement a simple online quiz or practical assessment to confirm users have understood the training.
  • The IT support team should provide ongoing support and refresher courses to ensure users remain knowledgeable about the secure use of CDSs. Schedule annual reviews of user knowledge and update training materials as needed.

Audit / evidence tips

  • Ask: The user training schedule and records. Request documentation showing all scheduled training sessions and the list of attendees. Good: Includes well-documented and up-to-date attendance records for all authorised users.
  • Ask: A copy of the training materials. Request access to the slides, handouts, or video recordings used in the CDS training sessions.
  • Ask: Confirmation of user certification. Request documentation that certifies users have passed training assessments. Good: Includes certificates or records showing active status of user certifications.
  • Ask: Follow-up training logs. Request details of any refresher training sessions or support activities provided post-initial training. Check that these activities are conducted regularly. Good evidence is clear records showing ongoing training and support resources.
  • Ask: Feedback from training participants. Request summaries of feedback collected from past training sessions. Good: Shows documented adjustments in response to user feedback.

Cross-framework mappings

How ISM-0610 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Control: Annex A 6.3. Notes: ISM-0610 requires users to be trained on the secure use of Cross Domain Solutions (CDSs) before access is granted.

Supports (1)

  • Control: Annex A 5.10. Notes: ISM-0610 requires users to be trained on the secure use of CDSs before access is granted.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
