Manage Gateways Between Different Security Domains
Secure shared gateway components by assigning their management to system administrators of the higher security domain or to a trusted third party.
Plain language
When your business uses secure gateways between different networks, like a school connecting to an external education network, the parts these networks share should be managed by someone with a higher security clearance or a trusted outside expert. This matters because those shared components are the points where a compromise of the less secure network could spread to the more secure one; placing them under the more trusted administrators reduces the chance of a data breach or cyber attack through them.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually agreed upon third party.
Why it matters
If shared gateway components between different security domains are not administered by the higher-domain team or an agreed third party, administrators of the lower domain, or anyone who has compromised it, gain a path by which the higher domain may be compromised.
Operational notes
Ensure any shared gateway components are administered by the higher security domain team or an agreed third party, with documented responsibilities and access controls.
Implementation tips
- Assign a security lead: The business owner or manager should appoint a security lead to oversee the management of gateways. This person could be an internal IT staff member with high security clearance or an external expert like a trusted IT consultancy.
- Engage a trusted third party: If internal expertise is limited, the business manager should contract a professional organization with a solid reputation in cybersecurity to manage the network gateways securely.
- Document management procedures: The IT team should create a clear set of procedures for managing the gateways. This document should detail who is responsible, what tasks they must perform, and how often the maintenance and review should occur.
- Regular security training: The HR department should organize cybersecurity training sessions for all staff, emphasizing the importance of properly managing network gateways and recognizing potential threats.
- Establish a review schedule: The IT lead should schedule regular reviews of gateway management practices, with a detailed checklist to ensure every aspect of security is under control. This helps catch any lapses early on.
Audit / evidence tips
- Ask for a gateway management policy document: Request the formal document that outlines how gateways between security domains are managed. Good evidence: A comprehensive document with roles, responsibilities, and protocols clearly outlined.
- Ask for security clearance records: Request records or certificates that prove the security clearance level of those managing the gateways. Good evidence: Up-to-date clearance records for all relevant personnel.
- Ask to see the contract with the external security company (if used): If a third party manages the gateway, request the contract or service agreement. Good evidence: A detailed contract specifying service scope, roles, security benchmarks, and terms.
- Ask for training records: Request records of the security training sessions for those involved in managing gateways. Good evidence: A log showing regular training sessions and updated training materials.
- Ask for maintenance and review logs: Request logbooks or digital records of maintenance checks on gateways. Good evidence: Comprehensive logs with regular entries detailing checks and findings.
Cross-framework mappings
How ISM-0629 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (5) | | |
| Annex A 5.21 | ISM-0629 requires trusted administration arrangements for shared components in gateways between different security domains, including the... | |
| Annex A 5.22 | ISM-0629 requires that if gateway components are shared between security domains, their management is controlled by the higher security d... | |
| Annex A 8.2 | ISM-0629 requires that shared gateway components between different security domains are managed by administrators from the higher securit... | |
| Annex A 8.20 | ISM-0629 requires that for gateways between different security domains, any shared components are administered by the higher security dom... | |
| Annex A 8.22 | ISM-0629 addresses governance of gateways that connect different security domains by mandating trusted administration of shared gateway c... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.