Restrict Data Flows with Authorised Gateways
Gateways should block any data transfers not specifically approved.
Plain language
This control means that any data transfers in your organisation should only happen through pre-approved routes to prevent sensitive information from leaking out. It's like having a secure gate that only opens for visitors you've personally invited. Without this, your confidential data could end up in the wrong hands, leading to privacy breaches and loss of trust from customers and partners.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Gateways only allow explicitly authorised data flows.
Why it matters
If gateways don’t restrict data flows to authorised routes, unauthorised transfers can cause data leakage, breaches and loss of trust.
Operational notes
Regularly review gateway rules/ACLs and the approved data-flow list so only explicitly authorised flows are permitted; remove obsolete paths.
Implementation tips
- The IT team should map out all the data pathways that the business currently uses. They need to document this by creating a network diagram showing where data enters and leaves the organisation, and note any potential risks. This ensures you know exactly where sensitive information travels.
- Managers should decide which data flows are essential. They can work with the IT team to identify which data transfers are necessary for business operations and which are not. This can be achieved through meetings where business processes are reviewed to determine the essential data flows.
- The IT team should configure gateways to restrict data flows. They should use firewall rules or similar technologies to ensure that only approved data paths are operational, and block all others. This is done by setting up software or hardware that checks the data’s 'destination address' and 'sender' before allowing it to pass.
- System owners should implement a regular review system for data flow approvals. They must set up a schedule, perhaps quarterly, to revisit and authorise existing data pathways. This can involve checking logs and reports generated by the gateways to affirm that only authorised paths are used.
- The HR team should train staff on the importance of data flow restrictions. Organise training sessions to ensure that all employees understand why certain data flows are restricted and what to do if they suspect unauthorised transfers. Use real-world scenarios to make the impact relatable.
Audit / evidence tips
-
Askthe data flow approval documentation: Request a record of all authorised data flows including who approved them. Look to see that every pathway has a documented business reason and authorising signature
Goodis a complete list with dates, reasons, and approvers’ details
-
Askto see the network diagram: Request to view the organisational data flow map
Gooddiagram will show current data pathways with highlighted approved routes
-
Askthe firewall or gateway configuration report: Request documentation of the firewall rules or gateway settings
Goodincludes logs that confirm only the sanctioned data flows are being used
-
Asklogs of recent data flow activity: Request logs or reports that show recent data flows through the gateways
Goodshows regular blocking of unauthorised attempts, with time stamps and alerts
-
Askabout employee awareness programs: Request evidence of recent training sessions on data flow policies
Goodis a documented training program that notes participant understanding and feedback
Cross-framework mappings
How ISM-0631 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-0631 requires gateways to only allow explicitly authorised data flows and to block all other transfers | |
| handshake Supports (2) expand_less | ||
| Annex A 8.22 | ISM-0631 requires gateways to enforce explicitly authorised data flows and block all unauthorised transfers | |
| Annex A 8.33 | Annex A 8.33 requires management of test information to avoid unauthorised disclosure or misuse | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.