ISM-0631 (policy control, ASD Information Security Manual (ISM))

Restrict Data Flows with Authorised Gateways

Gateways should block any data transfers not specifically approved.


Plain language

This control means that any data transfers in your organisation should only happen through pre-approved routes to prevent sensitive information from leaking out. It's like having a secure gate that only opens for visitors you've personally invited. Without this, your confidential data could end up in the wrong hands, leading to privacy breaches and loss of trust from customers and partners.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Gateways only allow explicitly authorised data flows.

Why it matters

If gateways don’t restrict data flows to authorised routes, unauthorised transfers can cause data leakage, breaches and loss of trust.


Operational notes

Regularly review gateway rules/ACLs and the approved data-flow list so only explicitly authorised flows are permitted; remove obsolete paths.


Implementation tips

  • The IT team should map out all the data pathways that the business currently uses. They need to document this by creating a network diagram showing where data enters and leaves the organisation, and note any potential risks. This ensures you know exactly where sensitive information travels.
  • Managers should decide which data flows are essential. They can work with the IT team to identify which data transfers are necessary for business operations and which are not. This can be achieved through meetings where business processes are reviewed to determine the essential data flows.
  • The IT team should configure gateways to restrict data flows. They should use firewall rules or similar technologies to ensure that only approved data paths are operational, and block all others. This is done by setting up software or hardware that checks the data’s 'destination address' and 'sender' before allowing it to pass.
  • System owners should implement a regular review system for data flow approvals. They must set up a schedule, perhaps quarterly, to revisit and authorise existing data pathways. This can involve checking logs and reports generated by the gateways to affirm that only authorised paths are used.
  • The HR team should train staff on the importance of data flow restrictions. Organise training sessions to ensure that all employees understand why certain data flows are restricted and what to do if they suspect unauthorised transfers. Use real-world scenarios to make the impact relatable.
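The review described in the tips above can be partly automated. The following is an added example, not code from the ISM or from any vendor product: it checks a gateway's allow rules against the approved data-flow register (every allow rule needs an approval, every approval needs a review date that has not lapsed, and the ruleset must end in a default deny), and it summarises DENY events from gateway logs as evidence that unauthorised transfers are being blocked. The addresses, approvers, dates, rule format and log format are all constructed for the example.

```python
from datetime import date

# Constructed approved data-flow register (hypothetical addresses, approvers, dates).
APPROVED_FLOWS = [
    {"src": "10.1.0.0/24", "dst": "203.0.113.10", "port": 443, "approver": "CIO",
     "reason": "payroll SaaS upload", "review_by": date(2026, 6, 30)},
    {"src": "10.2.0.0/24", "dst": "198.51.100.5", "port": 22, "approver": "CISO",
     "reason": "SFTP to bank", "review_by": date(2025, 12, 31)},
]

# Constructed gateway ruleset, first match wins; the final rule must be a default deny.
GATEWAY_RULES = [
    {"action": "allow", "src": "10.1.0.0/24", "dst": "203.0.113.10", "port": 443},
    {"action": "allow", "src": "10.2.0.0/24", "dst": "198.51.100.5", "port": 22},
    {"action": "allow", "src": "10.3.0.0/24", "dst": "192.0.2.77", "port": 8080},  # no approval on file
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},
]

# Constructed gateway log lines (timestamp, verdict, key=value fields).
GATEWAY_LOG = """2026-03-19T10:02:11Z DENY src=10.3.0.14 dst=192.0.2.77 dport=8080
2026-03-19T10:02:15Z ALLOW src=10.1.0.5 dst=203.0.113.10 dport=443
2026-03-19T10:03:40Z DENY src=10.3.0.14 dst=192.0.2.77 dport=8080"""

def review_gateway(rules, approved, today):
    """Findings: unapproved allow rules, overdue approvals, approved flows with no rule, missing default deny."""
    findings = []
    approved_by_key = {(f["src"], f["dst"], f["port"]): f for f in approved}
    # A gateway that only permits explicitly authorised flows must fall through to deny.
    if not rules or rules[-1]["action"] != "deny" or rules[-1]["src"] != "any" or rules[-1]["dst"] != "any":
        findings.append("ruleset does not end with a default deny")
    allow_keys = [(r["src"], r["dst"], r["port"]) for r in rules if r["action"] == "allow"]
    for k in allow_keys:
        if k not in approved_by_key:
            findings.append(f"allow rule without approval: {k}")
    for k, f in approved_by_key.items():
        if f["review_by"] < today:  # obsolete approval: re-authorise or remove the path
            findings.append(f"approval overdue for review: {k} (due {f['review_by']})")
        if k not in allow_keys:
            findings.append(f"approved flow has no gateway rule: {k}")
    return findings

def count_denied(log_text):
    """Count DENY events per (src, dst, dport): audit evidence that unauthorised attempts are blocked."""
    counts = {}
    for line in log_text.splitlines():
        _ts, verdict, *kv = line.split()
        if verdict == "DENY":
            f = dict(p.split("=", 1) for p in kv)
            k = (f["src"], f["dst"], int(f["dport"]))
            counts[k] = counts.get(k, 0) + 1
    return counts
```

Running `review_gateway(GATEWAY_RULES, APPROVED_FLOWS, date.today())` on the constructed data flags the unapproved rule to 192.0.2.77 and the lapsed approval for the SFTP flow; the DENY counts correspond to the blocked attempts from 10.3.0.14.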

Audit / evidence tips

  • Ask for the data flow approval documentation: Request a record of all authorised data flows, including who approved them. Look to see that every pathway has a documented business reason and authorising signature.

    Good evidence: a complete list with dates, reasons and approvers' details.

  • Ask to see the network diagram: Request to view the organisational data flow map.

    Good evidence: a diagram that shows current data pathways with the approved routes highlighted.

  • Ask for the firewall or gateway configuration report: Request documentation of the firewall rules or gateway settings.

    Good evidence: a report that includes logs confirming only the sanctioned data flows are being used.

  • Ask for logs of recent data flow activity: Request logs or reports that show recent data flows through the gateways.

    Good evidence: logs showing regular blocking of unauthorised attempts, with timestamps and alerts.

  • Ask about employee awareness programs: Request evidence of recent training sessions on data flow policies.

    Good evidence: a documented training program that records participant understanding and feedback.


Cross-framework mappings

How ISM-0631 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1)
    Annex A 8.20: ISM-0631 requires gateways to only allow explicitly authorised data flows and to block all other transfers.
  • Supports (2)
    Annex A 8.22: ISM-0631 requires gateways to enforce explicitly authorised data flows and block all unauthorised transfers.
    Annex A 8.33: Annex A 8.33 requires management of test information to avoid unauthorised disclosure or misuse.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
