Authorisation of Secret Data Exports
Ensure data from high-security systems is checked and approved before export.
Plain language
This control is about making sure that whenever data is taken out of highly secure systems, like those marked SECRET or TOP SECRET, it gets checked and approved by someone we trust first. This is important because if sensitive data leaks, it could cause real harm, like identity theft or a threat to national security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustworthy source beforehand.
Why it matters
If SECRET/TOP SECRET exports aren’t reviewed and authorised, sensitive data may be released, causing compromise, national security harm and loss of trust.
Operational notes
Maintain a current list of trustworthy reviewers and require documented pre-export review and authorisation for all data leaving SECRET/TOP SECRET systems.
Implementation tips
- The IT team should work with department heads to create a formal process for data export approval. This involves setting up clear steps, like filling out a data export request form and identifying who in leadership will give the final approval. Clearly outline this process in a document and share it with everyone involved.
- Managers need to designate trustworthy employees who have the responsibility to approve data exports. This involves selecting people who understand the importance of data security and have a good track record. It's also essential that these employees hold the security clearances needed to review sensitive data.
- The security team should regularly provide training on recognising sensitive data and understanding the risks associated with exporting it. Sessions should include real-world examples and how breaches have affected other organisations. Information should be made easy to understand so that everyone, even non-technical staff, gets the message.
- Human Resources (HR) should establish a system that periodically reviews the list of employees who are authorised to approve data exports. This includes ensuring these employees are still in good legal standing and understand current security protocols. HR should work closely with the security team to update this list as necessary.
- System owners should use encryption to protect sensitive data files meant for export. This means converting the information into a code to prevent unauthorised access, even if the data falls into the wrong hands. Implement tools and software that handle encryption as part of the data export pipeline.
Audit / evidence tips
- Ask for the data export approval documents: Request copies of forms or emails that show who approved each data export and what data was included.
  Good will include clear authorisation records showing the approver's name, date, and approval details.
- Ask to see the training records for staff involved in data export processes: Review attendance records and training materials.
  Good includes dated records of training sessions and signed acknowledgments by attendees.
- Good is a regularly updated document with dates of review and a clear change management process.
- Ask for a demonstration of the data encryption process: Observe the encryption being applied to sensitive data meant for export.
  Good shows strong, current encryption practices according to industry standards.
- Good shows a clear, actionable incident response plan that is periodically tested and updated.
Cross-framework mappings
How ISM-0664 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.12 | ISM-0664 requires that exports from SECRET and TOP SECRET systems are reviewed and authorised by a trustworthy source prior to release | |
| Supports (1) | | |
| Annex A 5.15 | ISM-0664 requires that any data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustworthy source before exp... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.