ISM-0664 ASD Information Security Manual (ISM)

Authorisation of Secret Data Exports

Ensure data from high-security systems is checked and approved before export.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

Aug 2025

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustworthy source beforehand.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that whenever data is taken out of highly secure systems, like those marked SECRET or TOP SECRET, it gets checked and approved by someone we trust first. This is important because if sensitive data leaks, it could cause real harm, like identity theft or a threat to national security.

Why it matters

If SECRET/TOP SECRET exports aren’t reviewed and authorised, sensitive data may be released, causing compromise, national security harm and loss of trust.

Operational notes

Maintain a current list of trustworthy reviewers and require documented pre-export review and authorisation for all data leaving SECRET/TOP SECRET systems.

Implementation tips

  • The IT team should work with department heads to create a formal process for data export approval. This involves setting up clear steps, like filling out a data export request form and identifying who in leadership will give the final approval. Clearly outline this process in a document and share it with everyone involved.
  • Managers need to designate trustworthy employees who are responsible for approving data exports. This involves selecting people who understand the importance of data security and have a good track record. It's also essential that these employees hold the security clearances needed to review sensitive data.
  • The security team should regularly provide training on recognising sensitive data and understanding the risks associated with exporting it. Sessions should include real-world examples and how breaches have affected other organisations. Information should be made easy to understand so that everyone, even non-technical staff, gets the message.
  • Human Resources (HR) should establish a system that periodically reviews the list of employees who are authorised to approve data exports. This includes ensuring these employees are still in good legal standing and understand current security protocols. HR should work closely with the security team to update this list as necessary.
  • System owners should use encryption to protect sensitive data files meant for export. This means converting the information into a code to prevent unauthorised access, even if the data falls into the wrong hands. Implement tools and software that handle encryption as part of the data export pipeline.

Audit / evidence tips

  • Ask: for the data export approval documents: Request copies of forms or emails that show who approved each data export and what data was included

    Good: will include clear authorisation records showing the approver's name, date, and approval details

  • Ask: to see the training records for staff involved in data export processes: Review attendance records and training materials

    Good: includes dated records of training sessions and signed acknowledgments by attendees

  • Good: is a regularly updated document with dates of review and a clear change management process

  • Ask: for a demonstration of the data encryption process: Observe the encryption being applied to sensitive data meant for export

    Good: shows strong, current encryption practices according to industry standards

  • Good: shows a clear, actionable incident response plan that is periodically tested and updated

Cross-framework mappings

How ISM-0664 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 8.12 ISM-0664 requires that exports from SECRET and TOP SECRET systems are reviewed and authorised by a trustworthy source prior to release
Supports (1)
Annex A 5.15 ISM-0664 requires that any data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustworthy source before exp...
