ISM-0665: ASD Information Security Manual (ISM)

Verification Required for Exporting Secret Data

Only verified and authorised people or services can handle SECRET or TOP SECRET data exports.

Plain language

This control ensures that only people or services with special approval can handle very sensitive information when it's sent outside the organisation. This is important because if the wrong person gains access, it could lead to data theft, financial loss, or damage to the organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Aug 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Trustworthy sources for SECRET and TOP SECRET systems are limited to people and services that have been verified and authorised as such by the chief information security officer.

Why it matters

If trustworthy export sources aren’t verified and authorised by the CISO, SECRET/TOP SECRET data can be exfiltrated to untrusted people/services, enabling espionage and major damage.

Operational notes

Maintain a CISO-approved register of verified and authorised people/services permitted to export SECRET/TOP SECRET data, and review access and verification evidence after role or service changes.

Implementation tips

  • Managers should identify key staff and services that need access to export SECRET or TOP SECRET data. They should create a list of these people and services and ensure each one is evaluated for trustworthiness by a higher authority like the chief information security officer.
  • The IT team needs to set up secure access channels for handling SECRET or TOP SECRET data. This includes using encryption and secure connections to prevent data from being intercepted during transfer.
  • Human Resources should conduct background checks on employees who need access to sensitive data to verify their trustworthiness. This can be done through detailed reference checks and possibly security clearance processes.
  • The IT department should establish a monitoring system to track and log any exports of SECRET or TOP SECRET data. Using specialised tracking software, they can ensure all data transfers are authorised and secure.
  • System administrators must develop a training program for staff on how to handle data securely. This should cover the importance of maintaining confidentiality and the procedures for reporting unauthorised attempts at accessing sensitive data.

Audit / evidence tips

  • Ask: The list of authorised personnel and services: Request the document detailing who is authorised to handle SECRET or TOP SECRET data. Good: The names matching consistently with those in the logs.
  • Ask: Records that show background checks were done on authorised personnel.
  • Ask: The data transfer logs: Request logs of all SECRET or TOP SECRET data exports. Good: Logs that match authorised export activities with no unexplained entries.
  • Ask: The documents outlining procedures for secure data handling. Good: Comprehensive, up-to-date practices that align with data transferred securely.
  • Ask: Staff training records: Request documentation of completed training sessions on secure data handling. Good: Every staff member who handles sensitive data has attended training within the past year.

Cross-framework mappings

How ISM-0665 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)

  • Annex A 8.2: ISM-0665 requires that only CISO-verified and authorised people and services can be trusted sources for exporting SECRET and TOP SECRET data

Depends on (2)

  • Annex A 5.15: ISM-0665 requires organisations to control who (people/services) is verified and authorised to export SECRET and TOP SECRET data
  • Annex A 5.18: ISM-0665 requires that only CISO-verified and authorised people/services can export SECRET and TOP SECRET data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
