ISM-0675, ASD Information Security Manual (ISM)

Ensure Data Exports are Digitally Signed

Data from SECRET and TOP SECRET systems must be signed by a trusted source before export.

Plain language

When sensitive data needs to be moved from secure systems, it's crucial that this data is 'signed' by a trusted source to confirm it hasn't been tampered with. This is like getting a stamped seal of authenticity: it ensures that what you send is exactly what you meant to send, and it helps prevent leaks and misuse of sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Aug 2025

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trustworthy source.
ASD Information Security Manual (ISM), ISM-0675

Why it matters

If SECRET/TOP SECRET exports are not digitally signed, recipients cannot verify integrity or source, enabling tampering and potentially compromising national security.

Operational notes

Digitally sign all SECRET/TOP SECRET exports with trusted keys; validate signatures on receipt and manage certificate/keys to maintain a trustworthy signing source.

Implementation tips

  • The IT manager should select a trusted software tool that can digitally sign data. This tool should be easy to use and compatible with the SECRET and TOP SECRET systems you are using.
  • IT staff should set up a process where data scheduled for export is automatically signed before it leaves the secure system. This means setting up scripts or workflows in the tool to ensure signing happens every time.
  • Managers should train staff who handle data exports on how to use the digital signing tool. This includes showing them how to initiate a signing process and verify the signature.
  • The security officer should design a procedure to periodically check that all data exports are indeed being signed. This could involve reviewing logs or output reports from the signing tool.
  • The finance or procurement team should ensure that the chosen digital signing tool is updated regularly. This can be achieved by setting reminders to check for updates or renew licences.

Audit / evidence tips

  • Ask: The digital signing procedure document. Request the documented process for signing data before export. Good: A thorough document outlining each step and the responsible person.
  • Ask: Logs showing recent data exports. These logs should record each data export and confirm if they were signed. Good: All entries showing 'signed' status with no exceptions.
  • Ask: To see the list of approved software tools for digital signing. Verify that the list includes tools currently in use and approved by a security officer. Good: An updated list signed by relevant authority with software details like version and approval date.
  • Ask: Reports on training sessions conducted for staff. Check that all relevant employees have been trained on the digital signing process. Good: Complete training records with dates, attendees, and topics covered.
  • Ask: Evidence of system checks or audits. Request records of periodic reviews of the digital signing process. Good: Detailed audit reports with no unresolved issues.

Cross-framework mappings

How ISM-0675 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.14: ISM-0675 requires that data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trustworthy source to prese...

Depends on (1)

  • Annex A 8.24: ISM-0675 requires exported data from SECRET and TOP SECRET systems to be digitally signed by a trustworthy source, which relies on correc...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
