Ensure Data Exports are Digitally Signed
Data from SECRET and TOP SECRET systems must be signed by a trusted source before export.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S, TS
🗓️ ISM last updated
Aug 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trustworthy source.
Source: ASD Information Security Manual (ISM)
Plain language
When sensitive data needs to be moved from secure systems, it's crucial that this data is 'signed' by a trusted source to confirm it hasn't been tampered with. This is like getting a stamped seal of authenticity, ensuring that what you send is exactly what you meant to, and helps prevent leaks and misuse of sensitive information.
Why it matters
If SECRET/TOP SECRET exports are not digitally signed, recipients cannot verify integrity or source, enabling tampering and potentially compromising national security.
Operational notes
Digitally sign all SECRET/TOP SECRET exports with trusted keys; validate signatures on receipt and manage certificate/keys to maintain a trustworthy signing source.
Implementation tips
- The IT manager should select a trusted software tool that can digitally sign data. This tool should be easy to use and compatible with the secret and top-secret systems you are using.
- IT staff should set up a process where data scheduled for export is automatically signed before it leaves the secure system. This means setting up scripts or workflows in the tool to ensure signing happens every time.
- Managers should train staff who handle data exports on how to use the digital signing tool. This includes showing them how to initiate a signing process and verify the signature.
- The security officer should design a procedure to periodically check that all data exports are indeed being signed. This could involve reviewing logs or output reports from the signing tool.
- The finance or procurement team should ensure that the chosen digital signing tool is updated regularly. This can be achieved by setting reminders to check for updates or renew licenses.
Audit / evidence tips
-
Ask: the digital signing procedure document: Request the documented process for signing data before export
Good: a thorough document outlining each step and the responsible person
-
Ask: logs showing recent data exports: These logs should record each data export and confirm if they were signed
Good: all entries showing 'signed' status with no exceptions
-
Ask: to see the list of approved software tools for digital signing: Verify that the list includes tools currently in use and approved by a security officer
Good: an updated list signed by relevant authority with software details like version and approval date
-
Ask: reports on training sessions conducted for staff: Check that all relevant employees have been trained on the digital signing process
Good: complete training records with dates, attendees, and topics covered
-
Ask: evidence of system checks or audits: Request records of periodic reviews of the digital signing process
Good: detailed audit reports with no unresolved issues
Cross-framework mappings
How ISM-0675 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 5.14 | ISM-0675 requires that data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trustworthy source to prese... | |
| Depends on (1) | ||
| Annex A 8.24 | ISM-0675 requires exported data from SECRET and TOP SECRET systems to be digitally signed by a trustworthy source, which relies on correc... | |