ISM-0677 ASD Information Security Manual (ISM)

Ensure File Integrity Through Signature Validation

Files with digital signatures or checksums must be verified at system boundaries to ensure integrity.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Files imported or exported via gateways or CDSs that have a digital signature or cryptographic checksum are validated.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that when files are transferred in or out of your organisation, they're checked for authenticity using digital signatures or checksums. This matters because if files are tampered with during transfer, it could lead to data corruption, security breaches, or even legal issues if sensitive information is involved.

Why it matters

If signatures or checksums aren’t validated at gateways/CDSs, tampered or malicious files can pass unnoticed, leading to compromise or data leakage.

Operational notes

At each gateway/CDS, automatically verify digital signatures or cryptographic checksums on import/export and alert/quarantine files that fail validation.
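
A minimal sketch of the import-side check described above, as an added example rather than ASD or Control Stack code. It assumes checksums arrive as a sha256sum-style manifest; the function names, verdict strings and directory layout are hypothetical.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    pairs = (line.split(maxsplit=1) for line in text.splitlines())
    return {p[1].strip().lstrip("*"): p[0].lower() for p in pairs if len(p) == 2}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked, for large files
            digest.update(chunk)
    return digest.hexdigest()


def check_import(inbound, quarantine, manifest):
    """Validate each inbound file; move failures to quarantine. Returns {name: verdict}."""
    quarantine.mkdir(parents=True, exist_ok=True)
    results = {}
    for path in sorted(p for p in inbound.iterdir() if p.is_file()):
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "no-checksum"  # nothing to validate; other controls apply
        elif hmac.compare_digest(sha256_file(path), expected):
            results[path.name] = "valid"
        else:
            shutil.move(str(path), str(quarantine / path.name))
            results[path.name] = "quarantined"  # a deployment would also raise an alert
    return results


def demo():
    """Constructed sample: one intact file, one altered in transit, one with no checksum."""
    root = Path(tempfile.mkdtemp())
    inbound, quarantine = root / "inbound", root / "quarantine"
    inbound.mkdir()
    (inbound / "report.pdf").write_bytes(b"original report")
    (inbound / "update.bin").write_bytes(b"original update")
    manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in inbound.iterdir())
    (inbound / "update.bin").write_bytes(b"tampered update")
    (inbound / "notes.txt").write_bytes(b"sent without a checksum")
    results = check_import(inbound, quarantine, parse_manifest(manifest))
    return results, sorted(p.name for p in quarantine.iterdir())
```

A bare checksum only detects modification when the manifest reaches the gateway by a path the file's sender cannot also alter; a digital signature over the file or the manifest removes that dependency.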

Implementation tips

  • The IT team should establish a process for verifying digital signatures and checksums on all files crossing system boundaries. They can do this by installing and configuring software that automatically checks these signatures whenever a file is imported or exported.
  • System owners should ensure staff are trained to recognise and report any files that fail signature checks. Regular training sessions with practical examples can help staff quickly identify and escalate these issues to the IT team.
  • Managers should set up regular reviews of the file integrity checking process to ensure it remains effective. Hold monthly meetings to discuss any failed checks and improvements needed in the verification process.
  • Procurement teams must ensure that any new gateway or file transfer solution supports digital signature and checksum verification. They should specify this requirement during the purchasing process by consulting with vendors and verifying product capabilities.
  • HR should ensure clear communication of policies regarding file integrity to all employees. This can be done by incorporating information about digital signatures and checksums into the onboarding process and presenting it in an accessible format like an easy-to-read guide or a quick reference card.

Audit / evidence tips

  • Ask: records of file integrity checks conducted in the last six months

    Good: record will show regular checks with documented results, including any incidents of failed checks and corrective actions taken

  • Good: demonstration will show the software accurately identifying and flagging files that do not pass the checks

  • Ask: the training materials used for staff education on file integrity verification

  • Ask: procurement documents for recent file transfer systems purchases

    Good: procurement record will clearly show that verification capabilities were considered essential

Cross-framework mappings

How ISM-0677 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Supports (2)
Annex A 5.14 ISM-0677 requires that files crossing system boundaries via gateways or CDSs have their digital signatures or cryptographic checksums val...
Annex A 8.24 ISM-0677 requires validation of digital signatures or cryptographic checksums for files imported or exported through gateways or CDSs
