Skip to content
Control Stack logo Control Stack
ISM-0874 ASD Information Security Manual (ISM)

Ensure Internet Access via Organisation's Gateway

Mobile devices and computers access the internet through the organisation's secure gateway, not directly.

Preventative Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET ASD Information Security ManualGuidelines for communications systemsinternet accessnetwork securityMarch 2026 ISM Update

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for communications systems

Section

Enterprise Mobility

Topic

Connecting Mobile Devices and Desktop Computers to the Internet
Official control statement
Mobile devices and desktop computers access the internet via an organisation's internet gateway rather than via a direct connection to the internet.

Source: ASD Information Security Manual (ISM)

Plain language

All internet traffic from your organisation's mobile devices and computers should go through a secure, central point - your internet gateway. This is crucial because if devices connect directly to the internet, they could fall prey to attacks or data leaks that a gateway might prevent.

Why it matters

If you don't use a secure internet gateway, your devices may be exposed to cyber threats and data breaches, compromising sensitive information.

Operational notes

Regularly audit and update how devices connect to the internet, ensuring compliance with the gateway policy to maintain security.

Implementation tips

  • IT team should purchase and set up a VPN service: Choose a reputable VPN provider that supports both desktop and mobile devices. Install the VPN software on all devices used by employees and configure it to always connect to the internet via the VPN.
  • Managers should inform employees: Communicate to employees why VPN use is important and how they should use it for all work-related internet activities. Conduct a short training session or send easy-to-understand instructions via email.
  • System administrators should enable automatic VPN connections: Ensure all organisation devices are set to automatically connect to the VPN when accessing the internet. This can often be set up in the device's network settings or through the VPN software itself.
  • Procurement should ensure VPN compatibility: When purchasing new devices, confirm that they are compatible with your chosen VPN service and its software. Check with the vendor or your IT team to avoid issues with essential security setups.
  • IT team should monitor VPN usage: Set up regular checks to ensure that employees' devices are connecting through the VPN. Use network monitoring tools to verify secure connections and address any issues promptly.

Audit / evidence tips

  • Ask: the VPN service agreement: Request a copy of the contract or terms of use with the VPN provider

  • Ask: device configuration records: Request logs or records showing devices are set up to use the VPN

  • Ask: employee training materials: Request the materials or records from the VPN training session

  • Ask: network monitoring reports: Request reports that track VPN connection activity

  • Ask: the process documentation on handling VPN failures: Request the procedure document that details what happens if the VPN fails or can't be connected

Cross-framework mappings

How ISM-0874 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.20 ISM-0874 requires mobile devices and desktop computers to access the internet via the organisation’s internet gateway rather than directly
Supports (2)
Annex A 8.22 ISM-0874 requires endpoints to access the internet through a VPN to the organisation’s internet gateway, centralising egress and inspecti...
Annex A 8.23 ISM-0874 requires all user devices to route internet access through the organisation’s gateway instead of direct connections
Related (1)
Annex A 8.1 Annex A 8.1 requires organisations to protect information accessible via endpoint devices such as laptops and mobiles

E8

Control Notes Details
Partially overlaps (1)
E8-RA-ML1.3 ISM-0874 requires mobile devices and desktop computers to access the internet via a VPN connection to the organisation’s internet gateway...

Mapping detail

Mapping

Direction

Controls