Ensure Internet Access via Organisation's Gateway
Mobile devices and computers access the internet through the organisation's secure gateway, not directly.
Plain language
All internet traffic from your organisation's mobile devices and computers should go through a secure, central point - your internet gateway. This is crucial because if devices connect directly to the internet, they could fall prey to attacks or data leaks that a gateway might prevent.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsSection
Enterprise mobilityOfficial control statement
Mobile devices and desktop computers access the internet via an organisation’s internet gateway rather than via a direct connection to the internet.
Why it matters
If you don't use a secure internet gateway, your devices may be exposed to cyber threats and data breaches, compromising sensitive information.
Operational notes
Regularly audit and update how devices connect to the internet, ensuring compliance with the gateway policy to maintain security.
Implementation tips
- IT team should purchase and set up a VPN service: Choose a reputable VPN provider that supports both desktop and mobile devices. Install the VPN software on all devices used by employees and configure it to always connect to the internet via the VPN.
- Managers should inform employees: Communicate to employees why VPN use is important and how they should use it for all work-related internet activities. Conduct a short training session or send easy-to-understand instructions via email.
- System administrators should enable automatic VPN connections: Ensure all organisation devices are set to automatically connect to the VPN when accessing the internet. This can often be set up in the device's network settings or through the VPN software itself.
- Procurement should ensure VPN compatibility: When purchasing new devices, confirm that they are compatible with your chosen VPN service and its software. Check with the vendor or your IT team to avoid issues with essential security setups.
- IT team should monitor VPN usage: Set up regular checks to ensure that employees' devices are connecting through the VPN. Use network monitoring tools to verify secure connections and address any issues promptly.
Audit / evidence tips
- AskThe VPN service agreement: Request a copy of the contract or terms of use with the VPN provider
- AskDevice configuration records: Request logs or records showing devices are set up to use the VPN
- AskEmployee training materials: Request the materials or records from the VPN training session
- AskNetwork monitoring reports: Request reports that track VPN connection activity
- AskThe process documentation on handling VPN failures: Request the procedure document that details what happens if the VPN fails or can't be connected
Cross-framework mappings
How ISM-0874 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-0874 requires mobile devices and desktop computers to access the internet via the organisation’s internet gateway rather than directly | |
| handshake Supports (2) expand_less | ||
| Annex A 8.22 | ISM-0874 requires endpoints to access the internet through a VPN to the organisation’s internet gateway, centralising egress and inspecti... | |
| Annex A 8.23 | ISM-0874 requires all user devices to route internet access through the organisation’s gateway instead of direct connections | |
| link Related (1) expand_less | ||
| Annex A 8.1 | Annex A 8.1 requires organisations to protect information accessible via endpoint devices such as laptops and mobiles | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| E8-RA-ML1.3 | ISM-0874 requires mobile devices and desktop computers to access the internet via a VPN connection to the organisation’s internet gateway... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.