ISM-1037: ASD Information Security Manual (ISM)

Regular Testing for Security of Gateways

Gateways are tested every six months and after changes to ensure they meet security standards.


Plain language

This control is about regularly testing the security of gateways, like your internet router, to ensure they're safely configured. If this testing isn't done, hackers might exploit weaknesses to access your systems, leading to data breaches or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations.

Why it matters

Failure to test gateways regularly can leave insecure configurations undetected, enabling intrusion via network entry points and causing outages or data compromise.


Operational notes

Test gateways after configuration changes and at least every six months; review findings promptly and remediate any deviations from approved secure configurations.


Implementation tips

  • The IT team should schedule regular gateway security tests every six months. Use a calendar reminder to ensure these tests happen on time, and keep a checklist of tests to run to make sure no steps are missed.
  • After any changes to the gateway's settings, the IT team should repeat the security testing process. This involves checking that new settings haven't unintentionally created vulnerabilities; use a step-by-step guide to verify each setting aligns with security best practices.
  • System owners should collaborate with the IT team to document a testing protocol. This protocol should clearly outline the tests to run, including any software tools used for vulnerability scanning.
  • Management should ensure that resources, including trained personnel and software tools, are available for these gateway security tests. This may involve budgeting for software subscriptions that help identify security holes.
  • The IT team should maintain detailed records of each test, including what was tested, when, and what the results were. Store these logs in a secure location and review them regularly to identify and address recurring issues.

Audit / evidence tips

  • Ask: To see the gateway testing schedule. Confirm there is a documented plan showing when each gateway test is due. Good: Includes specific test dates already marked for the year.
  • Ask: The change management log. Ensure it includes records of all configuration changes made to gateways. Good: Is complete documentation showing tests were done post-change.
  • Good: Is a well-documented protocol that references national standards.
  • Ask: The budget report related to gateway security. Review it to see allocations for testing resources and software tools. Good: Shows clear funding dedicated to regular testing processes.

Cross-framework mappings

How ISM-1037 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 5.36: ISM-1037 requires gateways to be tested after changes and at least every six months to validate conformance to expected security configur...
  • Annex A 8.9: ISM-1037 requires gateways to be tested after configuration changes and at least every six months to confirm they conform to expected sec...

Partially overlaps (1)

  • Annex A 5.35: ISM-1037 requires gateways to be tested after configuration changes and at least every six months to confirm they meet expected security ...

Supports (1)

  • Annex A 8.21: Annex A 8.21 requires security mechanisms for network services to be implemented and monitored.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
