Use Approved Encryption for Data at Rest
Use an approved encryption algorithm to protect stored data from unauthorized access.
Plain language
This control is about making sure that any data you store on your computers or servers is encrypted using a method that is approved by the Australian Signals Directorate (ASD). This matters because if someone without permission gets access to your stored data, encryption makes it unreadable to them. Without proper encryption, sensitive information like customer details or financial records could be stolen or exposed, leading to trust issues, reputational damage, or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Cryptographic fundamentals
Topic
Encrypting Data at Rest
Official control statement
An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm is used when encrypting media.
Why it matters
If media is not encrypted with an ASD‑approved or high assurance algorithm, lost or stolen storage can expose sensitive data and cause breaches.
Operational notes
Confirm all at-rest encryption uses an ASD‑Approved Cryptographic Algorithm or high assurance algorithm, and revalidate configs after any crypto updates.
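One way to make that revalidation step concrete, as an added example that is not from the ISM or this page: a Python check that parses `cryptsetup luksDump` output from Linux volumes and flags any whose cipher or effective key size falls outside an allow-list. The allow-list and the minimum key size are assumptions for the example (the authoritative set is the AACA list in the current ISM), and the dump text is constructed.

```python
import re

# Assumed allow-list for this example only; take the real set from the ISM's AACA list.
APPROVED_ALGORITHMS = {"aes"}
MIN_EFFECTIVE_KEY_BITS = 256  # assumed policy threshold for the example

# Constructed sample text in the shape of `cryptsetup luksDump` (LUKS2) output.
SAMPLE_DUMPS = {
    "/dev/sda3": (
        "LUKS header information\nVersion:       \t2\n"
        "Data segments:\n  0: crypt\n\tcipher: aes-xts-plain64\n"
        "Keyslots:\n  0: luks2\n\tCipher:     aes-xts-plain64\n"
        "\tCipher key: 512 bits\n"
    ),
    "/dev/sdb1": (  # algorithm not on the approved list
        "Data segments:\n  0: crypt\n\tcipher: serpent-xts-plain64\n"
        "Keyslots:\n  0: luks2\n\tCipher key: 512 bits\n"
    ),
    "/dev/sdc1": (  # AES, but XTS with a 256-bit LUKS key is only AES-128
        "Data segments:\n  0: crypt\n\tcipher: aes-xts-plain64\n"
        "Keyslots:\n  0: luks2\n\tCipher key: 256 bits\n"
    ),
}

def parse_luks_dump(text):
    """Return (cipher_spec, key_bits) from luksDump text; None where absent."""
    cipher = re.search(r"^\s*cipher:\s*(\S+)", text, re.M | re.I)
    key = re.search(r"^\s*cipher key:\s*(\d+)\s*bits", text, re.M | re.I)
    return (cipher.group(1).lower() if cipher else None,
            int(key.group(1)) if key else None)

def assess(cipher_spec, key_bits):
    """Return (compliant, reason) for one volume's cipher spec and key size."""
    if cipher_spec is None:
        return False, "no cipher found; volume may not be LUKS-encrypted"
    parts = cipher_spec.split("-")
    algo, mode = parts[0], (parts[1] if len(parts) > 1 else "")
    if algo not in APPROVED_ALGORITHMS:
        return False, f"algorithm '{algo}' is not on the approved list"
    if key_bits is None:
        return False, "key size not reported"
    # XTS uses two keys, so the block-cipher key is half the LUKS key (512 -> AES-256).
    effective = key_bits // 2 if mode == "xts" else key_bits
    if effective < MIN_EFFECTIVE_KEY_BITS:
        return False, f"effective key size {effective} bits is below policy"
    return True, f"{algo}-{mode} with {effective}-bit key"

def check_volumes(dumps):
    """Map each device to (compliant, reason) so the result can be kept as evidence."""
    return {dev: assess(*parse_luks_dump(text)) for dev, text in dumps.items()}
```

Run `check_volumes` over real dump output collected from each host after every crypto-related update and keep the failures as the revalidation record.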
Implementation tips
- System owners should identify all locations where sensitive data is stored, such as on computers, servers, or external drives. They should then ensure that these locations are marked as needing encryption. This helps in understanding which parts of your setup need protection.
- The IT team should select encryption software that implements an algorithm on the ASD-Approved Cryptographic Algorithms (AACA) list. The list is published by ASD on its official website; choose software that fits the organisation's needs and budget.
- Managers should arrange for training sessions for staff on the importance of encryption and how it works. This can be done by inviting an expert to explain why encryption is important for protecting company and customer information, helping staff understand the necessity and how to identify encrypted areas.
- Procurement officers should verify that any new hardware or software purchased for storing data comes with encryption capabilities compliant with ASD guidelines. This means checking product specifications and confirming with vendors that their products meet the required standards.
- IT teams should regularly update and patch encryption software to maintain security standards. They can schedule regular checks and updates, ensuring the encryption methods remain robust against new threats.
Audit / evidence tips
- Ask: the list of all data storage locations identified by the system owner
  Good: a comprehensive list that includes all storage hardware and software, with the dates encryption was applied
- Good: software that uses an algorithm on the ASD-Approved Cryptographic Algorithms (AACA) list
- Ask: records of staff training on data encryption
  Good: records of recent training sessions with the most relevant staff attending and positive understanding feedback
- Good: a clear step in product acquisition processes that ensures compliance with encryption requirements
- Good: a regular, proactive update process with documentation for each update or patch applied
Cross-framework mappings
How ISM-1080 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.24 | ISM-1080 requires that when encrypting media (data at rest), organisations use an ASD-Approved Cryptographic Algorithm (AACA) or other hi... |
| Supports | Annex A 5.33 | ISM-1080 requires that encryption of media uses an AACA or high assurance algorithm, reducing the likelihood that stored records can be a... |
| Supports | Annex A 8.1 | ISM-1080 requires use of ASD-approved/high assurance algorithms when encrypting media to protect data at rest from unauthorised access |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.