Prevent Lower Email Protective Marking Selection
Email reply or forward tools must not allow reducing security markings from the original.
Plain language
This control ensures that when you reply to or forward an email, you can't lower its security level. It matters because if someone reduces a protective marking, sensitive information could be exposed to people who shouldn't see it, increasing the risk of data leaks or breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used.
Why it matters
Reducing protective markings in replies or forwards can expose sensitive content to wider audiences, causing unauthorised disclosure and potential data breaches.
Operational notes
Regularly audit email clients/gateways to confirm replies and forwards cannot be marked lower than the original email, and test after updates to ensure downgrade prevention remains enforced.
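One way to run the audit described above against captured mail, as an added example that is not part of this page or of any product it describes: it parses a reply/forward thread, assumes the `X-Protective-Marking` header and `SEC=` value format of the Australian Government Email Protective Marking Standard, assumes the ordering NC < OS < P < S < TS for the classifications listed on this page, and flags every reply or forward marked lower than the message it answers.

```python
import email
import re

# Assumed ordering of the ISM classifications listed on this page, lowest to highest
# ("NC" read as non-classified); ISM-1089 forbids a reply moving left in this list.
MARKING_ORDER = ["NC", "OS", "P", "S", "TS"]

# Assumed mapping from the SEC= value of an X-Protective-Marking header (Australian
# Government Email Protective Marking Standard) onto the short codes above.
SEC_TO_CODE = {"UNOFFICIAL": "NC", "OFFICIAL": "NC", "OFFICIAL:Sensitive": "OS",
               "PROTECTED": "P", "SECRET": "S", "TOP-SECRET": "TS"}

# Constructed sample thread: message 2 downgrades, 3 upgrades, 4 drops the marking.
SAMPLE_THREAD = [
    "Message-ID: <1@example.gov.au>\nX-Protective-Marking: SEC=PROTECTED\n\nbudget\n",
    "Message-ID: <2@example.gov.au>\nIn-Reply-To: <1@example.gov.au>\n"
    "X-Protective-Marking: SEC=OFFICIAL:Sensitive\n\nRe: budget\n",
    "Message-ID: <3@example.gov.au>\nIn-Reply-To: <1@example.gov.au>\n"
    "X-Protective-Marking: SEC=SECRET\n\nRe: budget\n",
    "Message-ID: <4@example.gov.au>\nReferences: <1@example.gov.au>\n\nFwd: budget\n",
]

def marking_rank(msg):
    """Rank of the message's marking in MARKING_ORDER, or -1 if absent or unknown."""
    m = re.search(r"SEC=([^,]+)", msg.get("X-Protective-Marking", ""))
    code = SEC_TO_CODE.get(m.group(1).strip()) if m else None
    return MARKING_ORDER.index(code) if code in MARKING_ORDER else -1

def find_downgrades(raw_messages):
    """Return (reply id, original marking, reply marking) for every reply or forward
    marked lower than the message it answers; a missing marking counts as lower."""
    parsed = [email.message_from_string(raw) for raw in raw_messages]
    by_id = {m["Message-ID"]: m for m in parsed if m["Message-ID"]}
    findings = []
    for msg in parsed:
        # Parent is In-Reply-To, else the last References entry (typical for forwards).
        refs = (msg.get("In-Reply-To") or msg.get("References", "")).split()
        parent = by_id.get(refs[-1]) if refs else None
        if parent is None or marking_rank(parent) < 0:
            continue  # not a reply, or the original carried no usable marking
        orig, reply = marking_rank(parent), marking_rank(msg)
        if reply < orig:
            findings.append((msg["Message-ID"], MARKING_ORDER[orig],
                             MARKING_ORDER[reply] if reply >= 0 else "NONE"))
    return findings

if __name__ == "__main__":
    for reply_id, was, now in find_downgrades(SAMPLE_THREAD):
        print(f"{reply_id}: marking lowered from {was} to {now}")
```

Feeding a mailbox export or gateway journal through `find_downgrades` after each client or gateway update gives the documented audit result the Operational notes call for.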
Implementation tips
- Email system administrators should configure email software settings so that users can't choose a lower security marking when replying or forwarding emails. This can usually be set up in the system’s security settings menu.
- IT managers should train staff on the importance of keeping the security marking the same or higher when dealing with sensitive information via email. This can be done through simple workshops or online training sessions.
- Office managers should regularly review email security policies to ensure staff understand them, possibly via monthly staff meetings where any changes to procedures are communicated clearly.
- Business owners should ensure their IT support continuously monitors email software for compliance with this setting, using routine system audits to check that lower security classifications can't be applied inappropriately.
- Procurement teams should ensure that any new email software or tools comply with this control by requiring vendors to demonstrate this feature before purchase.
Audit / evidence tips
- Ask: the email system's configuration settings report. Request a document showing how email protective markings are set.
  Good: a configuration report with settings that prevent downgrading security markings.
- Ask: to see the staff training materials on email security. Request evidence of what was used to train staff about protective markings.
  Good: includes detailed training slides or completed attendance records.
- Ask: screenshots or a demo of the email system in use. Request a live demonstration or screenshots showing what happens when a user tries to lower a marking when forwarding or replying.
  Good: shows the system does not allow marking reductions.
- Ask: a list of user complaints or helpdesk tickets about email security markings. Request reports or logs from the helpdesk related to this feature.
  Good: shows few or resolved complaints, indicating understanding and compliance.
- Ask: evidence of periodic checks of email system settings. Request logs or reports from routine audits of the email system settings.
  Good: shows regular audits with documented results confirming compliance.
Cross-framework mappings
How ISM-1089 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.12 | ISM-1089 requires email reply/forward tooling to prevent users from selecting a protective marking lower than the original email, reducin... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.