Require Latest Version of TLS for Security
Ensure only the latest TLS version is used to secure connections.
Plain language
This control is about making sure that when information is sent over the internet, it's kept safe and private. We do this by using the latest version of a security protocol called TLS (Transport Layer Security). If we don't, hackers could intercept and access sensitive information like credit card numbers or personal details.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
Only the latest version of TLS is used for TLS connections.
Why it matters
Allowing non-latest TLS versions (e.g., TLS 1.0/1.1) can enable downgrade attacks and weaker ciphers, exposing data in transit to compromise.
Operational notes
Verify servers/clients only negotiate the latest TLS version supported; disable TLS 1.0/1.1, restrict cipher suites, and regularly test with TLS scanners.
Implementation tips
- Look at your web servers, email systems, and any other software that communicates over the internet. Make a list of each system and its current TLS version.
- IT team: Update systems to the latest TLS version. For each system on your list that isn't using the latest version, follow the system's documentation to upgrade its TLS version. Ensure you test systems function correctly after upgrading.
- Procurement: Ensure new software and services support the latest TLS version. When purchasing or subscribing to new digital services, check their specifications to confirm they support the current TLS version.
- Office manager: Talk to your IT provider about TLS security. If you use an external IT service, ask them if your systems are using the latest TLS version and how they are keeping it up-to-date.
- Staff: Report any secure connection warnings to IT. If you see warnings about insecure connections or certificates while using business applications, inform IT immediately so they can check the TLS settings.
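As an added example (not the ISM's or Control Stack's own tooling), the following Python probe implements the operational note above: it attempts a handshake pinned to each TLS version in turn and reports any version other than the latest that the server still accepts, plus a missing latest version. It assumes TLS 1.3 is the latest version, a host and port you are authorised to test, and the standard-library ssl module.

```python
import socket
import ssl

# TLS 1.3 (RFC 8446) is the latest published TLS version at the time of writing.
LATEST = ssl.TLSVersion.TLSv1_3
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def offers_version(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to exactly `version`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # probing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Current OpenSSL builds refuse TLS 1.0/1.1 at the default security
            # level; relax it for this probe only so a legacy server is detected.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False   # the local library cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False   # handshake refused or connection failed


def assess(supported):
    """Map {TLSVersion: negotiated?} to a list of findings; an empty list is compliant."""
    findings = []
    for version, negotiated in supported.items():
        if negotiated and version != LATEST:
            findings.append(f"{version.name} accepted; disable it")
    if not supported.get(LATEST, False):
        findings.append(f"{LATEST.name} not offered; upgrade the server")
    return findings


def scan(host, port=443):
    """Probe every TLS version against one server and return the findings."""
    return assess({v: offers_version(host, port, v) for v in VERSIONS})


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    for line in scan(target) or ["compliant: only the latest TLS version negotiated"]:
        print(line)
```

Run it against each system on the inventory list and keep the output as the evidence the audit tips below ask for.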
Audit / evidence tips
- Ask: a list of systems and their current TLS versions. Request a report from the IT team showing each system and the TLS version it is using.
  Good: all systems listed with the latest TLS version clearly indicated.
- Ask: maintenance records of TLS updates. Request documentation showing when each system was last updated for TLS.
  Good: recent dates and the latest version of TLS on every system.
- Ask: to see purchasing guidelines for software and services. Request the procurement policy or guidelines.
  Good: a clear stipulation that vendors must support the latest TLS version.
- Ask: team members about reports of security warnings. Speak to IT and staff about any security warnings related to TLS issues.
  Good: documented reports with follow-ups indicating resolved or harmless status.
- Ask: an IT service provider agreement. Request the contract or service agreement with your IT provider.
  Good: the agreement includes explicit terms about using current TLS versions.
Cross-framework mappings
How ISM-1139 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping | Notes |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-1139 requires organisations to only use the latest version of TLS for TLS connections to protect confidentiality and integrity in tra... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.