Ensure Content Conversion at Gateways
Files going through gateways must be converted to ensure security and compatibility.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2022
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A
Files imported or exported via gateways or CDSs undergo content conversion.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that any files coming into or leaving your organisation through internet gateways are converted into a safe and compatible format. It's like checking your mail for suspicious packages—if you don't, bad stuff could get in, which might damage your systems or leak important information.
Why it matters
Without content conversion at gateways/CDSs, imported or exported files may retain active content or malware, causing compromise or downtime.
Operational notes
Keep gateway/CDS content conversion profiles current; test new file types and ensure sanitisation removes active content (macros/scripts) before transfer.
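One way to test that sanitisation has removed active content is to inspect files collected on the far side of the gateway. The script below is an added example, not part of the ISM or of any gateway product; its function names are hypothetical and the sample files are constructed in memory. It is a heuristic spot check: it does not look inside compressed PDF streams or nested archives.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")

def residual_active_content(data: bytes) -> list[str]:
    """Return findings for one post-conversion file; an empty list means none found."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append("ole-container: legacy Office format passed through unconverted")
    elif data.startswith(b"%PDF-"):
        findings += [f"pdf-action: {t.decode()}" for t in PDF_ACTIVE if t in data]
    elif data.startswith(b"PK\x03\x04"):  # OOXML documents are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    low = name.lower()
                    if low.endswith("vbaproject.bin"):
                        findings.append(f"ooxml-macro: {name}")
                    elif "/activex/" in low or "/embeddings/" in low:
                        findings.append(f"ooxml-embedded: {name}")
        except zipfile.BadZipFile:
            findings.append("zip: malformed archive, cannot inspect")
    return findings

def _zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def constructed_samples() -> dict[str, bytes]:
    """Constructed stand-ins for files collected after gateway conversion."""
    doc = {"word/document.xml": b"<w:document/>"}
    return {
        "clean.docx": _zip(doc),
        "macro.docm": _zip({**doc, "word/vbaProject.bin": b"constructed"}),
        "clean.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
        "active.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (0) >> >> endobj\n",
        "legacy.doc": OLE_MAGIC + b"\x00" * 16,
    }

def failed_conversions(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map file name -> findings for files that still carry active content."""
    report = {name: residual_active_content(data) for name, data in files.items()}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in failed_conversions(constructed_samples()).items():
        print(name, found)
```

Any file listed in the output indicates that the conversion profile for that file type needs review.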
Implementation tips
- IT team should set up a system to automatically convert files: They should use software that checks and changes file formats at the gateway before files enter the organisation. This protects against harmful files sneaking in.
- IT manager should train staff on file handling: They should organise regular training sessions to show employees what types of files might be risky and why converting them is important. Use simple examples like changing suspicious email attachments into safe formats.
- System administrators should configure gateway settings: They need to adjust the settings on hardware like firewalls or routers to ensure they always convert files passing through. This can involve selecting options in device menus to automatically handle certain file types.
- Security officer should conduct regular checks: They should regularly review if the conversion system is working properly by running test files through the gateway to see if it catches risks. This helps ensure the system is always active and effective.
- Procurement officer should confirm vendor capabilities: When purchasing new software or services, ensure vendors can provide file conversion capabilities at the gateway level. It involves having specific contractual agreements or confirmations in writing.
Audit / evidence tips
- Ask: the gateway configuration file. Request the current configuration or settings file for the gateway device.
  Good: includes detailed settings indicating active file conversions.
- Ask: training records. Request logs or records of employee training sessions on file handling and conversion.
  Good: is a dated record showing regular training sessions with attendance by relevant staff.
- Ask: test logs. Request logs or reports of recent test files passed through the gateway.
  Good: is a detailed log showing successful file conversions and the absence of harmful file entries.
- Ask: a vendor contract document. Request the document that outlines the file conversion capabilities agreed upon with a vendor.
  Good: is a signed contract explicitly stating conversion requirements.
- Ask: policy documents on file handling. Request the internal policy document that outlines procedures for file handling and conversion at gateways.
  Good: is a formally approved policy document.
Cross-framework mappings
How ISM-1286 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
Supports (1)
| Control | Notes |
|---|---|
| Annex A 8.20 | ISM-1286 requires that files imported or exported via gateways or CDSs undergo content conversion to reduce the risk of unsafe or incompa... |