Ensure Content Conversion at Gateways
Files going through gateways must be converted to ensure security and compatibility.
Plain language
This control is about making sure that any files coming into or leaving your organisation through internet gateways are converted into a safe and compatible format. It's like checking your mail for suspicious packages-if you don't, bad stuff could get in, which might damage your systems or leak important information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
18 May 2026
E8 maturity levels
N/A
Official control statement
Files imported or exported via gateways or CDSs undergo content conversion.
Why it matters
Without content conversion at gateways/CDSs, imported or exported files may retain active content or malware, causing compromise or downtime.
Operational notes
Keep gateway/CDS content conversion profiles current; test new file types and ensure sanitisation removes active content (macros/scripts) before transfer.
Implementation tips
- IT team should set up a system to automatically convert files: They should use software that checks and changes file formats at the gateway before files enter the organisation. This protects against harmful files sneaking in.
- IT manager should train staff on file handling: They should organise regular training sessions to show employees what types of files might be risky and why converting them is important. Use simple examples like changing suspicious email attachments into safe formats.
- System administrators should configure gateway settings: They need to adjust the settings on hardware like firewalls or routers to ensure they always convert files passing through. This can involve selecting options in device menus to automatically handle certain file types.
- Security officer should conduct regular checks: They should regularly review if the conversion system is working properly by running test files through the gateway to see if it catches risks. This helps ensure the system is always active and effective.
- Procurement officer should confirm vendor capabilities: When purchasing new software or services, ensure vendors can provide file conversion capabilities at the gateway level. It involves having specific contractual agreements or confirmations in writing.
Audit / evidence tips
- AskThe gateway configuration file: Request the current configuration or settings file for the gateway device GoodIncludes detailed settings indicating active file conversions
- AskTraining records: Request logs or records of employee training sessions on file handling and conversion GoodIs a dated record showing regular training sessions with attendance by relevant staff
- AskTest logs: Request logs or reports of recent test files passed through the gateway GoodIs a detailed log showing successful file conversions and the absence of harmful file entries
- AskA vendor contract document: Request the document that outlines the file conversion capabilities agreed upon with a vendor GoodIs a signed contract explicitly stating conversion requirements
- AskPolicy documents on file handling: Request the internal policy document that outlines procedures for file handling and conversion at gateways GoodIs a formally approved policy document
Cross-framework mappings
How ISM-1286 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 8.20 | ISM-1286 requires that files imported or exported via gateways or CDSs undergo content conversion to reduce the risk of unsafe or incompa... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.