ISM-1289: ASD Information Security Manual (ISM)

Ensure Content Filtering of Archive Files at Gateways

Files in archive formats must be opened for security checks when they pass through security gateways.

Plain language

This control requires that files in archive formats, like ZIP or RAR, are checked for security problems when they pass through your organisation's gateways or transfer points. This is crucial because failing to do so could allow dangerous content, such as malware, to slip into your network undetected, potentially causing data loss or system damage.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering checks.

Why it matters

Failing to filter archive files at gateways can allow hidden malware to infect systems, leading to data breaches or operational disruption.

Operational notes

At gateways/CDSs, automatically unpack archives (nested too) before scanning; keep signatures current and test with passworded/corrupt samples to verify detection.
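
The unpack-before-scan step described in these notes, as an added example (not code from the ISM or from this page): it handles ZIP only, using Python's standard zipfile module, and fails closed on encrypted, corrupt, oversized or too deeply nested content. The limits, the marker_scan stand-in for a scan engine and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile
import zlib

MAX_DEPTH = 5                        # assumed nesting limit
MAX_BYTES = 10 * 1024 * 1024         # assumed per-member size limit
MARKER = b"CONSTRUCTED-TEST-MARKER"  # stand-in for a real signature

def marker_scan(body):  # hypothetical filter; a real gateway calls its scan engine
    return "block: marker found" if MARKER in body else "pass"

def unpack_for_filtering(data, scan, name="<root>", depth=0):
    """Recursively unpack ZIP bytes and return [(path, verdict)], failing closed."""
    if depth > MAX_DEPTH:
        return [(name, "blocked: nesting too deep")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "blocked: corrupt archive")]
    results = []
    for info in archive.infolist():
        path = f"{name}/{info.filename}"
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            results.append((path, "blocked: encrypted, cannot inspect"))
            continue
        try:
            with archive.open(info) as member:
                body = member.read(MAX_BYTES + 1)  # bounded read limits zip bombs
        except (zipfile.BadZipFile, zlib.error, NotImplementedError, OSError):
            results.append((path, "blocked: unreadable member"))
            continue
        if len(body) > MAX_BYTES:
            results.append((path, "blocked: member over size limit"))
        elif body.startswith(b"PK\x03\x04"):  # nested ZIP: unpack before scanning
            results.extend(unpack_for_filtering(body, scan, path, depth + 1))
        else:
            results.append((path, scan(body)))
    return results

def build_sample():  # constructed input: clean file, nested marker, truncated ZIP
    def zip_of(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for member_name, content in members.items():
                z.writestr(member_name, content)
        return buf.getvalue()
    inner = zip_of({"deeper.zip": zip_of({"payload.txt": b"header " + MARKER})})
    return zip_of({"clean.txt": b"hello", "inner.zip": inner, "broken.zip": b"PK\x03\x04 cut"})
```

Calling unpack_for_filtering(build_sample(), marker_scan) returns one verdict per leaf file, so a gateway can block the whole transfer if any verdict is not "pass".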

Implementation tips

  • IT staff should set up automatic scanning software at the gateways: Configure the security gateways to automatically unpack and scan archive files as they are sent or received, checking for viruses or malicious content. Use straightforward software that integrates with your current system easily.
  • System administrators should update scanning rules regularly: Ensure that the software has the latest threat definitions by scheduling routine updates. This can be done by enabling automatic updates offered by the software vendor, keeping scanning capabilities current.
  • Office managers should train staff about safe file handling practices: Conduct regular training sessions to inform employees about recognising potentially harmful archive files and the importance of allowing security scans. This can be done through brief, periodic workshops or online training modules.
  • Procurement teams should choose vendors with strong security features: When purchasing or renewing gateway systems, ensure they offer robust archive file content filtering capabilities. Request demonstrations for how these features handle and filter unwanted or harmful files.
  • Security officers should perform regular tests on the filters: Conduct scheduled tests where benign and malicious archive files are intentionally sent through the system to verify filters are functioning properly. Document the outcomes of these tests and address any failures promptly.

Audit / evidence tips

  • Ask: Security policy documents governing archive file handling: Review the policies outlining how archive file checks are to be performed. Good: A comprehensive policy document with clear, up-to-date procedures and periodic review dates.
  • Good: Consistent logs showing regular scanning activity and follow-up actions for threats.
  • Ask: User training records on file handling: Review records or certificates showing employee participation in security training. Good: A training roster and materials covering handling risks and the importance of scans, with recent attendance records.
  • Good: Documented testing reports showing tests executed and results, along with corrective actions for any failures.
  • Good: Manufacturer brochures or technical sheets with detailed feature lists and compliance certifications.

Cross-framework mappings

How ISM-1289 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.7: ISM-1289 requires archive files imported or exported via gateways or CDSs to be unpacked so the extracted contents can be content-filtere...
Supports (1)
  • Annex A 8.20: ISM-1289 requires gateways or CDSs to unpack archive files so content filtering can be applied to the extracted files during import/export.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.