Prevent Use of Insecure SNMP Versions on Networks
Avoid using SNMP versions 1 and 2, as they are insecure for network management.
Plain language
This control is about ensuring that your network doesn't use old, unsafe methods to manage devices, specifically versions 1 and 2 of something called the Simple Network Management Protocol (SNMP). If these outdated versions are used, hackers can easily snoop on or change your network data, leading to information theft or network disruption.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Network design and configurationOfficial control statement
SNMP version 1 and SNMP version 2 are not used on networks.
Why it matters
If SNMPv1/v2 are used, attackers can sniff community strings and modify device settings via unauthenticated or weakly protected SNMP traffic.
Operational notes
Scan and audit network devices to confirm SNMPv1/v2 are disabled; allow only SNMPv3 with authentication and encryption, and remove legacy configs.
Implementation tips
- IT support should review network management software to ensure it only uses SNMP version 3. This involves checking the software settings and configurations to see if older versions are disabled.
- The network administrator should conduct a survey of all devices on the network to identify which ones still use SNMP versions 1 or 2. Use a network scanning tool to find these devices, and record the findings for action.
- Procurement should stipulate in contracts with IT suppliers that any new management systems must not use SNMP versions 1 or 2. This can be done by including clear language in the purchase agreement stating the requirement.
- Managers should organise training sessions for their IT staff on the importance of using SNMP version 3. Provide materials or bring in an expert to explain why upgrading is crucial for network security.
- The IT team should regularly update device firmware and software to support the secure SNMP version 3. Follow manufacturer instructions for upgrading and verify that SNMP v3 features are enabled post-update.
Audit / evidence tips
- AskThe network configuration documentation: Request details on current network management settings GoodIs documentation clearly showing only version 3 being configured
- AskA recent network device inventory: Check for any devices listed as using SNMP v1 or v2 GoodAn inventory showing no devices with outdated SNMP versions
- AskThe IT procurement policy: Check for clauses ensuring new devices or software do not support SNMP v1 or v2 GoodA policy document stating SNMP v3 is a requirement
- AskTo see the IT team’s training records GoodDated records showing staff attended training about SNMP version use
- AskEvidence of firmware and software updates: This includes logs or reports on updates aimed at enabling SNMP v3 GoodComprehensive logs showing recent updates which ensure SNMP v3 is enabled
Cross-framework mappings
How ISM-1311 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.9 | ISM-1311 mandates that organisations ensure SNMP version 1 and 2 are not used on networks | |
| Annex A 8.20 | ISM-1311 requires organisations to prevent the use of insecure SNMP versions (SNMPv1 and SNMPv2) on networks | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.