Changing Default SNMP Community Strings on Devices
To enhance security, change default SNMP passwords and disable write access on network devices.
Plain language
This control is about making sure the 'locks' on our digital doors aren't left on the factory settings. Many network devices use a feature called SNMP for tasks like monitoring. If the default settings aren't changed, it can be easy for outsiders to sneak in and mess with our systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Network design and configurationOfficial control statement
All default SNMP community strings on network devices are changed and write access is disabled.
Why it matters
Leaving default SNMP community strings in place (or allowing write access) enables device takeover, outages, and unauthorised configuration changes.
Operational notes
Audit all devices for default SNMP community strings; set unique read-only strings, disable SNMP write, and log/alert on SNMP configuration changes.
Implementation tips
- IT team should identify all network devices: First, make a list of all devices that use SNMP, like routers or switches, to ensure none are missed.
- IT team should change default SNMP settings: Replace the default 'community strings' (think of these as passwords) with strong, unique ones that follow good password practices. Use a secure method and tool to change these settings so unauthorised users can't access them.
- IT team should disable SNMP write access: Configure the devices so that SNMP can only read information and not make changes. This is like allowing someone to see inside but not touch anything, and instructions for this can typically be found in device manuals or online support guides.
- System owners should liaise with the IT team: Regularly review the SNMP settings to ensure they remain secure and effective. This helps catch any accidental changes or new threats that might have surfaced.
- Managers and team leads should ensure security awareness: Educate staff on the importance of network security, including changing default settings. Use regular reminders or training sessions to keep this top of mind.
Audit / evidence tips
-
Askthe SNMP configuration report: Request documentation showing current SNMP settings on network devices
-
GoodEvidence of unique, complex community strings and disabled write access across all devices
-
Asknetwork device inventory: Request a list of all network devices known to use SNMP
-
GoodComprehensive inventory matching the SNMP configuration details and reviews with no missing entries
-
Askevidence of regular security reviews: Request records showing periodic checks of SNMP settings by the IT team
-
GoodConsistent review reports, logs of action taken, and resolved issues
-
Asktraining records or awareness sessions: Request documentation or schedules of any sessions held for staff education on network security
-
GoodRegularly updated sessions with attendance logs and comprehensive content covering SNMP security
Cross-framework mappings
How ISM-1312 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.9 | ISM-1312 requires a specific secure configuration outcome for SNMP on network devices (non-default community strings and no write access) | |
| link Related (1) expand_less | ||
| Annex A 8.20 | Annex A 8.20 requires secure management and control of networks and network devices to protect information | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.