Secure Naming of Non-Public Wireless Networks
Ensure non-public WiFi network names (SSIDs) don't reveal info about the organisation or location.
Plain language
When setting up Wi-Fi for staff and authorised people only, it's important to use a name that doesn't give away any details about your business or where you're located. This matters because if the wrong people know your network's purpose or location, they might try to break into it, risking your data and privacy.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
SSIDs of non-public wireless networks are not readily associated with an organisation, the location of their premises or the functionality of wireless networks.
Why it matters
If non-public SSIDs expose the organisation, site or network purpose, attackers can identify targets and plan focused intrusion or phishing attempts.
Operational notes
Use neutral, non-identifying SSIDs for non-public WLANs; avoid business names, building/floor labels and function names, and review SSIDs after changes.
Implementation tips
- The IT team should choose a generic name for the Wi-Fi network that doesn’t include the company’s name or location. They can use a simple name that is not linked to the business, like 'BlueWave43'.
- The office manager should communicate to staff and authorised users to avoid discussing or sharing the Wi-Fi name in public places. This can be done by sending a company-wide email with instructions on keeping network details private.
- System administrators should periodically review and change the Wi-Fi SSID as needed. They can schedule biannual reviews to consider if the current naming convention still sufficiently disguises the network origin.
- Human Resources should include clear information in the employee handbook about why it's important to keep the SSID secret. They can make this part of the new hire orientation session to ensure everyone understands the policy from day one.
- Procurement should ensure that when new networking equipment is purchased, the default Wi-Fi name (SSID) is changed immediately. They should check with the IT team that the new names follow the non-descriptive naming policy.
Audit / evidence tips
- Ask for a list of current Wi-Fi network names. A good result is seeing generic, non-identifiable names.
- Good would be a policy document with a section distinctly addressing SSID naming.
- Ask a few staff members what they know about the Wi-Fi naming policy. A satisfactory answer is that employees understand the purpose and importance of keeping names non-identifiable.
- A good example includes detailed logs demonstrating deliberate non-identifiable naming choices.
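One way to run the first audit tip (reviewing a list of current Wi-Fi network names) against the three things the control statement names: organisation, location and functionality. This is an added example, not part of the ISM or of this control page; the term lists, the substitution table and the sample SSIDs are all constructed assumptions to be replaced with your own.

```python
import re

# Constructed term lists: replace with your organisation's names, sites and network roles.
TERMS = {
    "organisation": ["examplecorp", "excorp"],
    "location": ["canberra", "level3", "bldg", "hq"],
    "function": ["guest", "staff", "corp", "scada", "finance", "voip", "admin"],
}

# Common character substitutions, so "C0rp" is still recognised as "corp".
LEET = str.maketrans("013457@$", "oieastas")


def normalise(text):
    """Lowercase, undo simple substitutions, then drop separators and punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def audit_ssid(ssid, terms_by_category):
    """Return a sorted list of (category, term) pairs found inside the SSID."""
    flat = normalise(ssid)
    hits = []
    for category, terms in terms_by_category.items():
        for term in terms:
            # Terms are normalised the same way, so "level3" matches "L3vel3".
            if normalise(term) in flat:
                hits.append((category, term))
    return sorted(hits)


def audit(ssids, terms_by_category):
    """Map each SSID to its findings; an empty list means nothing matched."""
    return {ssid: audit_ssid(ssid, terms_by_category) for ssid in ssids}


# Constructed sample, as might be exported from a wireless controller.
SAMPLE_SSIDS = ["BlueWave43", "ExampleCorp-Staff", "L3vel3-F1nance", "EXC0RP_HQ", "Quartz-17"]

if __name__ == "__main__":
    for ssid, hits in audit(SAMPLE_SSIDS, TERMS).items():
        status = "REVIEW" if hits else "ok"
        print(f"{status:6} {ssid!r} {hits}")
```

Matching is by substring, so short terms such as "hq" can also hit unrelated names; treat each finding as a prompt for manual review and keep the output as audit evidence.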
Cross-framework mappings
How ISM-1317 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-1317 requires that SSIDs for non-public wireless networks are named so they are not readily associated with the organisation, its loc... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.