Requiring Certificates for Wireless Network Access
Devices and users must have certificates to connect to wireless networks.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Wireless networks
Certificates are required for devices and users accessing wireless networks.
Source: ASD Information Security Manual (ISM)
Plain language
This control means that any device or person trying to connect to your wireless network must show a digital certificate. Think of it like having a special pass to enter a secure area. This is important because, without it, unauthorised people could easily access your network, stealing information or causing damage.
Why it matters
Without certificates for wireless access, unauthorised users can hijack network traffic, compromising data integrity and confidentiality.
Operational notes
Regularly update and manage device/user certificates, ensuring certificate revocation lists are current to prevent access from compromised devices.
Implementation tips
- The IT team should set up a system to issue digital certificates to devices and users. They can use a Certificate Authority (CA), which is a tool that helps create and manage these certificates securely.
- Managers or team leads should ensure all employees understand the need for certificates to access the network. They can do this by organising short training sessions where the process and importance are explained in simple terms.
- The IT team should configure the network to only accept connections from devices with the correct certificates. This involves changing the network settings to require certificate validation for access.
- System administrators should continually monitor and manage the certificates, renewing them before they expire. This can be done by using tools that alert them when a certificate is about to expire.
- Procurement should ensure any new equipment purchased can support the use of certificates. They can do this by specifying this requirement in product purchase agreements with vendors.
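The renewal and revocation monitoring described in the tips above can be scripted against the CA's own record of issued certificates. This is an added example, not part of the ISM or this page: it assumes the CA is run with OpenSSL's `ca` command, which keeps an `index.txt` database, and the sample records, hostnames and 30-day warning window are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the OpenSSL `ca` index.txt layout (tab-separated):
# status, expiry, revocation[,reason], serial, filename, subject.
SAMPLE_INDEX = (
    "V\t260301000000Z\t\t1000\tunknown\t/CN=laptop-014.example.internal\n"
    "V\t270115000000Z\t\t1001\tunknown\t/CN=alice@example.internal\n"
    "R\t261201000000Z\t260110093000Z,keyCompromise\t1002\tunknown\t/CN=tablet-007.example.internal\n"
    "V\t260201000000Z\t\t1003\tunknown\t/CN=printer-02.example.internal\n"
)


def parse_time(value):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per issued certificate recorded in the index."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        reason = revoked.partition(",")[2] or None
        records.append({"status": status, "not_after": parse_time(expiry),
                        "reason": reason, "serial": serial, "subject": subject})
    return records


def classify(records, now, warn_days=30):
    """Bucket serials: revoked, expired, due for renewal, or ok."""
    report = {"ok": [], "renew": [], "expired": [], "revoked": []}
    for rec in records:
        if rec["status"] == "R":
            bucket = "revoked"
        elif rec["not_after"] <= now:
            # Covers status "E" and entries still marked "V" in a stale index.
            bucket = "expired"
        elif rec["not_after"] - now <= timedelta(days=warn_days):
            bucket = "renew"
        else:
            bucket = "ok"
        report[bucket].append(rec["serial"])
    return report


if __name__ == "__main__":
    now = datetime(2026, 2, 22, tzinfo=timezone.utc)  # fixed, constructed "today"
    print(classify(parse_index(SAMPLE_INDEX), now))
```

Serial 1003 is still marked valid in the sample but is past its expiry date, which is the case a stale index hides; the same report can double as audit evidence of issued, renewed and revoked certificates.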
Audit / evidence tips
- Ask: the list of all issued certificates: Request the document or system report showing which certificates have been issued and to whom
  Good: A comprehensive, current list with details for each certificate, indicating who or what device it corresponds to
- Ask: the network configuration settings: Request documentation or a demonstration of the network's settings for certificate verification
  Good: Settings that clearly show certificate verification is active and operational
- Ask: training records for staff awareness: Request evidence of employee training on the importance of certificates
  Good: Records showing regular training sessions with clear information about certificates and their role
- Ask: alerts or logs related to expired certificates: Request reports or logs about any certificates that were renewed or expired
  Good: Logs showing proactive renewals and no instances of service disruption due to expired certificates
- Ask: purchase agreements of network equipment: Request documents detailing procurement specs for new equipment
  Good: Purchase documents indicating that all new equipment is capable of supporting digital certificates
Cross-framework mappings
How ISM-1323 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
Partially meets (3)

| Control | Notes |
|---|---|
| Annex A 8.3 | ISM-1323 requires certificates for devices and users accessing wireless networks, restricting who/what can join the WLAN |
| Annex A 8.20 | ISM-1323 requires that devices and users present certificates to access wireless networks, enforcing strong, credential-based network adm... |
| Annex A 8.21 | ISM-1323 mandates certificate-based authentication for wireless network access by users and devices |