ISM-1324 policy ASD Information Security Manual (ISM)

Certificate Generation for Secure Authentication

Certificates must be created using approved secure tools to verify identities.


Plain language

This control is all about using trusted methods to create digital certificates. These certificates are like secure ID cards for your computer systems, making sure only authorised users can access your services. If you don't use a secure method for creating these certificates, you risk opening the door to cyber-attacks where intruders can pretend to be legitimate users.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Certificates are generated using an evaluated certificate authority or hardware security module.

Why it matters

Weak certificate generation (using a non-evaluated CA or HSM) enables forged identities and man-in-the-middle (MITM) attacks, leading to unauthorised access and data compromise.


Operational notes

Use only evaluated CA/HSMs; restrict key access, log issuance, and rotate/revoke certificates before expiry or on suspected compromise.


Implementation tips

  • IT Managers should ensure certificates are generated using approved tools. This means selecting a certificate authority (CA) that has been evaluated as secure by industry standards. They can research reputable CAs online and read reviews to select one that meets required security benchmarks.
  • Technical staff should verify the use of hardware security modules (HSMs). An HSM safeguards your certificates' private keys by storing them in a separate, secure hardware device. To implement this, have the IT team contact vendors who provide HSMs and follow the installation guidelines for their systems.
  • Organisation leadership should designate someone to oversee certificate issuance. This person, often an IT manager, should be trained on the processes necessary to generate and distribute certificates securely. Provide this training by enrolling them in cybersecurity courses offered by the Australian Cyber Security Centre (ACSC) or similar institutions.
  • Procurement staff should maintain records of approved certificate authorities and hardware security modules. They need to keep a list of all devices or services with valid contracts and licences. Make sure these records are updated whenever there's a change or renewal of services.
  • System administrators need to regularly review and update the certificates. They should verify that all certificates are renewed before expiration and align with the organisation's security policies. Use calendar reminders and dedicate monthly checkpoints to ensure compliance.

Audit / evidence tips

  • Ask for: the list of approved certificate authorities being used. Good evidence: a documented list showing CA names and verification dates.
  • Good evidence: a detailed demonstration or step-by-step guide that matches industry-recommended methods.
  • Ask for: the training records of the person overseeing certificate generation. Good evidence: a certificate or transcript from a reputable source such as the ACSC.
  • Ask for: the logs of certificate issuance and renewals. Good evidence: a log file or report showing timely renewals and no expired certificates.
  • Ask for: records of devices or services covered by approved certificates. Good evidence: a comprehensive document listing each covered device or service with valid certificate details.

Cross-framework mappings

How ISM-1324 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.24: ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module, focusing on the secu...

Supports (2)
  • Annex A 5.17: ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module to ensure authenticat...
  • Annex A 8.5: ISM-1324 requires certificates to be generated using an evaluated certificate authority or hardware security module to support secure, tr...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
