ISM-1327, an ASD Information Security Manual (ISM) policy control

Secure Certificates for Network Authentication

Certificates must be secured using access controls, encryption, and authentication to prevent unauthorised access.


Plain language

Certificates are a bit like digital ID cards that help keep data secure by making sure only the right people can access the network. If these certificates aren't protected properly, unauthorised people might gain access to sensitive information, which could lead to data breaches or compromise your business's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Certificates are protected by logical and physical access controls, encryption, and user authentication.

Why it matters

If certificates for network authentication are not securely protected, attackers can steal or forge them to impersonate users, enabling unauthorised access and data breaches.


Operational notes

Restrict certificate private key access with least privilege, MFA, and encryption at rest; secure HSM/keystores; audit access and rotate/revoke certificates promptly on compromise.
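As an added example (not part of the ISM or of this Control Stack page), a small Python audit that walks a directory of PEM files and flags private keys that are readable by group or other users, or that are stored without passphrase encryption: two of the checks behind the least-privilege and encryption-at-rest points above. The directory layout, file names and placeholder key bodies are constructed assumptions, not real keys.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder PEM bodies (not real keys); only the PEM headers matter here.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
PKCS8_ENC_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_ENC_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n...\n-----END RSA PRIVATE KEY-----\n"
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n"

def is_private_key(pem_text):
    return "PRIVATE KEY-----" in pem_text  # PKCS#8 or legacy "RSA/EC PRIVATE KEY" blocks

def is_encrypted(pem_text):
    # Encrypted PKCS#8 uses its own block type; legacy keys flag "Proc-Type: 4,ENCRYPTED".
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text

def audit_keystore(directory):
    """Return (filename, issue) pairs for private keys that are group/other readable or unencrypted."""
    findings = []
    for path in sorted(Path(directory).glob("*.pem")):
        text = path.read_text(errors="replace")
        if not is_private_key(text):
            continue  # public certificates may be world-readable; only keys are checked
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path.name, "group/other permission bits set (%o)" % mode))
        if not is_encrypted(text):
            findings.append((path.name, "private key stored unencrypted"))
    return findings

def build_sample_keystore():
    # Writes the constructed samples into a temp dir with deliberately mixed file modes.
    d = Path(tempfile.mkdtemp(prefix="keystore-"))
    samples = {
        "cert.pem": (CERT_ONLY, 0o644),                # public cert: wide read is acceptable
        "good.pem": (PKCS8_ENC_KEY, 0o600),            # encrypted, owner-only: compliant
        "legacy.pem": (LEGACY_ENC_KEY, 0o600),         # legacy encrypted, owner-only: compliant
        "plain.pem": (PLAIN_KEY, 0o600),               # owner-only but unencrypted at rest
        "world_readable.pem": (PKCS8_ENC_KEY, 0o644),  # encrypted but readable by everyone
    }
    for name, (body, mode) in samples.items():
        target = d / name
        target.write_text(body)
        os.chmod(target, mode)
    return d

def run_demo():
    return audit_keystore(build_sample_keystore())
```

Running `run_demo()` on the constructed keystore reports `plain.pem` as unencrypted and `world_readable.pem` for its permission bits, and nothing for the compliant or certificate-only files.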


Implementation tips

  • IT team should establish access controls: They need to ensure that only authorised personnel have access to the certificates. This can be done by setting up user accounts with passwords and permissions, limiting who can view or modify the certificates.
  • IT team should implement encryption: This means encoding the certificates so only people with the correct key or password can read them. They can use software tools that automatically encrypt the certificates stored on servers or computers.
  • System owner should ensure regular audits: They need to schedule regular checks to confirm that the access controls and encryption measures are in place and functioning effectively. This could involve reviewing logs or system access reports monthly.
  • IT manager should facilitate user training: They should organise training sessions for staff on how to handle digital certificates securely. The focus should be on safe storage practices and recognising suspicious activities.
  • Procurement should verify security features: When acquiring new software or hardware that uses certificates, confirm that they support robust encryption and user authentication features. This means checking specifications and asking vendors about how they secure certificates.

Audit / evidence tips

  • Ask for user access logs to the certificate store: request documentation that shows who has accessed or tried to access certificates. Good evidence: logs confirming only authorised users have accessed the certificates, with no unexplained access attempts.
  • Ask to see the encryption protocol details for how certificates are protected. Examine the type of encryption used and whether it matches industry standards, such as AES-256. Good evidence: documentation showing use of strong, currently accepted encryption methods.
  • Ask for a list of trained personnel: request records of staff who have completed security training related to handling certificates. Good evidence: an up-to-date list showing all relevant staff received training within the last year.
  • Ask for a recent internal or external audit report regarding certificate security practices. Good evidence: a report within the last six months showing effective safeguards with minor or no findings.
  • Ask for vendor security documentation: request information from vendors on how their systems support certificate security. Good evidence: vendor documentation confirming products meet or exceed your organisation's security requirements.

Cross-framework mappings

How ISM-1327 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (5)

  • Annex A 5.15: requires rules and procedures to control physical and logical access to information and associated assets
  • Annex A 5.17: requires management processes for authentication information and guiding personnel on correct handling
  • Annex A 7.2: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...
  • Annex A 7.3: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...
  • Annex A 8.5: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...

Related (1)

  • Annex A 8.3: requires access to information and associated assets to be restricted in accordance with an established access control policy

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
