Control Stack
ISM-1327 ASD Information Security Manual (ISM)

Secure Certificates for Network Authentication

Certificates must be secured using access controls, encryption, and authentication to prevent unauthorised access.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Certificates are protected by logical and physical access controls, encryption, and user authentication.

Source: ASD Information Security Manual (ISM)

Plain language

Certificates are a bit like digital ID cards that help keep data secure by making sure only the right people can access the network. If these certificates aren't protected properly, unauthorised people might gain access to sensitive information, which could lead to data breaches or compromise your business's reputation.

Why it matters

If certificates for network authentication are not securely protected, attackers can steal or forge them to impersonate users, enabling unauthorised access and data breaches.

Operational notes

Restrict certificate private key access with least privilege, MFA, and encryption at rest; secure HSM/keystores; audit access and rotate/revoke certificates promptly on compromise.

Implementation tips

  • IT team should establish access controls: They need to ensure that only authorised personnel have access to the certificates. This can be done by setting up user accounts with passwords and permissions, limiting who can view or modify the certificates.
  • IT team should implement encryption: This means encoding the certificates so only people with the correct key or password can read them. They can use software tools that automatically encrypt the certificates stored on servers or computers.
  • System owner should ensure regular audits: They need to schedule regular checks to confirm that the access controls and encryption measures are in place and functioning effectively. This could involve reviewing logs or system access reports monthly.
  • IT manager should facilitate user training: They should organise training sessions for staff on how to handle digital certificates securely. The focus should be on safe storage practices and recognising suspicious activities.
  • Procurement should verify security features: When acquiring new software or hardware that uses certificates, confirm that they support robust encryption and user authentication features. This means checking specifications and asking vendors about how they secure certificates.
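The operational notes and the first two implementation tips above come down to two checks an administrator can actually run against a certificate store: is each private key file readable only by its owner (least privilege), and is it encrypted at rest. The following POSIX shell script is an added example, not code from Control Stack or the ISM, that audits a directory of PEM key files for exactly those two properties. It assumes keys are stored as *.key or *.pem files, that "encrypted at rest" is evidenced by a PKCS#8 "ENCRYPTED PRIVATE KEY" header or a legacy OpenSSL "Proc-Type: 4,ENCRYPTED" line, and that "least privilege" means no group or other permission bits on the file; the sample files it builds are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from Control Stack or the ISM: audit PEM private key
# files for two of the protections ISM-1327 asks for, least-privilege file access
# and encryption at rest. Assumptions (not stated on the page): keys live as
# *.key / *.pem files; "encrypted at rest" means the PEM carries a PKCS#8
# "ENCRYPTED PRIVATE KEY" header or a legacy "Proc-Type: 4,ENCRYPTED" line;
# "least privilege" means no group/other permission bits on the file.

# Return 0 if the PEM file is an encrypted private key, 1 otherwise.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if only the owner has any permission bits on the file.
key_mode_is_owner_only() {
    # Characters 5-10 of the ls -l mode field are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check one key file; print PASS/FAIL/SKIP and return 0 (pass or skip) or 1 (fail).
audit_key_file() {
    key="$1"
    reasons=""
    if ! grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo "SKIP $key: not a PEM private key"
        return 0
    fi
    key_mode_is_owner_only "$key" || reasons="$reasons group/other permission bits set;"
    key_is_encrypted "$key"       || reasons="$reasons private key stored unencrypted;"
    if [ -n "$reasons" ]; then
        echo "FAIL $key:$reasons"
        return 1
    fi
    echo "PASS $key"
}

# Check every *.key and *.pem file in a directory; return the number of failures.
audit_key_dir() {
    dir="$1"
    failures=0
    for path in "$dir"/*.key "$dir"/*.pem; do
        [ -e "$path" ] || continue        # an unmatched glob stays literal; skip it
        audit_key_file "$path" || failures=$((failures + 1))
    done
    echo "audit: $failures key file(s) failed in $dir"
    return "$failures"
}

# Constructed sample files for demonstration. The bodies are placeholders,
# not real key material; only the headers and file modes matter to the checks.
make_sample_keys() {
    dir="$1"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'PLACEHOLDER-BODY-NOT-A-REAL-KEY' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/good.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,PLACEHOLDER' '' \
        'PLACEHOLDER-BODY-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/legacy.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'PLACEHOLDER-BODY-NOT-A-REAL-KEY' \
        '-----END PRIVATE KEY-----' > "$dir/plain.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'PLACEHOLDER-BODY-NOT-A-REAL-KEY' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/loose.key"
    chmod 600 "$dir/good.key" "$dir/legacy.pem" "$dir/plain.key"
    chmod 644 "$dir/loose.key"       # readable by every local account: fails the check
}

# Demo run against the constructed samples (touches no real key store).
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
audit_key_dir "$demo_dir" || echo "demo: $? file(s) need attention"
rm -rf "$demo_dir"
```

Run as `sh audit_keys.sh` to see the demo, or source it and call `audit_key_dir /path/to/keystore` from a scheduled job; the non-zero return count is convenient for the monthly review the system owner schedules, and the FAIL lines are the evidence an auditor asks for. The script only inspects headers and modes; it deliberately never reads or decrypts key material, so it is safe to run under a low-privilege service account that has read access to the store.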

Audit / evidence tips

  • Ask: user access logs for the certificate store. Request documentation that shows who has accessed or tried to access certificates

    Good: logs confirming only authorised users have accessed the certificates, with no unexplained access attempts

  • Ask: the encryption details for how certificates and their private keys are protected. Examine the type of encryption used and whether it matches industry standards, such as AES-256

    Good: documentation showing use of strong, currently accepted encryption methods

  • Ask: a list of trained personnel. Request records of staff who have completed security training related to handling certificates

    Good: an up-to-date list showing all relevant staff received training within the last year

  • Ask: a recent internal or external audit report regarding certificate security practices

    Good: a report within the last six months showing effective safeguards with minor or no findings

  • Ask: vendor security documentation. Request information from vendors on how their systems support certificate security

    Good: vendor documentation confirming products meet or exceed your organisation’s security requirements

Cross-framework mappings

How ISM-1327 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.15: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...

Partially overlaps (4)

  • Annex A 5.17: Annex A 5.17 requires management processes for authentication information and guiding personnel on correct handling
  • Annex A 7.2: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...
  • Annex A 7.3: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...
  • Annex A 8.5: ISM-1327 requires certificates used for network authentication to be protected using logical and physical access controls, encryption, an...

Related (1)

  • Annex A 8.3: Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an established access control policy
