ISM-1369 policy ASD Information Security Manual (ISM)

Ensure TLS Connections Use AES-GCM Encryption

Use AES-GCM to securely encrypt information sent over TLS connections.


Plain language

This control is about making sure the information you send over the internet is hard for others to read, by using a type of encryption called AES-GCM. This matters because if your data isn't properly protected, cybercriminals could intercept and misuse sensitive information, such as customer details or financial data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

AES-GCM is used for encryption of TLS connections.

Why it matters

If TLS does not use AES-GCM, weaker ciphers may be negotiated, increasing the risk of traffic decryption or tampering and data exposure.


Operational notes

Regularly review server/client TLS cipher suites to ensure AES-GCM is enabled and preferred; monitor config changes and disable legacy CBC/RC4 suites.


Implementation tips

  • The IT team should review all systems that use Transport Layer Security (TLS) and ensure they are configured to use AES-GCM for encryption. They should check the configuration settings of each system or application and update them if necessary to support AES-GCM, following guidance from vendor documentation or security best practices.
  • System administrators should verify that their current TLS certificates support AES-GCM encryption. They can do this by checking the details of the certificate through server configuration files or using online tools that analyse the security of TLS connections.
  • IT staff should work with software vendors to ensure that applications are up-to-date and support AES-GCM encryption. They should consult with vendors to understand the technical requirements and update processes to enable this feature in any third-party applications used by the organisation.
  • Network administrators should conduct periodic checks to confirm that AES-GCM is actually being used in TLS connections. They can use network monitoring tools or logging features built into security software to examine TLS traffic and ensure AES-GCM is the encryption method.
  • The IT manager should organise regular security training sessions for IT staff on the importance of using strong encryption like AES-GCM. These sessions should cover how encryption protects data and the specific steps staff need to take to ensure compliance with this control.
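The operational note and the implementation tips above both come down to one check: which cipher suites a system offers, whether AES-GCM is among them and preferred, and whether legacy CBC/RC4 suites are still enabled. The following Python is an added example for this control, not code from the Control Stack page or from the ASD ISM. It classifies OpenSSL/IANA-style suite names, audits an ordered list such as one copied from a server configuration or a TLS scan report (the SAMPLE_SUITES list is constructed input), and can also audit the suites a local OpenSSL-backed ssl.SSLContext would actually offer. The strict verdict treats any non-AES-GCM suite as a finding, which is the literal reading of the control statement; the cipher string used for the hardened context is an assumption for this example.

```python
"""Audit TLS cipher-suite configuration against the AES-GCM requirement.

Added example for ISM-1369; not code from the Control Stack page or the ASD
ISM. Classifies OpenSSL/IANA-style suite names as AES-GCM, legacy CBC, RC4
or other, reports what would have to be removed, and can audit the suites a
local ssl.SSLContext really offers.
"""
import ssl

# Constructed sample input resembling the suite list a server config or a
# TLS scan report would show (not taken from any real system).
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-SHA384",        # AES in CBC mode: legacy
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3 AES-GCM
    "ECDHE-RSA-AES128-GCM-SHA256",    # TLS 1.2 AES-GCM
    "AES128-SHA",                     # AES-CBC without forward secrecy: legacy
    "RC4-SHA",                        # RC4: legacy, broken
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # AEAD, but not AES-GCM
]


def classify(suite: str) -> str:
    """Map a cipher suite name to the coarse category the audit uses."""
    name = suite.upper()
    if "RC4" in name:
        return "rc4"
    if "NULL" in name:
        return "null"           # no encryption at all
    if "AES" in name and "GCM" in name:
        return "aes-gcm"
    if "CCM" in name or "CHACHA20" in name:
        return "aead-other"     # authenticated encryption, but not AES-GCM
    if any(alg in name for alg in ("AES", "DES", "CAMELLIA", "SEED", "ARIA")):
        return "cbc"            # block-cipher suites without GCM/CCM are CBC
    return "other"


def audit(suites):
    """Audit an ordered suite list (most preferred first).

    Returns the AES-GCM suites, the legacy CBC/RC4/NULL suites the operational
    note says to disable, every suite that is not AES-GCM, whether the most
    preferred suite is AES-GCM, and a strict verdict: AES-GCM present and
    nothing else enabled.
    """
    classes = [(s, classify(s)) for s in suites]
    gcm = [s for s, c in classes if c == "aes-gcm"]
    legacy = [s for s, c in classes if c in ("cbc", "rc4", "null")]
    non_gcm = [s for s, c in classes if c != "aes-gcm"]
    return {
        "aes_gcm_suites": gcm,
        "legacy_suites": legacy,
        "non_gcm_suites": non_gcm,
        "preferred_is_gcm": bool(suites) and classify(suites[0]) == "aes-gcm",
        "compliant": bool(gcm) and not non_gcm,
    }


def audit_context(cipher_string: str):
    """Audit what a local OpenSSL-backed ssl.SSLContext would actually offer.

    The TLS 1.2 suites come from cipher_string. OpenSSL adds its TLS 1.3
    suites (AES-GCM and ChaCha20-Poly1305) regardless, because Python's ssl
    module exposes no API for the TLS 1.3 suite list, so the report shows
    what a client built on this context would really negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return audit([c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    report = audit(SAMPLE_SUITES)
    print("legacy suites to disable:", report["legacy_suites"])
    print("non-AES-GCM suites:", report["non_gcm_suites"])
    print("compliant:", report["compliant"])
    # AES-GCM-only OpenSSL cipher string for TLS 1.2 (assumed hardened value).
    print("hardened context:", audit_context("ECDHE+AESGCM:!aNULL:!MD5"))
```

Run against a suite list exported from each TLS endpoint, the legacy_suites entry is the remediation list and the strict compliant flag is the evidence value to record; the audit_context output also shows why a configuration review must cover TLS 1.3 suites separately from the classic cipher string.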

Audit / evidence tips

  • Ask: The network configuration documentation. Review the files that detail TLS setup and encryption methods. Good: A clear setting showing AES-GCM in use across relevant systems.
  • Ask: The network security monitoring reports. These should show recent checks on TLS traffic. Good: Results show consistent use of AES-GCM over time with no exceptions.
  • Ask: Records showing discussions with vendors about enabling AES-GCM.
  • Ask: Training records for IT staff. Request evidence of training sessions that cover encryption practices, specifically AES-GCM. Good: Records include recent training attendance and topics showing AES-GCM as covered content.

Cross-framework mappings

How ISM-1369 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.9
Relationship: Partially meets
Notes: ISM-1369 requires that TLS connections use AES-GCM encryption, which is a specific security configuration for network services.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
