ISM-1374 ASD Information Security Manual (ISM)

Use SHA-2 Certificates for Secure TLS Connections

Use secure certificates to prevent eavesdropping on data sent over the internet.


Plain language

When you use the internet to send or receive information, there's always a risk someone could be snooping on that data. Using SHA-2 certificates for your website's secure connections helps keep your information safe from prying eyes, like encrypting your messages so only the intended recipient can read them.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

SHA-2-based certificates are used for TLS connections.
ASD Information Security Manual (ISM) ISM-1374

Why it matters

Without SHA-2 TLS certificates, attackers can exploit weak/legacy hashes to impersonate services or intercept traffic, increasing risk of data breach and loss of trust.


Operational notes

Regularly verify TLS certificates use SHA-2 (e.g., SHA-256/SHA-384) and replace any SHA-1-signed certificates; enforce this via scanner checks and CA policy.


Implementation tips

  • IT Manager: Ensure your website and servers are using SHA-2 certificates. Check with your web hosting provider or certificate authority to upgrade from older certificates to SHA-2 if necessary. This ensures your online communications are properly encrypted.
  • Procurement Officer: Purchase SSL/TLS certificates that are signed using a SHA-2 hash algorithm. When buying a new certificate, confirm with the supplier that it supports this standard to avoid insecure connections.
  • IT Team: Regularly update the server's certificate settings. Set a reminder to review your certificates every year and ensure they're using SHA-2. This keeps your server's communications secure.
  • System Administrator: Test your system to ensure SHA-2 certificates are active. Use online tools or software to scan your website's certificates and confirm they are SHA-2 compliant, fixing any errors found.
  • Business Owner: Educate staff on the importance of secure connections. Hold a simple training session to explain how using SHA-2 helps protect the business and customer data when online.

Audit / evidence tips

  • Ask: The current SSL/TLS certificates. Request copies of the active certificates used by your organisation's servers. Good: All certificates show SHA-2 as their hashing algorithm.
  • Ask: A server configuration report. Request a report showing the server settings for encryption protocols. Good: The report confirms only SHA-2 certificates are accepted for secure connections.
  • Ask: Supplier verification documents. Request documentation from the certificate authority confirming the issue of SHA-2 certificates. Good: Documents show your organisation's name and SHA-2 compliance.
  • Ask: An IT maintenance log. Request the log showing the last audit or review of certificate configurations. Good: Log entries confirm regular checks and upgrades to SHA-2 when necessary.
  • Ask: A staff training record. Request evidence of recent training sessions on secure connections. Good: Records verify that training included information on SHA-2 and its security benefits.

Cross-framework mappings

How ISM-1374 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-1374 requires that SHA-2-based certificates are used for TLS connections to protect data in transit from eavesdropping

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.