Use SHA-2 for Secure TLS Connections
TLS connections must use SHA-2 for the HMAC and pseudorandom function (PRF), the components that authenticate each record and derive the session keys.
Plain language
This control means that when you are using secure connections over the internet, the technology behind them should use something called SHA-2, which works like a tamper-evident seal: it lets both ends check that messages have not been altered and is used to derive the keys that keep information private. It's important because if the technology used is outdated or weak, then data could be stolen or changed by cyber criminals, leading to data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections.
Why it matters
Using outdated hash algorithms for TLS like SHA-1 can lead to vulnerabilities, risking data confidentiality and integrity during internet communications.
Operational notes
Verify TLS is configured to use SHA-2 for HMAC/PRF and monitor for unexpected downgrade to SHA-1 in negotiated cipher suites.
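As an added example (not part of the ISM or this page), the script below shows one way to carry out this note: it classifies negotiated protocol/cipher pairs of the kind a web server logs, flagging TLS 1.0/1.1 (whose PRF is MD5/SHA-1) and the TLS 1.2 CBC suites whose record HMAC is SHA-1, and it audits a local Python `ssl.SSLContext` for SHA-1 or MD5 MAC suites. The sample log lines are constructed and follow the shape of nginx's `$ssl_protocol $ssl_cipher` variables; the OpenSSL cipher-string used in `hardened_context` is an assumed policy, not one the page prescribes.

```python
"""Audit negotiated TLS cipher suites for SHA-1 HMAC/PRF use (ISM-1375)."""
import re
import ssl

# Constructed sample in the shape of nginx's "$ssl_protocol $ssl_cipher"
# log fields; these are not records from any real system.
SAMPLE_LOG = """\
TLSv1.3 TLS_AES_256_GCM_SHA384
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
TLSv1.2 ECDHE-RSA-AES256-SHA
TLSv1.2 AES128-SHA256
TLSv1 AES128-SHA
TLSv1.1 ECDHE-RSA-AES128-SHA
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def assess(protocol, cipher):
    """Classify one negotiated protocol/cipher pair; returns (compliant, reason).

    - TLS 1.0/1.1 derive keys with an MD5+SHA-1 PRF, so they fail regardless
      of the suite.
    - TLS 1.3 suites all use HKDF over SHA-256/SHA-384 (AEAD, no HMAC).
    - TLS 1.2 uses a SHA-256 PRF by default (SHA-384 for *_SHA384 suites);
      only legacy CBC suites whose OpenSSL name ends in a plain "-SHA" (or
      carries MD5) still compute the record MAC with SHA-1/MD5.
    """
    if protocol in LEGACY_PROTOCOLS:
        return False, f"{protocol} PRF is MD5/SHA-1; requires TLS 1.2 or 1.3"
    if protocol == "TLSv1.3":
        return True, "TLS 1.3 key schedule uses SHA-2 (HKDF)"
    if protocol == "TLSv1.2":
        if "MD5" in cipher:
            return False, "record MAC uses MD5"
        if re.search(r"[-_]SHA$", cipher):
            return False, "record HMAC uses SHA-1"
        return True, "SHA-2 HMAC/PRF"
    return False, f"unrecognised protocol {protocol!r}"


def scan_log(text):
    """Return one finding per non-compliant line in a protocol/cipher log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        protocol, cipher = parts
        ok, reason = assess(protocol, cipher)
        if not ok:
            findings.append({"line": lineno, "protocol": protocol,
                             "cipher": cipher, "reason": reason})
    return findings


def weak_mac_ciphers(ctx):
    """Names of suites a local SSLContext still offers whose MAC is SHA-1/MD5.

    SSLContext.get_ciphers() exposes the same text as `openssl ciphers -v`
    in the 'description' field, e.g. "... Enc=AES(256) Mac=SHA1".
    """
    return [c["name"] for c in ctx.get_ciphers()
            if re.search(r"Mac=(SHA1|MD5)\b", c["description"])]


def hardened_context():
    """Server context limited to TLS 1.2+ with SHA-1/MD5 MAC suites excluded.

    The cipher string is an assumed policy for illustration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL keyword SHA1 matches suites whose MAC is SHA-1; excluding it
    # leaves AEAD suites (GCM/ChaCha20) whose PRF is SHA-256 or SHA-384.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!SHA1:!MD5:!aNULL")
    return ctx


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['protocol']} {f['cipher']} -> {f['reason']}")
    print("default context offers SHA-1/MD5 MAC suites:",
          weak_mac_ciphers(ssl.create_default_context()))
    print("hardened context offers SHA-1/MD5 MAC suites:",
          weak_mac_ciphers(hardened_context()))
```

Feeding real `$ssl_protocol $ssl_cipher` fields into `scan_log` gives the downgrade monitoring the note asks for; running `weak_mac_ciphers` against the context an application actually uses shows whether SHA-1 MAC suites could still be negotiated before any client connects.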
Implementation tips
- The IT team should ensure that all software used for secure internet connections, such as web and email servers, is configured to use the SHA-2 hashing algorithm. This can be done by checking the software settings and upgrading or applying patches if necessary.
- Business owners should consult with a trusted IT consultant to review their current internet security systems to verify if SHA-2 is being used. Set up an initial assessment to discuss any needed changes and potential risks of not updating.
- System administrators should update the configuration settings of any Transport Layer Security (TLS) connections to use SHA-2 as the secure hashing method. This involves accessing server configuration files and adjusting the security suite settings accordingly.
- The procurement team should make sure that new technology purchases, especially those involving secure communications, are specified to support SHA-2. This includes checking product specifications and confirming it with the vendor before purchase.
- Office managers should schedule regular check-ins with the IT team to ensure that all systems remain compliant with security standards by using SHA-2 for TLS, assisting in maintaining an ongoing security posture.
Audit / evidence tips
- Ask for: the server configuration documentation. Request documents that show the server's setup for secure connections.
  Good evidence: includes a documented list indicating SHA-2 as the preferred hashing algorithm.
- Ask for: a report from the IT security audit confirming SHA-2 implementation. Request the latest security audit report.
  Good evidence: would clearly highlight where SHA-2 is used throughout secure systems.
- Ask for: the purchase orders for recent IT systems. These should show specifications or requirements for SHA-2 support.
  Good evidence: should have comprehensive documentation backing the SHA-2 requirement.
- Ask for: the security policy documents. Check that the organisational security policy mandates the use of SHA-2 for all relevant systems.
  Good evidence: includes a clearly outlined policy specifying SHA-2 as a mandatory standard.
- Ask for: evidence of any recent IT staff training. Examine training session outlines or modules that cover secure TLS practices, including SHA-2.
  Good evidence: is detailed training records showing SHA-2 knowledge has been shared with the IT staff.
Cross-framework mappings
How ISM-1375 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-1375 requires organisations to use SHA-2 for the HMAC and PRF in TLS connections to ensure strong cryptographic protection for secure... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.