Protect Online Services from Domain Hijacking
Ensure online service domain security by locking registration and verifying details.
Plain language
This control is about making sure your online business or service stays under your control, avoiding a situation where someone else takes over your domain name. Imagine if someone hijacked your website's address; customers could be misled, and your reputation could be damaged. It’s important to lock your domain and confirm all registration details to prevent this from happening.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Official control statement
Domain names for online services are protected via registrar locking and confirming that domain registration details are correct.
Why it matters
Without registrar lock and accurate registrant details, attackers can hijack domains, redirect users to fake sites, and damage trust and revenue.
Operational notes
Enable registrar lock (at the registry this appears as the EPP statuses clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited, visible in WHOIS/RDAP output), restrict registrar account access, and regularly verify that registrant/admin contact details, nameserver delegation and DNS settings match the expected values held in the organisation's own records.
Implementation tips
- Domain owners should work with their domain registrar to enable domain locking. This usually involves logging into the registrar account and activating the locking feature (often called registrar lock or transfer lock), which prevents unauthorised transfers, updates and deletions until the lock is deliberately removed.
- The financial manager or business owner should make sure all contact and payment details for domain registration are up-to-date. This includes checking the primary contact email address is one that is monitored regularly and updating any payment information promptly.
- The IT manager or website administrator should schedule regular audits of domain registration details. This involves setting a calendar reminder each quarter to log in to the domain registrar's portal and verify that all information is correct and hasn’t been altered.
- Business owners should use multi-factor authentication (MFA) for accessing domain registrar accounts. This requires using an extra security step, like a phone app or physical token, along with a password to ensure that no one but authorised personnel can access the account.
- Procurement should keep a record of all communication and contracts with the domain registrar. Ensure there’s a clear document trail that includes confirmations of domain locking and any recent updates to account details.
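A scripted version of the quarterly check described in the operational notes and implementation tips, added here as an example; it is not part of the ISM or of this page. It reads an RDAP domain record (RFC 9083 object, status names per RFC 8056), confirms the three EPP lock statuses are present, compares the delegated nameservers against the organisation's expected set, and warns when expiry is near. The sample record, the expected nameserver list, the audit date and the 60-day threshold are constructed for the example; a live check would fetch the record from the registry's or registrar's RDAP service instead.

```python
"""Registrar-lock and nameserver-drift check over an RDAP domain record.

Added example, not from the ISM or the Control Stack page. Assumes an RDAP
domain object (RFC 9083) with status values named per RFC 8056. The record
below is constructed for this example, not a real registry response.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# EPP lock statuses in their RDAP names (RFC 8056). "transfer" blocks
# hijack via transfer to another registrar, "update" blocks nameserver and
# contact changes, "delete" blocks deletion followed by re-registration.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Expected nameservers, as held in the organisation's change-controlled record
# (assumed values for the example).
EXPECTED_NS = {"ns1.example.net", "ns2.example.net"}

# Date of the audit run (fixed so the example is reproducible).
AUDIT_NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)

# Constructed sample RDAP response: one lock missing, one nameserver changed.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE.NET"},
    {"objectClassName": "nameserver", "ldhName": "ns2.attacker.example"}
  ],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-04-01T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2026-03-10T12:00:00Z"}
  ]
}
""")


def missing_locks(rdap: dict) -> set:
    """Return the required lock statuses that are NOT set on the domain."""
    present = {s.lower() for s in rdap.get("status", [])}
    return REQUIRED_LOCKS - present


def nameserver_drift(rdap: dict, expected: set) -> tuple:
    """Return (unexpected, absent) nameserver sets, compared case-insensitively."""
    actual = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    wanted = {e.lower().rstrip(".") for e in expected}
    return actual - wanted, wanted - actual


def days_to_expiry(rdap: dict, now: datetime) -> Optional[int]:
    """Days until the 'expiration' event, or None if the record carries none."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (exp - now).days
    return None


def audit(rdap: dict, expected_ns: set, now: datetime, min_days: int = 60) -> list:
    """Return a list of findings; an empty list means the domain passes."""
    findings = []
    for lock in sorted(missing_locks(rdap)):
        findings.append(f"lock not set: {lock}")
    unexpected, absent = nameserver_drift(rdap, expected_ns)
    for ns in sorted(unexpected):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(absent):
        findings.append(f"expected nameserver missing: {ns}")
    days = days_to_expiry(rdap, now)
    if days is None:
        findings.append("no expiration event in record")
    elif days < min_days:
        findings.append(f"expires in {days} days (threshold {min_days})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RDAP, EXPECTED_NS, AUDIT_NOW):
        print(f"{SAMPLE_RDAP['ldhName']}: {finding}")
```

Run against the sample it reports the missing update lock, the swapped second nameserver and the imminent expiry; run on a schedule against live RDAP output with the organisation's own expected values, a non-empty findings list is the trigger for the audit trail the evidence tips below ask for.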
Audit / evidence tips
- Ask: a recent domain registration record. Request the document or screenshot showing the current registered details.
  Good: includes up-to-date contact details and a recent date indicating regular review.
- Ask: a domain lock confirmation. Request evidence, such as an activation email or screenshot from the domain registrar, showing that domain locking is enabled.
  Good: a confirmation showing the domain lock is on, for example a registrar screenshot or WHOIS/RDAP output listing the clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited statuses.
- Ask: logs of domain access. Request logs or records that indicate who accessed the domain settings and when.
  Good: contains logs showing regular checks with no unauthorised changes.
- Ask: the MFA configuration for the domain account. Request evidence that multi-factor authentication is set up for the account login.
  Good: includes screenshots or emails confirming MFA setup.
- Ask: communication history with the domain registrar. Request emails, support tickets, or other records showing interaction with the registrar.
  Good: contains clear communication about domain security.
Cross-framework mappings
How ISM-1432 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Relationship: Partially meets (2)

| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-1432 requires organisations to protect online service domain names by using registrar locking and confirming domain registration deta... |
| Annex A 5.18 | ISM-1432 focuses on preventing domain hijacking by locking domains at the registrar and validating the correctness of domain registration... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.