Ensure PFS is Enabled for TLS Connections
TLS connections must be set up to protect past data even if the server's private key is compromised.
Plain language
This control is about using something called Perfect Forward Secrecy (PFS) to protect data transferred online. It ensures that even if someone gets hold of the keys used to secure these transfers, they can't access past data. Without PFS, if a hacker steals a key, they could unlock all your previous communications, risking a breach of private or sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
Perfect Forward Secrecy (PFS) is used for TLS connections.
Why it matters
Without PFS, a stolen TLS private key can decrypt previously captured sessions, exposing historical sensitive data and enabling major breaches.
Operational notes
Audit TLS to allow only ECDHE/DHE suites (PFS) and disable RSA key exchange. Re-test after updates to ensure forward secrecy remains enabled.
Implementation tips
- IT Team should check if Perfect Forward Secrecy is supported: They need to review the configuration of your TLS (Transport Layer Security) settings on servers. To do this, update server configurations to only allow PFS-supporting cipher suites, which decide how your data is encrypted during transfer.
- System Owners should work with IT to ensure compatibility: Communicate with IT to confirm that all your systems and applications are compatible with the latest TLS configurations. Ensure any legacy systems are updated or replaced to support PFS.
- Procurement managers should include PFS as a requirement: When buying new systems or software, ensure vendors commit to PFS in their security specifications. Include this requirement in all tenders and contracts to ensure compliance.
- IT Team should regularly update software: Ensure all software and servers involved in data transmission are kept up-to-date with the latest security patches. This helps maintain the efficacy of PFS as vulnerabilities are discovered and fixed over time.
- Conduct regular training for IT staff: Organise sessions to keep the team informed about PFS and how to manage TLS settings effectively. Encourage them to document their processes and share insights to maintain consistent security standards.
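The operational notes and the first implementation tip both come down to one check: does every cipher suite the server offers use an ephemeral (ECDHE/DHE) key exchange? The following added example is not part of the Control Stack page or the ISM; it is illustrative code that classifies cipher suite names from a scan or a configuration dump by their key-exchange token, handling both IANA names (`TLS_ECDHE_RSA_WITH_...`) and OpenSSL names (`ECDHE-RSA-...`), and treats TLS 1.3 suites (`TLS_AES_...`, `TLS_CHACHA20_...`) as forward-secret because that protocol version only offers ephemeral key exchange. The `SAMPLE_SCAN` list is a constructed sample, not output from any real server, and `build_pfs_only_context` is an assumed way of expressing the ECDHE/DHE-only policy using Python's standard `ssl` module rather than any particular web server's configuration syntax.

```python
"""Classify TLS cipher suites by whether their key exchange gives Perfect
Forward Secrecy (PFS), and audit a suite list for non-PFS entries."""
import ssl

# Key-exchange tokens that denote an ephemeral (forward-secret) exchange.
# "EDH" is the legacy OpenSSL spelling of DHE.
EPHEMERAL_TOKENS = ("ECDHE", "DHE", "EDH")


def is_tls13_suite(name: str) -> bool:
    """TLS 1.3 suite names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange
    field at all because the protocol only offers (EC)DHE; they start with
    TLS_ and have no _WITH_ separator. Signalling values ending in _SCSV are
    not suites and are excluded."""
    n = name.upper()
    return n.startswith("TLS_") and "_WITH_" not in n and not n.endswith("_SCSV")


def provides_pfs(name: str) -> bool:
    """True if the suite's key exchange is ephemeral (ECDHE/DHE) or TLS 1.3."""
    n = name.upper()
    if is_tls13_suite(n):
        return True
    # Tokenise on both separators so that static "ECDH-RSA" is not mistaken
    # for "ECDHE-RSA" and anonymous "ADH" is not mistaken for "DHE".
    tokens = n.replace("-", "_").split("_")
    return any(t in EPHEMERAL_TOKENS for t in tokens)


def audit_suites(names):
    """Return the suites that do NOT provide PFS, in input order."""
    return [n for n in names if not provides_pfs(n)]


def build_pfs_only_context() -> ssl.SSLContext:
    """Assumed hardened server context: TLS 1.2+ with only ECDHE/DHE suites.
    TLS 1.3 suites are managed separately by OpenSSL and are PFS by design."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Audit the suites a Python SSLContext would actually offer."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())


# Constructed sample: suite names as a scanner might report them for a
# hypothetical server, mixing IANA and OpenSSL naming.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3: PFS
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ECDHE: PFS
    "DHE-RSA-AES256-GCM-SHA384",              # DHE: PFS
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static RSA key exchange: no PFS
    "AES128-SHA",                             # OpenSSL name for static RSA: no PFS
    "ECDH-RSA-AES128-SHA",                    # static ECDH: no PFS
]

if __name__ == "__main__":
    for suite in SAMPLE_SCAN:
        print(f"{'PFS   ' if provides_pfs(suite) else 'NO PFS'}  {suite}")
    print("Non-PFS suites in sample scan:", audit_suites(SAMPLE_SCAN))
    print("Non-PFS suites in hardened context:", audit_context(build_pfs_only_context()))
```

Feed `audit_suites` the suite names from a scanner report or from `openssl ciphers -v` on the server's configured string; a compliant configuration returns an empty list. Re-running it after each patch cycle covers the "re-test after updates" note above.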
Audit / evidence tips
- Ask: server configuration files. Review the settings to confirm PFS-enabled cipher suites are the only ones active.
  Good: will show PFS-only configurations without exceptions.
- Good: will include documentation showing that all key apps are updated and configured to use PFS.
- Good: includes documented obligations from suppliers to support PFS in their solutions.
- Ask: staff training logs.
  Good: demonstrates regular sessions, attendance records, and updated training materials.
- Good: highlights a recent analysis that confirms no unsupported cipher suites are enabled.
Cross-framework mappings
How ISM-1453 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-1453 requires Perfect Forward Secrecy (PFS) to be used for TLS connections so past sessions remain protected even if a server private... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.