Control Stack: ISM-1453, ASD Information Security Manual (ISM)

Ensure PFS is Enabled for TLS Connections

TLS connections must be set up to protect past data even if the server's private key is compromised.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2018

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Perfect Forward Secrecy (PFS) is used for TLS connections.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using Perfect Forward Secrecy (PFS) to protect data transferred online. With PFS, each session uses its own temporary key, so even if someone later obtains the server's private key, they cannot decrypt past sessions. Without PFS, a stolen key could unlock all previously recorded communications, risking a breach of private or sensitive information.

Why it matters

Without PFS, a stolen TLS private key can decrypt previously captured sessions, exposing historical sensitive data and enabling major breaches.

Operational notes

Audit TLS to allow only ECDHE/DHE suites (PFS) and disable RSA key exchange. Re-test after updates to ensure forward secrecy remains enabled.
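The operational note above asks for a cipher-suite audit. The following Python script is an added example (not Control Stack's own tooling, and not part of the ISM) of how such an audit can be scripted: it classifies cipher suites by their key-exchange method, reports any configured suite that uses static RSA or static (EC)DH key exchange, and then asks the local OpenSSL what a keyword-based cipher list would really offer. The cipher lists in the `__main__` block are constructed samples, not configuration from any real system; the function names are this example's own.

```python
"""Audit a TLS cipher-suite list for Perfect Forward Secrecy (ISM-1453).

Only ephemeral key exchange (ECDHE/DHE, and every TLS 1.3 suite) gives PFS.
Static RSA key exchange (the client encrypts the session secret with the
server's long-term RSA key) and static (EC)DH do not: a later private-key
compromise lets recorded sessions be decrypted.
"""
import re
import ssl

# TLS 1.3 suites (RFC 8446) always use ephemeral (EC)DHE, so PFS is inherent.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def key_exchange(suite: str) -> str:
    """Classify one suite name (IANA or OpenSSL form) by key exchange:
    'ephemeral' (PFS), 'static' (no PFS) or 'anonymous' (PFS but no authentication)."""
    s = suite.upper()
    if s in TLS13_SUITES:
        return "ephemeral"
    # IANA form: TLS_<KEX>[_<AUTH>]_WITH_..., e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    m = re.match(r"TLS_([A-Z0-9]+)(?:_([A-Z0-9]+))?_WITH_", s)
    if m:
        kex, auth = m.group(1), m.group(2)
        if kex in ("DH", "ECDH") and auth == "ANON":
            return "anonymous"
        return "ephemeral" if kex in ("DHE", "ECDHE") else "static"
    # OpenSSL form: ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-..., AES128-SHA, ADH-..., AECDH-...
    head = s.split("-")[0]
    if head in ("ADH", "AECDH"):
        return "anonymous"
    if head in ("ECDHE", "DHE", "EDH"):
        return "ephemeral"
    return "static"


def audit_cipher_list(cipher_list: str) -> dict:
    """Bucket the explicitly named suites of a configured list (nginx ssl_ciphers /
    Apache SSLCipherSuite style, ':' or ',' separated) by key-exchange class.
    Exclusions ('!', '-'), ordering ('+', '@') and OpenSSL keywords such as HIGH
    or kRSA are skipped here; see negotiable_key_exchanges() for those."""
    buckets = {"ephemeral": [], "static": [], "anonymous": []}
    for token in re.split(r"[:,\s]+", cipher_list.strip()):
        if not token or token[0] in "!-+@":
            continue
        if "-" not in token and not token.upper().startswith("TLS_"):
            continue  # a keyword group, not a suite name
        buckets[key_exchange(token)].append(token)
    return buckets


def pfs_only(cipher_list: str) -> bool:
    """True when every named suite is ephemeral and authenticated."""
    b = audit_cipher_list(cipher_list)
    return bool(b["ephemeral"]) and not b["static"] and not b["anonymous"]


def negotiable_key_exchanges(cipher_list: str) -> set:
    """Expand the list with the local OpenSSL and return the key-exchange kinds it
    would offer; 'kx-rsa' in the result means static RSA key exchange is live."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return {c["kea"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    # Constructed sample lists, labelled as such; not taken from any real server.
    samples = {
        "pfs-only": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL",
        "mixed": "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:TLS_RSA_WITH_AES_128_CBC_SHA",
    }
    for label, lst in samples.items():
        b = audit_cipher_list(lst)
        print(f"{label}: PFS-only={pfs_only(lst)} static={b['static']} anon={b['anonymous']}")
    # Keyword lists cannot be judged from the text alone; ask OpenSSL what they expand to.
    print("ECDHE+AESGCM:DHE+AESGCM offers:", sorted(negotiable_key_exchanges("ECDHE+AESGCM:DHE+AESGCM")))
```

Run it against the cipher string copied from each server's configuration; any entry in the `static` or `anonymous` bucket, or `kx-rsa` in the expanded set, is a finding to fix and re-test after the next update.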

Implementation tips

  • IT Team should confirm that Perfect Forward Secrecy is in use: Review the TLS (Transport Layer Security) configuration on every server, then update it so that only PFS-supporting cipher suites (the settings that decide how data is encrypted in transit) are allowed.
  • System Owners should work with IT to ensure compatibility: Communicate with IT to confirm that all your systems and applications are compatible with the latest TLS configurations. Ensure any legacy systems are updated or replaced to support PFS.
  • Procurement managers should include PFS as a requirement: When buying new systems or software, ensure vendors commit to PFS in their security specifications. Include this requirement in all tenders and contracts to ensure compliance.
  • IT Team should regularly update software: Ensure all software and servers involved in data transmission are kept up-to-date with the latest security patches. This helps maintain the efficacy of PFS as vulnerabilities are discovered and fixed over time.
  • Conduct regular training for IT staff: Organise sessions to keep the team informed about PFS and how to manage TLS settings effectively. Encourage them to document their processes and share insights to maintain consistent security standards.

Audit / evidence tips

  • Ask: server configuration files. Review the settings to confirm PFS-enabled cipher suites are the only ones active.

    Good: shows PFS-only configurations without exceptions.

  • Good: includes documentation showing that all key applications are updated and configured to use PFS.

  • Good: includes documented obligations from suppliers to support PFS in their solutions.

  • Ask: staff training logs.

    Good: demonstrates regular sessions, attendance records, and updated training materials.

  • Good: highlights a recent analysis that confirms no unsupported cipher suites are enabled.

Cross-framework mappings

How ISM-1453 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  Control: Annex A 8.24
  Notes: ISM-1453 requires Perfect Forward Secrecy (PFS) to be used for TLS connections so past sessions remain protected even if a server private...
