ISM-1521: ASD Information Security Manual (ISM)

Use Protocol Breaks to Separate Network Layers

Ensure data flows are separated by breaking protocols at each network level for security.


Plain language

This control is about making sure that the flow of data through different networks has breaks between each layer. Think of it like having walls between rooms in your house to keep each section private and secure. If you don't have these breaks, sensitive information could leak from one network area to another, creating a risk of data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

CDSs implement protocol breaks at each network layer.
ASD Information Security Manual (ISM), ISM-1521

Why it matters

Without protocol breaks between network layers, traffic can traverse unintended paths, enabling cross-layer data leakage and raising the likelihood of compromise.


Operational notes

Regularly verify protocol breaks at each network layer (e.g., gateways/guards), review boundary rules, and monitor for misconfigurations that enable unintended cross-layer flows.


Implementation tips

  • The IT team should identify where data crosses from one network to another within the organisation. They can do this by mapping out the data paths and the points where different network systems connect, using simple diagrams or lists.
  • System administrators should set up protocol breaks at these identified crossing points. This involves creating a separate point where data from one network is checked and possibly transformed into a different format before it continues to the next network layer.
  • Managers should ensure the protocol break systems are checked regularly by IT staff. They can set up a schedule for these checks so that the security settings stay up to date and function as intended.
  • Security officers should conduct training sessions for staff about the importance of protocol breaks. The training should include what protocol breaks are and why they are critical for safeguarding sensitive data.
  • System owners should work with IT teams to document the areas where protocol breaks are implemented. They need to create a clear document that lists these points and describes how each break functions to maintain security.

Audit / evidence tips

  • Ask: The network diagram showing protocol breaks. Request the current network diagram that includes marked points of protocol breaks. Good: A diagram with distinct, labelled protocol break points across different network layers.
  • Ask: To see the documentation on protocol break procedures. Request documents detailing how data is processed at each protocol break. Good: Comprehensive instructions for each break point, including any transformation or checks done.
  • Ask: Logs of regular protocol break checks. Request the records showing when and how often the protocol breaks are checked. Good: Logs with regular dates and clear descriptions of the monitoring activities.
  • Ask: To review staff training records on protocol breaks. Request records or certificates of staff training sessions about protocol breaks. Good: Documented evidence of regular training sessions with high staff attendance.
  • Ask: System configuration settings. Request access to configuration settings where protocol breaks are enforced. Good: Configuration settings align exactly with documented procedures and show evidence of regular updates.

Cross-framework mappings

How ISM-1521 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.20: ISM-1521 requires CDSs to implement protocol breaks at each network layer to enforce strong separation of data flows between layers

Supports (1)

  • Annex A 8.22: ISM-1521 requires CDSs to implement protocol breaks at each network layer to prevent direct end-to-end protocol continuity and reduce cro...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
