Ensure Rigorous Testing of Content Filters
Content filters need thorough testing to make sure they work properly and can't be bypassed.
Plain language
This control is about making sure that content filters, which block harmful or unwanted information from entering an organisation's systems, are thoroughly tested. If these filters don't work properly or can be easily bypassed, the organisation is at risk of data breaches, exposure to malware, or inappropriate content reaching employees, which could lead to legal trouble or damage to the organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed.
Why it matters
Poorly tested CDS content filters may be bypassed, enabling unauthorised data transfer or malware ingress and causing breaches.
Operational notes
Routinely regression-test CDS content filters using known bypass cases (encoding tricks, polyglots, archives, malformed files) and verify that each case is blocked.
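A minimal regression harness for the case categories named above, as an added example that is not part of the ISM or of the original page. `MARKER`, `naive_filter`, `deep_filter` and `run_regression` are hypothetical names, the samples are constructed and harmless, and both filters are local stand-ins; in practice `filter_fn` would submit each sample to the CDS filter in a test environment.

```python
import base64, io, zipfile

MARKER = b"CDS-FILTER-TEST-MARKER-0001"  # constructed, harmless stand-in for blocked content

def zip_of(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()

def build_cases():
    """Constructed regression corpus: (case name, payload, must_block)."""
    inner = zip_of("note.txt", MARKER)
    return [
        ("plain marker", MARKER, True),
        ("benign text", b"quarterly report, nothing to see", False),
        ("encoding: base64", base64.b64encode(MARKER), True),
        ("archive: nested zip", zip_of("inner.zip", inner), True),
        ("polyglot: PNG magic + zip", b"\x89PNG\r\n\x1a\n" + inner, True),
        ("malformed: truncated zip", inner[:-10], True),
    ]

def naive_filter(payload):  # hypothetical weak filter: raw byte match only
    return MARKER in payload

def deep_filter(payload, depth=0):
    """Hypothetical filter: unwraps encodings and archives, fails closed. True = block."""
    if MARKER in payload or depth > 5:  # nesting beyond the limit is blocked, not skipped
        return True
    try:
        if (d := base64.b64decode(payload, validate=True)) and deep_filter(d, depth + 1):
            return True
    except ValueError:  # not valid base64: nothing to unwrap
        pass
    if b"PK\x03\x04" in payload:  # zip local-file header anywhere in the blob
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                return any(deep_filter(z.read(n), depth + 1) for n in z.namelist())
        except Exception:  # looks like an archive but will not open: fail closed
            return True
    return False

def run_regression(filter_fn):  # names of cases whose verdict differs from expected
    return [name for name, data, must_block in build_cases()
            if bool(filter_fn(data)) != must_block]

if __name__ == "__main__":
    for fn in (naive_filter, deep_filter):
        print(fn.__name__, "failed cases:", run_regression(fn) or "none")
```

Each failed case name is a regression to record as test evidence; the benign case guards against a filter that passes the suite by blocking everything.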
Implementation tips
- IT team should conduct regular testing: Develop a testing schedule where the IT team systematically tests content filters by using legitimate and malicious content to ensure they are effectively blocking and allowing the right information. This can be done by simulating attacks in a safe environment to see if the filters catch them.
- System administrators should verify filter updates: Regularly check and update the content filtering software to the latest version to ensure it has the newest protections. This involves reviewing update logs from the software provider and applying updates as soon as they become available.
- Procurement should ensure contracts include testing: When acquiring content filters, include requirements in supplier contracts for the provision of testing methodologies and validation results. This means working with the vendor to get detailed explanations of how the product is tested and proven to work effectively.
- Managers should review filter effectiveness reports: Set up regular reviews where managers evaluate reports on content filtering effectiveness generated by the IT team or automated systems. These reports should include instances of successfully blocked content and any false positives where legitimate content was blocked.
- IT security staff should perform bypass testing: Try methods commonly used by hackers to bypass content filters and see if these attempts are detected and blocked. This can involve using known software flaws or other techniques that malicious users might employ, ensuring that the filters stay robust.
Audit / evidence tips
- Ask for the content filter testing schedule: Request the documented schedule that details when and how the content filters are tested.
  Good: includes a clear timeline with diverse test methods conducted regularly.
- Ask for filter update logs: Request the logs or reports that show updates to the content filtering software.
  Good: is a documented list showing timely updates and patches applied.
- Ask for the contract with the filter provider: Request the procurement documents or contracts made with content filter suppliers.
  Good: includes contractual commitments for product testing proof.
- Ask for filter effectiveness reports: Request effectiveness reports that detail recent content filtering incidents.
  Good: includes statistics showing high accuracy in filtering and rapid incident resolution.
- Ask for evidence of bypass testing: Request documentation or results from recent bypass tests conducted by internal staff.
  Good: will include detailed test records and improvements made to the filters.
Cross-framework mappings
How ISM-1524 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.29 | ISM-1524 requires that content filters used by Cross Domain Solutions (CDSs) are subjected to rigorous security testing to confirm they w... |
| Partially overlaps | Annex A 8.34 | ISM-1524 requires rigorous security testing of CDS content filters to ensure they perform as expected and cannot be bypassed |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.