Utilising Evaluated Firewalls for Network Security
Firewalls are installed to separate the organisation's networks from the public internet, enhancing security.
Plain language
This control is about using firewalls that have been tested and evaluated to help keep your organisation's network safe from the public internet. It matters because, without proper protection, cybercriminals can access sensitive information, damage systems, or disrupt business operations, leading to financial loss and reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Evaluated firewalls are used between an organisation's networks and public network infrastructure.
Why it matters
Without evaluated firewalls at the boundary to public networks, perimeter attacks can bypass filtering, enabling data theft and service disruption.
Operational notes
Deploy ASD/NIAP-evaluated firewalls at all public network boundaries; review rule sets, logging and firmware monthly to maintain assurance.
Implementation tips
- The IT team should install an evaluated firewall between the organisation's network and the internet. They can do this by selecting a firewall that meets recognised standards, which means it has been tested for effectiveness. This ensures the firewall can stop unauthorised access effectively.
- System owners should work with IT to regularly update firewall settings and software. This involves scheduling monthly checks to ensure the firewall software is up to date and applying patches provided by the firewall vendor. Doing so minimises vulnerabilities that hackers might exploit.
- Managers should provide training to staff on firewall basics and why they're essential. Arrange for a simple training session with the IT team to explain what the firewall does and why it’s crucial for protecting the organisation’s information. This helps in creating a culture of security awareness.
- Procurement should ensure new firewalls meet the required evaluation standards before purchase. They can do this by consulting with IT to verify that any new firewall products on the market come with the necessary certification or evaluation reports. This step ensures only capable firewalls are brought into the network.
- The IT team should document firewall configurations and changes thoroughly. Start a log where every change to the firewall settings is recorded with a date and responsible person's name. This record allows for accountability and helps quickly identify if and when a setting needs to be rolled back.
Audit / evidence tips
- Ask for the firewall configuration documentation: request a record of the current settings and any recent changes for the firewalls in use.
  Good evidence: detailed records showing regular updates checked, authorised by IT management.
- Ask to see the evaluated certification of the installed firewalls: request the documents proving the firewalls meet recognised standards.
  Good evidence: current documents from a trusted body indicating the firewall is fully certified.
- Ask about the firewall update process: request to see the schedule and logs for recent firewall updates.
  Good evidence: evidence of routine updates and patching conducted within the past month.
- Ask for staff training records on firewall awareness: request records of training sessions with dates and attendee lists.
  Good evidence: completed sessions covering firewall use with broad participation.
- Ask to see the procurement process for firewall products: request the checklist or criteria for selecting firewalls.
  Good evidence: detailed criteria aligning with best practices and demonstrating responsible purchasing decisions.
Cross-framework mappings
How ISM-1528 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.22 | ISM-1528 requires evaluated firewalls to be deployed between an organisation’s networks and public network infrastructure to control and ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.