ISM-1528 ASD Information Security Manual (ISM)

Utilising Evaluated Firewalls for Network Security

Firewalls whose security functions have been independently evaluated are placed between the organisation's networks and the public internet, so that the filtering at the boundary carries assurance rather than vendor claims alone.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Evaluated firewalls are used between an organisation's networks and public network infrastructure.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about placing firewalls that have been independently evaluated between your organisation's networks and the public internet. "Evaluated" means the product's security functions have been tested under a recognised evaluation scheme, not simply described in a vendor's datasheet. It matters because, without assured filtering at the boundary, attackers can reach sensitive information, damage systems or disrupt business operations, leading to financial loss and reputational harm.

Why it matters

Without an evaluated firewall at the boundary to public networks, the organisation has no independent assurance that the device enforces its rule set as claimed. A flaw in the filtering logic or in the management plane then lets attackers pass the perimeter, enabling data theft and service disruption.

Operational notes

Deploy ASD/NIAP-evaluated firewalls at every boundary with public network infrastructure, and run them in their evaluated configuration: a product operated outside that configuration no longer carries the evaluation's assurance. Review rule sets, logging and firmware monthly to keep that assurance current.

Implementation tips

  • The IT team should install an evaluated firewall between the organisation's network and the internet, choosing a product whose evaluation (for example under the ASD or NIAP scheme) is current and deploying it in its evaluated configuration. Evaluation means the product's security functions have been independently tested, which is what gives confidence it will stop unauthorised access.
  • System owners should work with IT to keep firewall firmware and software current. Schedule a monthly check, apply the patches the vendor provides, and confirm the deployed version remains a supported release. This minimises the vulnerabilities an attacker could exploit.
  • Managers should arrange a short session in which the IT team explains what the boundary firewall does and why it is crucial for protecting the organisation's information. This builds a culture of security awareness.
  • Procurement should confirm, with IT, that any candidate firewall carries a current certificate or evaluation report from a recognised scheme before purchase, so that only evaluated products enter the network.
  • The IT team should document firewall configurations and changes thoroughly. Record every rule or setting change with the date, the responsible person and the reason, and retain the previous configuration, so that a change can be traced to its author and rolled back when needed.
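The monthly rule-set review and the change log described above are the parts of this control that can be partly automated. The script below is an added example, not code from Control Stack, ASD or any firewall vendor. It reviews a constructed, vendor-neutral rule export for permits that expose internal networks to public sources, and produces a change-log entry with the reviewer's name, the date, before/after fingerprints of the export and the rule-level diff, which is what lets a change be identified and rolled back. The six-field export format, the sample rules and the use of RFC 1918 ranges as "the organisation's networks" are assumptions; real exports (iptables-save, PAN-OS, FortiGate CLI) need their own parser, while the review and change-record logic is independent of that format.

```python
"""Rule-set review and change-record helper for the monthly firewall check.

Added example, not code from Control Stack, ASD or a firewall vendor. Assumed
export format, one rule per line:
    <name> <permit|deny> <src_cidr> <dst_cidr> <proto> <port|any>
"""
import datetime
import hashlib
import ipaddress
from dataclasses import dataclass

# Assumption: RFC 1918 ranges stand in for "the organisation's networks".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export from the boundary firewall before the review.
SAMPLE_RULES = """\
allow-web   permit 0.0.0.0/0        203.0.113.10/32  tcp 443
allow-mgmt  permit 0.0.0.0/0        10.0.0.0/8       tcp any
legacy-any  permit 0.0.0.0/0        0.0.0.0/0        any any
vpn-in      permit 198.51.100.0/24  10.10.0.0/16     udp 500
deny-all    deny   0.0.0.0/0        0.0.0.0/0        any any
"""

# Constructed export after the review: legacy-any removed, allow-mgmt tightened.
REVISED_RULES = """\
allow-web   permit 0.0.0.0/0        203.0.113.10/32  tcp 443
allow-mgmt  permit 198.51.100.0/24  10.0.0.0/8       tcp 22
vpn-in      permit 198.51.100.0/24  10.10.0.0/16     udp 500
deny-all    deny   0.0.0.0/0        0.0.0.0/0        any any
"""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: str


def parse_rules(text):
    """Parse the assumed six-field format; malformed lines fail loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        name, action, src, dst, proto, port = fields
        rules.append(Rule(name, action.lower(),
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False),
                          proto.lower(), port.lower()))
    return rules


def review(rules):
    """Return (rule name, reason) for permits that let public sources reach
    internal networks more broadly than a boundary firewall should allow."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        public_src = not any(r.src.subnet_of(n) for n in INTERNAL_NETS)
        internal_dst = any(r.dst.overlaps(n) for n in INTERNAL_NETS)
        if public_src and r.dst.prefixlen == 0:
            findings.append((r.name, "permits public sources to any destination"))
        elif public_src and internal_dst and r.port == "any":
            findings.append((r.name, "permits public sources to internal hosts on any port"))
    return findings


def fingerprint(text):
    """Whitespace-insensitive SHA-256 of the export, so the log proves which version was reviewed."""
    canonical = "\n".join(" ".join(l.split()) for l in text.splitlines() if l.strip())
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_rule_sets(before_text, after_text):
    """Rule-level diff keyed on rule name."""
    before = {r.name: r for r in parse_rules(before_text)}
    after = {r.name: r for r in parse_rules(after_text)}
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(n for n in set(before) & set(after) if before[n] != after[n])}


def record_change(before_text, after_text, changed_by, when=None):
    """Change-log entry: date, responsible person, fingerprints and diff. Retaining
    before_text next to this entry is what makes a rollback possible."""
    when = when or datetime.date.today().isoformat()
    return {"date": when, "changed_by": changed_by,
            "before_sha256": fingerprint(before_text),
            "after_sha256": fingerprint(after_text),
            **diff_rule_sets(before_text, after_text)}


if __name__ == "__main__":
    for name, reason in review(parse_rules(SAMPLE_RULES)):
        print(f"FINDING {name}: {reason}")
    print(record_change(SAMPLE_RULES, REVISED_RULES, "J. Citizen (assumed reviewer)"))
    print("post-change findings:", review(parse_rules(REVISED_RULES)))
```

On the sample export the review flags allow-mgmt (any port from the internet into 10.0.0.0/8) and legacy-any (any source to any destination), and reports nothing once the revised export is loaded; the change record shows legacy-any removed and allow-mgmt modified, with differing before/after fingerprints. The fingerprint collapses whitespace so that reformatting an export does not register as a change.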

Audit / evidence tips

  • Ask for the firewall configuration documentation: request a record of the current settings and any recent changes for the firewalls in use.

    Good: Detailed records showing regular update checks, authorised by IT management.

  • Ask to see the evaluation certification of the installed firewalls: request the documents proving the firewalls meet recognised standards.

    Good: Current documents from a trusted body showing the firewall is fully certified.

  • Ask about the firewall update process: request the schedule and logs for recent firewall updates.

    Good: Evidence of routine updates and patching conducted within the past month.

  • Ask for staff training records on firewall awareness: request records of training sessions with dates and attendee lists.

    Good: Completed sessions covering firewall use with broad participation.

  • Ask to see the procurement process for firewall products: request the checklist or criteria used to select firewalls.

    Good: Detailed criteria aligned with best practice and demonstrating responsible purchasing decisions.

Cross-framework mappings

How ISM-1528 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control: Annex A 8.22 (Segregation of networks)
Relationship: Supports (1)
Notes: ISM-1528 requires evaluated firewalls to be deployed between an organisation's networks and public network infrastructure to control and ...
