Prevent Unsuitable Foreign Data Exports
Ensure processes are in place to block export of sensitive data to foreign systems.
Plain language
This control ensures that sensitive Australian data doesn't end up in the wrong hands overseas. If we don't have good processes to stop this, our confidential information could be misused, leading to serious security risks and trust issues both domestically and internationally.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for data transfers
Section
Data transfers
Official control statement
Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in textual and non-textual formats from being exported to unsuitable foreign systems.
Why it matters
Exporting AUSTEO, AGAO or REL data to unsuitable foreign systems can expose classified information, harm national security, and damage partner trust.
Operational notes
Implement export checks to block the transfer of AUSTEO/AGAO/REL data to foreign services that are not approved; monitor egress and review exceptions regularly.
Implementation tips
- System owners should identify where sensitive data is stored and accessed within their organisation. They can map out information flows using simple diagrams and mark areas where data might be transferred internationally. This helps pinpoint potential vulnerabilities.
- IT teams should set up systems to block unauthorised data exports. They can configure network settings to prevent data from being sent to select international locations or use secure transfer tools that have built-in restrictions.
- Managers need to train staff on data handling policies about foreign transfers. They can organise regular workshops with clear examples of what’s allowed and what isn’t, ensuring staff know the importance of compliance.
- Procurement teams should vet vendors for their data handling capabilities. They can ask vendors to commit to Australian data protection standards and check their track record in handling sensitive information.
- The organisation's legal advisor should regularly review data transfer policies. They should ensure these policies align with both Australian laws and the laws of countries where data might be accessed, updating them as needed.
Audit / evidence tips
- Ask: the data export policy document. Request the organisation’s documented policy on data transfers to foreign systems.
  Good: includes clear instructions on what data cannot be exported and the consequences for non-compliance.
- Ask: training records. Request records of staff training sessions related to data transfer.
  Good: shows regular, comprehensive training is provided to all relevant staff.
- Ask: system configurations. Request documentation on network or system configurations that prevent unauthorised exports.
  Good: shows concrete evidence of systems blocking unwanted data leaks.
- Ask: vendor agreements. Request contracts or agreements with third-party vendors.
  Good: includes vendor agreements explicitly committing to Australian standards.
- Ask: legal review summaries. Request summaries of legal reviews on data transfer policies.
  Good: includes regular reviews resulting in policy updates reflecting current laws and risks.
Cross-framework mappings
How ISM-1535 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.14 | ISM-1535 requires organisations to develop, implement, and maintain processes and procedures to prevent AUSTEO, AGAO, and REL data from b... | |
| Partially overlaps (1) | | |
| Annex A 8.12 | ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL information (textual and non-textual) from being e... | |
| Supports (2) | | |
| Annex A 5.19 | ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys... | |
| Annex A 5.21 | ISM-1535 requires processes and procedures to prevent AUSTEO, AGAO, and REL information from being exported to unsuitable foreign systems | |
| Depends on (1) | | |
| Annex A 5.13 | ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.