ISM-1535 ASD Information Security Manual (ISM)

Prevent Unsuitable Foreign Data Exports

Ensure processes are in place to block export of sensitive data to foreign systems.

Preventative SECRET TOP SECRET ASD Information Security ManualGuidelines for data transfers information transfer

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for data transfers

Section

Data transfers

Topic

Data Transfer Processes and Procedures

Official control statement

Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in textual and non-textual formats from being exported to unsuitable foreign systems.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that sensitive Australian data doesn't end up in the wrong hands overseas. If we don't have good processes to stop this, our confidential information could be misused, leading to serious security risks and trust issues both domestically and internationally.

Why it matters

Exporting AUSTEO, AGAO or REL data to unsuitable foreign systems can expose classified information, harm national security, and damage partner trust.

Operational notes

Implement export checks to block AUSTEO/AGAO/REL data from transfer to foreign services not approved; monitor egress and review exceptions regularly.

Implementation tips

System owners should identify where sensitive data is stored and accessed within their organisation. They can map out information flows using simple diagrams and mark areas where data might be transferred internationally. This helps pinpoint potential vulnerabilities.
IT teams should set up systems to block unauthorised data exports. They can configure network settings to prevent data from being sent to select international locations or use secure transfer tools that have built-in restrictions.
Managers need to train staff on data handling policies about foreign transfers. They can organise regular workshops with clear examples of what’s allowed and what isn’t, ensuring staff know the importance of compliance.
Procurement teams should vet vendors for their data handling capabilities. They can ask vendors to commit to Australian data protection standards and check their track record in handling sensitive information.
The organisation's legal advisor should regularly review data transfer policies. They should ensure these policies align with both Australian laws and the laws of countries where data might be accessed, updating them as needed.

Audit / evidence tips

Ask: the data export policy document: Request the organisation’s documented policy on data transfers to foreign systems

Good: includes clear instructions on what data cannot be exported and the consequences for non-compliance
Ask: training records: Request records of staff training sessions related to data transfer

Good: shows regular, comprehensive training is provided to all relevant staff
Ask: system configurations: Request documentation on network or system configurations that prevent unauthorised exports

Good: shows concrete evidence of systems blocking unwanted data leaks
Ask: vendor agreements: Request contracts or agreements with third-party vendors

Good: includes vendor agreements explicitly committing to Australian standards
Ask: legal review summaries: Request summaries of legal reviews on data transfer policies

Good: includes regular reviews resulting in policy updates reflecting current laws and risks

Cross-framework mappings

How ISM-1535 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control	Notes	Details
Partially meets (1)
Annex A 5.14	ISM-1535 requires organisations to develop, implement, and maintain processes and procedures to prevent AUSTEO, AGAO, and REL data from b...
Partially overlaps (1)
Annex A 8.12	ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL information (textual and non-textual) from being e...
Supports (2)
Annex A 5.19	ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys...
Annex A 5.21	ISM-1535 requires processes and procedures to prevent AUSTEO, AGAO, and REL information from being exported to unsuitable foreign systems
Depends on (1)
Annex A 5.13	ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys...