Control Stack
ISM-1763 ASD Information Security Manual (ISM)

Use NIST P-384 Curve for ECDSA Signatures

When signing digitally, prefer using the NIST P-384 curve for better security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.

Source: ASD Information Security Manual (ISM)

Plain language

When you sign something digitally, the signature proves who produced it and that it has not been altered since. ECDSA is one way of producing such a signature, and it has to run on a mathematical curve. This control says that if you use ECDSA, the curve must be one of three NIST curves (P-256, P-384 or P-521), and that P-384 is the one to prefer. Using a curve outside that list, or one with a smaller security margin, makes it easier for an attacker to forge signatures, which can lead to unauthorised access or fraud.

Why it matters

The curve sets the security level of an ECDSA signature: P-256 gives roughly 128 bits, P-384 roughly 192 bits and P-521 roughly 256 bits. Curves outside the approved set (for example P-224 or secp256k1) either offer a smaller margin or are not ASD-approved for this use, and a weaker or unvetted curve increases the chance of forged signatures and unauthorised actions. P-384 is preferred because it keeps a comfortable margin against future advances without the key-size and performance cost of P-521.

Operational notes

Confirm that every ECDSA implementation in scope (TLS stacks, code-signing tools, PKI software, HSMs and signing libraries) accepts only NIST P-256, P-384 and P-521, defaults to P-384 for new keys, and rejects keys that carry explicit curve parameters instead of a named curve. Audit certificate keys and CSRs by their curve OID (P-384 is 1.3.132.0.34) and pair P-384 with SHA-384 as the signature hash. Curve choice does not remove ECDSA's dependence on an unpredictable per-signature nonce; use a library that derives the nonce deterministically (RFC 6979) or from a vetted random source.
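The curve audit described above, as an added example that is not Control Stack's own tooling: a small Python script that parses the DER encoding of an X.509 SubjectPublicKeyInfo (the format `openssl pkey -pubin -outform DER` emits) with a minimal ASN.1 reader, extracts the namedCurve OID and classifies it against the ISM-approved set. The function names, the sample keys and their placeholder point bytes are constructed for this example; only the OIDs are real.

```python
# Added example (not Control Stack's tooling): classify the named curve of an
# EC public key for an ISM-1763 audit. Parses a DER SubjectPublicKeyInfo, as
# produced by `openssl pkey -pubin -outform DER`, with a minimal ASN.1 reader.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey (RFC 5480)
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption, for the RSA sample
APPROVED_CURVES = {                          # namedCurve OIDs the control permits
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
PREFERRED_CURVE = "1.3.132.0.34"             # P-384
OTHER_KNOWN_CURVES = {"1.3.132.0.33": "P-224", "1.3.132.0.10": "secp256k1"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def curve_oid_of_spki(der):
    """namedCurve OID of an EC SubjectPublicKeyInfo, or None if the key is not EC.
    Explicit curve parameters are rejected: they cannot be matched by OID."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        return None
    tag, params, _ = _read_tlv(alg_id, pos)
    if tag != 0x06:
        raise ValueError("EC key carries explicit/implicit parameters, not a namedCurve")
    return _decode_oid(params)


def assess_spki(der):
    """Audit verdict for one key: (status, curve name or OID)."""
    oid = curve_oid_of_spki(der)
    if oid is None:
        return "not-ec", None  # ISM-1763 only applies when ECDSA is used
    if oid == PREFERRED_CURVE:
        return "preferred", APPROVED_CURVES[oid]
    if oid in APPROVED_CURVES:
        return "approved", APPROVED_CURVES[oid]
    return "non-approved", OTHER_KNOWN_CURVES.get(oid, oid)


# Constructed samples below: a tiny DER encoder; the key material is placeholder
# bytes with the right shape, not real points or moduli. Only the OIDs matter here.
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:  # remaining base-128 digits, high bit set on all but the last
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def sample_ec_spki(curve_oid, coord_len):
    alg = _der(0x30, _encode_oid(ID_EC_PUBLIC_KEY) + _encode_oid(curve_oid))
    point = b"\x04" + b"\x11" * (2 * coord_len)  # uncompressed-point shape only
    return _der(0x30, alg + _der(0x03, b"\x00" + point))


def sample_rsa_spki():
    alg = _der(0x30, _encode_oid(ID_RSA_ENCRYPTION) + b"\x05\x00")  # NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, b"\x02\x01\x03\x02\x01\x03")))


if __name__ == "__main__":
    for label, der in [("P-384", sample_ec_spki("1.3.132.0.34", 48)),
                       ("P-256", sample_ec_spki("1.2.840.10045.3.1.7", 32)),
                       ("secp256k1", sample_ec_spki("1.3.132.0.10", 32)),
                       ("RSA", sample_rsa_spki())]:
        print(f"{label:10s} -> {assess_spki(der)}")
```

To run it over a real certificate, extract the key first with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER > key.der` and call `assess_spki(open("key.der", "rb").read())`. A result of "non-approved" or a ValueError for explicit parameters is an audit finding; "approved" on P-256 or P-521 meets the control but is not the preferred curve.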

Implementation tips

  • IT team should review current digital signing methods: Check which algorithms and curves are currently in use. Ensure that P-384 is the default for new ECDSA keys, that P-256 and P-521 are the only other curves enabled, and update software if necessary.
  • Procurement should specify security requirements: When purchasing software or services that involve digital signatures, ensure contracts specify that they support the NIST P-384 curve for ECDSA signatures. Clarify this during vendor negotiation.
  • IT security manager should run awareness sessions: Educate team members about the importance of using recommended algorithms. Use simple examples to explain why the NIST P-384 curve is preferred for security.
  • System owner should coordinate upgrade plans: If the required software does not support the NIST P-384 curve, collaborate with IT to plan and prioritise an upgrade. Create a timeline for implementing this change.
  • Policy manager should update documentation: Ensure internal security policies reflect the use of the NIST P-384 curve for digital signatures. This ensures everyone knows it's the standard and follows it.

Audit / evidence tips

  • Ask: the list of algorithms and curves used for digital signatures. Request documentation from the IT team detailing current algorithms.

    Good: lists NIST P-384 (with P-256 and P-521 as the only alternatives) with implementation notes

  • Ask: procurement requirements or vendor contracts for products that produce digital signatures.

    Good: confirms NIST P-384 support or a dated commitment to add it

  • Ask: IT awareness session records. Review attendance and materials from training sessions.

    Good: includes clear session agendas and participant feedback

  • Ask: upgrade timelines. Request a project plan or timeline for software upgrades.

    Good: includes a specific timeline and responsible parties

  • Ask: to see updated security policies. Review new policies set by the policy manager.

    Good: includes explicit statements about using NIST P-384

Cross-framework mappings

How ISM-1763 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

ISO 27001 control   Relationship          Notes
Annex A 8.24        Partially meets (1)   ISM-1763 requires that when an organisation uses ECDSA for digital signatures it uses approved NIST curves (preferably P-384)
Annex A 5.36        Supports (1)          ISM-1763 requires organisations to standardise ECDSA signature configurations to approved NIST curves, preferably P-384
