ISM-1766, ASD Information Security Manual (ISM)

Ensure Secure Hashing with SHA-2 Algorithm

Use at least 224-bit SHA-2 hash, with SHA-384 or SHA-512 being preferred, to ensure strong security.


Plain language

This control is about ensuring that when you use digital fingerprints (hashes) to store or verify data, you use a strong method called SHA-2 with an output of at least 224 bits, and ideally 384 or 512 bits. This matters because weaker methods can be broken by attackers, meaning your information could be tampered with or stolen without you knowing.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384 or SHA-512.

Why it matters

Using hashes weaker than SHA-2 with at least a 224-bit output can enable collision attacks, undermining data integrity and trust in files and signatures.


Operational notes

Ensure all systems use SHA-2 with at least 224-bit output and prioritise SHA-384 or SHA-512 for enhanced security.


Implementation tips

  • IT Team: Ensure the software your organisation uses for hashing includes SHA-2 with at least 224-bit output capability. This could involve checking the settings or configurations of any application that handles passwords or sensitive data to verify it uses SHA-2.
  • Procurement Officer: When purchasing new software, verify that it supports SHA-2 hashing methods, preferably with 384 or 512-bit output. Include this requirement in the checklist during the procurement process.
  • System Administrator: Regularly update systems to ensure they maintain compatibility with the latest secure hashing standards, including SHA-2. This can be done by scheduling regular software updates and patches.
  • Security Officer: Document and monitor how SHA-2 hashing is implemented within your various data systems to ensure compliance. This could include maintaining records of the configurations and regularly reviewing them.
  • Compliance Manager: Conduct regular assessments to ensure SHA-2 algorithms are in use. This involves reviewing the organisational policies and practices concerning data security and hashing protocols.
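As an added example (not part of the ISM or of this Control Stack page), the following Python script performs the configuration check the IT Team tip describes: it normalises algorithm names, asks hashlib for the real digest size and grades each setting against the 224-bit minimum and the 384/512-bit preference. The configuration key names and the sample configuration are assumptions constructed for the demonstration.

```python
import hashlib
import re

# ISM-1766 thresholds, in bits of digest output.
MIN_BITS = 224        # smallest acceptable SHA-2 output size
PREFERRED_BITS = 384  # SHA-384 and SHA-512 are the preferred sizes

# hashlib names of the SHA-2 family; SHA-3 and legacy digests are deliberately left out.
SHA2_FAMILY = {"sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256"}

def normalise(name: str) -> str:
    """Map spellings such as 'SHA-256', 'SHA512/224' or 'SHA3-256' onto hashlib names."""
    return name.strip().lower().replace("sha3-", "sha3_").replace("/", "_").replace("-", "")

def assess(name: str) -> dict:
    """Verdict for one configured algorithm: preferred, acceptable, non_compliant or unknown."""
    alg = normalise(name)
    try:
        # Ask hashlib for the real digest size instead of trusting the name alone.
        bits = hashlib.new(alg, usedforsecurity=False).digest_size * 8
    except ValueError:
        return {"algorithm": name, "bits": None, "status": "unknown"}
    if alg not in SHA2_FAMILY or bits < MIN_BITS:
        status = "non_compliant"  # MD5, SHA-1, SHA-3 or a SHA-2 output below 224 bits
    elif bits >= PREFERRED_BITS:
        status = "preferred"
    else:
        status = "acceptable"
    return {"algorithm": name, "bits": bits, "status": status}

# Matches "key = value" / "key: value" lines; the key names used below are assumptions.
CONFIG_LINE = re.compile(r"^\s*(?P<key>[\w.]+)\s*[=:]\s*(?P<value>[\w/-]+)", re.M)

def audit_config(text: str) -> list:
    """Assess every config value whose key mentions a hash or digest setting."""
    return [assess(m.group("value")) for m in CONFIG_LINE.finditer(text)
            if re.search(r"hash|digest", m.group("key"), re.I)]

# Constructed sample configuration for the demonstration, not taken from any real product.
SAMPLE_CONFIG = """
signature.digest = SHA-1
file.hash_algorithm = SHA-256
backup.hash_algorithm: SHA-512
legacy.hash = MD5
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['algorithm']:8} {str(f['bits']):>4} bits  {f['status']}")
```

A SHA-2 digest of the required size satisfies this control for integrity checks and signatures; password storage additionally needs a dedicated slow password-hashing scheme rather than a bare SHA-2 hash.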

Audit / evidence tips

  • Ask: The hash algorithm configuration report. Request the current configuration of data processing applications. Good: Confirmation that SHA-2 with at least 224 bits is configured.
  • Ask: Software specifications. Obtain documentation for all critical systems in use. Good: Mention of SHA-2 usage, specifying the preferred bit lengths (384 or 512).
  • Ask: Procurement records. Request recent software procurement documents. Good: Records showing SHA-2 with the recommended bit lengths as a purchase requirement.
  • Ask: Policy documentation. Obtain the organisation's data security policy. Good: Policies explicitly requiring the use of SHA-2 hashing algorithms.
  • Ask: A compliance audit report. Request the latest audit report on data security compliance. Good: Auditor's confirmation of SHA-2 implementation conforming to organisational policy.

Cross-framework mappings

How ISM-1766 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-1766 requires organisations to use SHA-2 hashing with an output size of at least 224 bits (preferably SHA-384 or SHA-512) to ensure s...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
