Ensure Secure Hashing with SHA-2 Algorithm
Use at least 224-bit SHA-2 hash, with SHA-384 or SHA-512 being preferred, to ensure strong security.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P
🗓️ ISM last updated
Nov 2024
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for cryptography: When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384 or SHA-512.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about ensuring that when you use digital fingerprints (hashes) for storing or verifying data, you use a strong method called SHA-2 with output of at least 224 bits, but ideally 384 or 512 bits. This matters because weaker methods can be cracked by hackers, meaning your information could be tampered with or stolen without you knowing.
Why it matters
Using hash functions weaker than SHA-2 with at least a 224-bit output can enable collision attacks, undermining data integrity and trust in files and signatures.
Operational notes
Ensure all systems use SHA-2 with at least 224-bit output and prioritise SHA-384 or SHA-512 for enhanced security.
Implementation tips
- IT Team: Ensure the software your organisation uses for hashing includes SHA-2 with at least 224-bit output capability. This could involve checking the settings or configurations of any application that handles passwords or sensitive data to verify it uses SHA-2.
- Procurement Officer: When purchasing new software, verify that it supports SHA-2 hashing methods, preferably with 384 or 512-bit output. Include this requirement in the checklist during the procurement process.
- System Administrator: Regularly update systems to ensure they maintain compatibility with the latest secure hashing standards, including SHA-2. This can be done by scheduling regular software updates and patches.
- Security Officer: Document and monitor how SHA-2 hashing is implemented within your various data systems to ensure compliance. This could include maintaining records of the configurations and regularly reviewing them.
- Compliance Manager: Conduct regular assessments to ensure SHA-2 algorithms are in use. This involves reviewing the organisational policies and practices concerning data security and hashing protocols.
Audit / evidence tips
- Ask: the hash algorithm configuration report (request the current configuration of data processing applications). Good: confirmation that SHA-2 with at least 224 bits is configured.
- Ask: software specifications (obtain documentation for all critical systems in use). Good: mention of SHA-2 usage, specifying the preferred bit lengths (384 or 512).
- Ask: procurement records (request recent software procurement documents). Good: records showing SHA-2 with the recommended bit lengths as a purchase requirement.
- Ask: policy documentation (obtain the organisation's data security policy). Good: policies explicitly requiring the use of SHA-2 hashing algorithms.
- Ask: a compliance audit report (request the latest audit report on data security compliance). Good: the auditor's confirmation that the SHA-2 implementation conforms to organisational policy.
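The configuration review above can be partly automated. The following is an added example, not Control Stack or ISM material: it reads a constructed key=value configuration (the format and key names are assumptions) and classifies each hash setting against the ISM-1766 thresholds, distinguishing preferred, merely compliant, non-compliant and out-of-scope (non-SHA-2) algorithms.

```python
import re

# ISM-1766 thresholds: at least 224-bit output; SHA-384 or SHA-512 preferred.
MIN_BITS = 224
PREFERRED = {"sha384", "sha512"}

# Output size in bits of each SHA-2 family member (FIPS 180-4).
SHA2_OUTPUT_BITS = {
    "sha224": 224, "sha256": 256, "sha384": 384, "sha512": 512,
    "sha512_224": 224, "sha512_256": 256,
}
LEGACY_BITS = {"md5": 128, "sha1": 160}   # common weak choices seen in configs

def normalise(name):
    """Fold spellings such as 'SHA-256', 'SHA512/224' or 'sha-512-256' into one form."""
    n = name.strip().lower().replace("/", "_")
    n = re.sub(r"sha-?(\d)", r"sha\1", n)      # sha-512 -> sha512
    return re.sub(r"(\d)-(\d)", r"\1_\2", n)    # sha512-224 -> sha512_224

def assess(name):
    """Classify one configured algorithm: (verdict, output_bits); bits is None if unknown."""
    n = normalise(name)
    if n in SHA2_OUTPUT_BITS:                   # every SHA-2 member has >= 224-bit output
        return ("preferred" if n in PREFERRED else "compliant"), SHA2_OUTPUT_BITS[n]
    if n in LEGACY_BITS:
        return "non-compliant", LEGACY_BITS[n]
    return "not-sha2", None                     # e.g. SHA-3 or BLAKE2: outside this control

CONFIG_LINE = re.compile(r"^\s*([\w.]+)\s*[=:]\s*(\S+)")

def audit_config(text):
    """Return {key: (algorithm, verdict, bits)} for every key naming a hash or digest."""
    findings = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if not m:
            continue
        key, alg = m.groups()
        if "hash" in key.lower() or "digest" in key.lower():
            verdict, bits = assess(alg)
            findings[key] = (alg, verdict, bits)
    return findings

def failing_keys(findings):
    """Keys that an auditor would raise as findings under ISM-1766."""
    return sorted(k for k, (_, verdict, _) in findings.items() if verdict == "non-compliant")

# Constructed sample configuration; the keys and values are illustrative only.
SAMPLE_CONFIG = """
password_hash_algorithm = sha1
file_integrity.hash = SHA-256
signature_digest: SHA-384
backup.checksum_hash = SHA-512/224
log.hash = sha3-256
listen_port = 8443
"""

if __name__ == "__main__":
    for key, (alg, verdict, bits) in audit_config(SAMPLE_CONFIG).items():
        print(f"{key:26} {alg:12} {verdict:14} {bits or '?'} bits")
```

Algorithms reported as not-sha2 are not failures under this control but should be reviewed against the ISM's other cryptography guidelines.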
Cross-framework mappings
How ISM-1766 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.24 | ISM-1766 requires organisations to use SHA-2 hashing with an output size of at least 224 bits (preferably SHA-384 or SHA-512) to ensure s... | |