Use Appropriate SHA-2 Output Size for Hashing
Use SHA-2 with at least 384-bit output for secure data hashing.
Plain language
When you use hashing to secure your data, it's like putting a unique fingerprint on it. This control means you should use a strong type of fingerprint called SHA-2 with at least 384 bits. If you don't, your data could be vulnerable to attacks, making it possible for someone to tamper with or steal sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384 or SHA-512.
Why it matters
Using weaker SHA-2 output sizes (e.g., SHA-256) increases collision risk, enabling attackers to forge hashes and undermine integrity checks on sensitive data.
Operational notes
Confirm all hashing uses SHA-384 or SHA-512 (no SHA-224/256) by reviewing configs, libraries and code paths; update legacy defaults and prevent downgrades.
Implementation tips
- The IT team should ensure that any system or application doing data hashing is set up to use SHA-2 with at least 384 bits. They can do this by checking and updating the system settings or code configurations where hashing occurs.
- Managers should include a discussion about data hashing in their regular security reviews, focusing on whether systems use the recommended SHA-2 standard. They should set up meetings with IT to confirm hashing outputs are compliant.
- The procurement officer should verify that new software products purchased by the organisation support SHA-2 with a minimum of 384-bit output. They can do this by requesting documentation from vendors during the buying process.
- System administrators should routinely check logs and system settings to ensure hash algorithms have not been unintentionally changed to less secure versions. They can use scripts or monitoring software to automate these checks.
- Training coordinators should schedule regular sessions to remind staff about the importance of using strong hash functions. This helps maintain awareness and ensures staff recognise the importance of SHA-2 in data protection.
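As an added example (not part of the ISM or this page), a small Python check covering the operational note above and the administrators' automated-check tip: a hashing helper that fails closed on any SHA-2 output below 384 bits, and a line reviewer that flags config or log entries naming SHA-224/SHA-256 variants or carrying digests of those lengths. The sample lines and the `ism1768_digest`/`review_line` names are constructed for illustration.

```python
"""Added example (not from the ISM): checks supporting ISM-1768 reviews."""
import hashlib
import re

APPROVED = {"sha384", "sha512"}  # SHA-2 members with >= 384-bit output

def is_approved_algorithm(name: str) -> bool:
    """True only for SHA-384 / SHA-512 (hashlib or 'SHA-384' style spelling)."""
    return name.lower().replace("-", "") in APPROVED

def ism1768_digest(data: bytes, algorithm: str = "sha384") -> str:
    """Hash with an approved output size; fail closed on anything weaker so a
    legacy default cannot silently downgrade a code path to SHA-256."""
    if not is_approved_algorithm(algorithm):
        raise ValueError(f"{algorithm}: not SHA-2 with >= 384-bit output (ISM-1768)")
    return hashlib.new(algorithm.lower().replace("-", ""), data).hexdigest()

# Hex digest length -> SHA-2 member it is consistent with (assumes hex encoding).
HEX_LEN_TO_ALGO = {56: "SHA-224", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
_ALGO_NAME = re.compile(r"sha[-_]?(224|256|384|512)(?:/(224|256))?", re.I)
_HEX_DIGEST = re.compile(r"\b[0-9a-fA-F]{56,128}\b")

def review_line(line: str) -> list:
    """Findings for a config/log line naming a sub-384-bit SHA-2 variant or
    carrying a SHA-224/SHA-256-length digest. Length only identifies candidates
    (64 hex chars could also be SHA-512/256 or a non-SHA-2 hash): confirm them."""
    findings = []
    for m in _ALGO_NAME.finditer(line):
        bits = int(m.group(2) or m.group(1))       # SHA-512/256 -> 256-bit output
        if bits < 384:
            findings.append(f"algorithm name {m.group(0)} is below 384 bits")
    for m in _HEX_DIGEST.finditer(line):
        algo = HEX_LEN_TO_ALGO.get(len(m.group(0)))
        if algo in ("SHA-224", "SHA-256"):
            findings.append(f"{len(m.group(0))}-hex-char digest looks like {algo}")
    return findings

def audit(lines) -> dict:
    """Map line index -> findings for every line that needs attention."""
    return {i: f for i, line in enumerate(lines) if (f := review_line(line))}

SAMPLE_LINES = [  # constructed sample config/log lines for this example
    "tls.signature_algorithm = sha256",      # flagged: named 256-bit output
    "integrity.hash = SHA-512/256",          # flagged: truncated to 256 bits
    "manifest digest " + "3a" * 32,          # flagged: 64 hex chars (SHA-256 length)
    "artifact digest " + "3a" * 48,          # 96 hex chars, SHA-384 length
    "hash_algorithm = SHA-384",              # compliant
]
```

Run `audit(SAMPLE_LINES)` over exported configs or log extracts to get the lines to review; a flagged digest is a candidate to trace back to its code path, not proof of a SHA-256 call on its own.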
Audit / evidence tips
- Ask for the system's configuration documentation. This document should detail the hashing algorithms in use across systems. Good evidence would be a clear mention of SHA-384 or SHA-512 being used.
- Good evidence includes logs showing hash strings with appropriate lengths reflecting the recommended algorithms.
- Ask to see a list of security policies. Ensure there is a policy requiring SHA-2 with a minimum 384-bit output size for hashing.
- Good evidence will have this requirement clearly written in the contract or SLA terms.
- Ask the IT team for evidence of staff training on hashing algorithms. This could be training materials or attendance records. Check that the materials cover the importance of using SHA-2 with a 384-bit minimum size. Good evidence includes dated training documentation with these specifics.
Cross-framework mappings
How ISM-1768 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.24 | Partially meets | ISM-1768 requires that when SHA-2 is used for hashing, the organisation selects an output size of at least 384 bits (preferably SHA-384 o... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.