ISM-1769 ASD Information Security Manual (ISM)

Using AES Encryption with Strong Key Lengths

Use AES encryption with a strong key length, preferably AES-256, for enhanced security.

Plain language

Using AES encryption with a strong key, like AES-256, keeps your data safe from hackers. If your data isn’t well protected, cybercriminals could steal sensitive information, leading to financial losses and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256.
ASD Information Security Manual (ISM), ISM-1769

Why it matters

Using AES with weak or non-approved variants can enable data compromise, leading to unauthorised disclosure, financial loss and reputational damage. Prefer AES-256 for stronger protection.

Operational notes

Regularly audit encryption configurations to ensure AES-128/192/256 only (prefer AES-256), and block legacy/weak cipher suites in applications, libraries and TLS settings.
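
One way to run the configuration audit described above, as an added example that is not part of the ISM or of this page's source. The verdict labels, the `LEGACY_TOKENS` list and the sample cipher names are assumptions of the example; the page does not enumerate which suites count as legacy.

```python
import re
import ssl

# Tokens treated as "legacy/weak" are an assumption of this example.
LEGACY_TOKENS = {"RC4", "ARCFOUR", "RC2", "DES", "3DES", "CBC3",
                 "NULL", "EXPORT", "EXP", "MD5"}
AES_RE = re.compile(r"AES[-_]?(\d{3})?", re.IGNORECASE)


def classify(suite):
    """Map one cipher or cipher-suite name to a verdict for an ISM-1769 audit."""
    tokens = set(re.split(r"[-_@.]", suite.upper()))
    if tokens & LEGACY_TOKENS:
        return "block"            # legacy/weak suite, per the operational note
    match = AES_RE.search(suite)
    if match is None:
        return "out-of-scope"     # not AES, so this control does not apply
    bits = match.group(1)
    if bits == "256":
        return "preferred"
    if bits in ("128", "192"):
        return "allowed"
    return "review"               # AES named without a recognisable key length


def audit(suites):
    """Return {verdict: [names]} for a list of configured cipher names."""
    report = {}
    for suite in suites:
        report.setdefault(classify(suite), []).append(suite)
    return report


# Constructed sample: names as they might appear in TLS, SSH or app configs.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "aes192-ctr",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "TLS_CHACHA20_POLY1305_SHA256",
    "AES-CBC",
]

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE).items():
        print(f"{verdict:13} {', '.join(names)}")
    # Same check against the suites this Python/OpenSSL build enables by default.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print(audit(local))
```

Logging the returned report on each run gives the assessment record that the audit tips ask for.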

Implementation tips

  • The IT team should choose AES-256 for encrypting sensitive data. This is done by configuring software and systems to use this encryption method to secure data, especially customer information and business-sensitive files.
  • Business owners should consult IT providers to ensure they use software that supports AES-256 encryption. They should ask their IT provider to confirm that the systems are set up correctly to achieve high security.
  • Managers should train staff on why using strong encryption is crucial. This involves organising training sessions to explain the importance of encryption in protecting company data and how to follow procedures that maintain high data security standards.
  • Procurement officers should verify that any new software or service purchase supports AES-256 encryption. This means checking product specifications and asking vendors for documentation that confirms compliance with this requirement.
  • System owners should conduct regular check-ups on their systems to ensure AES-256 encryption is in use. This includes performing routine audits or assessments and logging results to confirm that encryption standards are consistently applied.

Audit / evidence tips

  • Ask: The IT policies documentation. Good: Includes clear requirements stating AES-256 must be used for all data encryption processes.
  • Ask: System configuration reports from IT. These should show which encryption standards are currently applied. Good: Is documentation confirming that AES-256 is configured as the standard for all necessary systems.
  • Good: Record will detail that AES-256 was a purchase condition.
  • Ask: Logs of regular system assessments.
Cross-framework mappings

How ISM-1769 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.24 ISM-1769 requires that when AES is used for encryption it uses strong key lengths (AES-128/192/256), preferably AES-256

E8

Control Notes Details
Supports (1)
E8-RB-ML1.3 ISM-1769 requires the use of AES with strong key lengths, preferably AES-256, when AES is used for encryption

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
