Utilise Strong AES Encryption Algorithms
When encrypting with AES, use stronger versions like AES-192 or preferably AES-256 for better security.
Plain language
This control is about using strong encryption to protect your data when it is being stored or sent over the internet. By choosing a stronger form of encryption like AES-256, you make it much harder for hackers to access your sensitive information. If you don't do this, your data could be stolen, leading to financial loss, reputational damage, or privacy breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256.
Why it matters
Using weak AES encryption can expose sensitive data to breaches, resulting in financial loss and eroded trust.
Operational notes
Regularly audit systems and crypto libraries to ensure AES-256 (or at least AES-192) is enforced for all AES use, and block any AES-128 configurations.
Implementation tips
- IT team should review current encryption setups: Check what version of AES (Advanced Encryption Standard) is currently in use for encrypting data. Make sure the version is either AES-192 or AES-256, with a preference for AES-256 for the highest security.
- System administrators should update encryption settings: For systems using older or weaker encryption, upgrade to AES-256. This often involves changing settings in software configurations or updating encryption keys to ensure compliance.
- Procurement should specify encryption requirements in contracts: When purchasing new software or systems, include a requirement for AES-256 encryption. This can be done by adding it as a clause in contracts with software vendors.
- IT security team should conduct regular audits of encryption practices: Regularly check and verify that all systems are using AES-256 for encryption. Set up a schedule to review these settings at least annually.
- Train staff on the importance of strong encryption: Provide training sessions for employees to help them understand why strong encryption, like AES-256, is critical for safeguarding data. Use real-world examples to illustrate potential risks of using weaker encryption methods.
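The audit described in the operational notes and implementation tips can be partly automated. The following is an added example (not code from Control Stack or the ISM); it classifies AES key lengths found in cipher-suite and cipher names pulled from configuration files, flagging AES-128 as non-compliant and AES-256 as preferred. The configuration names and the file names in SAMPLE_CONFIGS are constructed sample values, not real systems.

```python
import re
from dataclasses import dataclass

# ISM-1770: AES-192 or AES-256 must be used, preferably AES-256.
COMPLIANT_BITS = {192, 256}
PREFERRED_BITS = 256

# Matches AES key sizes as they appear in cipher-suite and cipher names,
# e.g. "AES-128-GCM", "aes256", "TLS_AES_128_GCM_SHA256", "AES_192_CBC".
# Lookarounds are used instead of \b because "_" counts as a word character.
AES_BITS_RE = re.compile(r"(?<![A-Za-z0-9])AES[-_]?(128|192|256)(?![0-9])", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # config file or system the setting was read from
    cipher: str   # cipher or suite name exactly as configured
    bits: int     # AES key length named in it
    status: str   # "preferred", "compliant" or "non-compliant"


def classify_bits(bits: int) -> str:
    """Map an AES key length to its ISM-1770 status."""
    if bits == PREFERRED_BITS:
        return "preferred"
    if bits in COMPLIANT_BITS:
        return "compliant"
    return "non-compliant"


def audit_cipher_names(source: str, names: list) -> list:
    """Return one Finding per AES cipher name; non-AES ciphers are out of scope."""
    findings = []
    for name in names:
        match = AES_BITS_RE.search(name)
        if match is None:
            continue  # ChaCha20 etc. are not covered by this control
        bits = int(match.group(1))
        findings.append(Finding(source, name, bits, classify_bits(bits)))
    return findings


def audit_all(configs: dict) -> list:
    """Audit a mapping of {source: [cipher names]} across all sources."""
    findings = []
    for source, names in configs.items():
        findings.extend(audit_cipher_names(source, names))
    return findings


def non_compliant(findings: list) -> list:
    """Filter to the findings that must be blocked (AES-128)."""
    return [f for f in findings if f.status == "non-compliant"]


# Constructed sample input: cipher lists as they might be exported from a TLS
# server configuration and a backup tool's settings file.
SAMPLE_CONFIGS = {
    "web-tls.conf": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
    "backup-tool.ini": ["aes-128-cbc", "AES_192_CBC", "aes-256-gcm"],
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONFIGS):
        print(f"{f.source}: {f.cipher} -> AES-{f.bits} ({f.status})")
```

Run against real exports, the non-compliant list is the set of AES-128 configurations the operational notes say to block; the preferred/compliant split shows where AES-192 is still in use and could be raised to AES-256.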
Audit / evidence tips
- Ask for the encryption policy document: Request a copy of the organisation's policy on encryption standards. Look to confirm it specifies the use of AES-192 or AES-256 for all relevant data. Good: the document will clearly state AES-256 as the preferred method with clear guidelines on when it should be used.
- Ask for a recent encryption audit report: Request recent audit findings on encryption implementations within the organisation. Good: the report will show all systems meet the AES-256 requirement with evidence of recent checks.
- Ask for purchase contracts for new systems: Verify if the contracts specify encryption requirements. Good: the contract will clearly mandate AES-256 as part of technical specifications.
- Ask for system configuration logs: Request proof of system configurations that show encryption settings.
- Ask for staff training records: Request documentation of staff training sessions on encryption.
Cross-framework mappings
How ISM-1770 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Mapping | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-1770 requires that when AES is used for encryption, organisations select strong variants (AES-192 or preferably AES-256). |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.