Use AES Encryption for IPsec Connections
AES encryption, preferably ENCR_AES_GCM_16, is recommended for securing IPsec connections.
Plain language
This control is about using a type of online lock called AES encryption to protect your internet connections from being accessed by criminals. If you don't use this encryption, your sensitive information, like customer data or confidential business emails, could be intercepted by malicious actors, leading to breaches that could damage your reputation and result in financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Internet Protocol Security
Topic
Encryption Algorithms
Official control statement
AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.
Why it matters
If IPsec is not encrypted with AES (preferably ENCR_AES_GCM_16), attackers can intercept or alter in-transit traffic, exposing sensitive data.
Operational notes
Regularly review IPsec proposals/SA settings to ensure AES is used, preferably ENCR_AES_GCM_16, and remove weaker ciphers from all peers.
Implementation tips
- The IT team should ensure that all IPsec connections use AES encryption, preferably ENCR_AES_GCM_16, to protect data in transit. This is done by configuring the IKE and ESP proposals on network devices such as routers and firewalls to offer only AES-based transforms.
- Managers should schedule regular training for IT staff to stay current on encryption best practice, for example webinars or workshops, so the team knows how to implement AES for IPsec correctly.
- System owners need to collaborate with IT staff to assess the encryption proposals currently in use and upgrade them where necessary. This involves reviewing existing peer settings and confirming they use ENCR_AES_GCM_16 wherever the peers support it.
- A security officer should evaluate third-party services to confirm they use AES encryption on their IPsec interfaces. This can be done by requesting encryption method disclosures from the service providers.
- IT staff should document all changes made to the encryption settings, including when each change was made and why. This documentation supports regular compliance audits and serves as a reference when troubleshooting future issues.
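The proposal review called for in the operational notes and the first implementation tip can be automated. The script below is an added example, not part of this control page or any vendor's tooling: it grades strongSwan-style proposal strings (assumed format such as "aes256gcm16-ecp384", comma-separated for multiple proposals) by mapping each encryption token to its IKEv2 ENCR_* transform name, then reports whether every proposal uses ENCR_AES_GCM_16, some other AES mode, or a non-AES cipher that must be removed. The peer list is constructed sample data.

```python
import re
from typing import Optional

# strongSwan-style encryption tokens -> IKEv2 ENCR_* transform names (IANA Transform Type 1).
_GCM = re.compile(r"^aes(128|192|256)gcm(8|12|16|64|96|128)$")
_CCM = re.compile(r"^aes(128|192|256)ccm(8|12|16|64|96|128)$")
_CBC = re.compile(r"^aes(128|192|256)$")
_CTR = re.compile(r"^aes(128|192|256)ctr$")
_ICV = {"8": 8, "64": 8, "12": 12, "96": 12, "16": 16, "128": 16}  # ICV in bytes or bits
_OTHER = {"3des": "ENCR_3DES", "des": "ENCR_DES", "null": "ENCR_NULL",
          "chacha20poly1305": "ENCR_CHACHA20_POLY1305"}

def encr_name(token: str) -> Optional[str]:
    """IKEv2 ENCR_* name for an encryption token; None for integrity/PRF/DH tokens."""
    if m := _GCM.match(token):
        return f"ENCR_AES_GCM_{_ICV[m.group(2)]}"
    if m := _CCM.match(token):
        return f"ENCR_AES_CCM_{_ICV[m.group(2)]}"
    if _CBC.match(token):
        return "ENCR_AES_CBC"
    if _CTR.match(token):
        return "ENCR_AES_CTR"
    if token in _OTHER:
        return _OTHER[token]
    if token.startswith(("camellia", "blowfish", "cast", "serpent", "twofish")):
        return "ENCR_OTHER"  # non-AES; the exact transform ID does not matter for this check
    return None

def check_proposals(proposals: str) -> dict:
    """Grade a proposal list: 'preferred' (all AES-GCM-16), 'aes-not-gcm16', or 'fail'."""
    found = []
    for proposal in proposals.split(","):
        names = [n for n in (encr_name(t) for t in proposal.split("-")) if n]
        found.append(names[0] if names else "ENCR_NONE")  # no cipher token (e.g. AES-GMAC) fails
    if any(not n.startswith("ENCR_AES_") for n in found):
        grade = "fail"            # a non-AES or unrecognised cipher is offered: remove it
    elif all(n == "ENCR_AES_GCM_16" for n in found):
        grade = "preferred"       # meets the control's preferred transform
    else:
        grade = "aes-not-gcm16"   # AES is used, but not the preferred ENCR_AES_GCM_16
    return {"grade": grade, "encr": found}

CONSTRUCTED_PEERS = {  # constructed sample data, not exported from any real device
    "site-a": "aes256gcm16-ecp384",
    "site-b": "aes256gcm16-ecp256,aes128gcm16-ecp256",
    "legacy-c": "aes128-sha256-modp2048",
    "legacy-d": "3des-sha1-modp1024,aes128-sha1-modp1024",
}

def audit(peers: dict) -> dict:
    """Grade every peer's proposal list, keyed by peer name."""
    return {peer: check_proposals(p) for peer, p in peers.items()}

if __name__ == "__main__":
    for peer, result in audit(CONSTRUCTED_PEERS).items():
        print(f"{peer:10} {result['grade']:14} {', '.join(result['encr'])}")
```

Run it against proposal strings exported from each peer; any "fail" row identifies a weaker cipher to remove, and "aes-not-gcm16" rows are candidates to move to ENCR_AES_GCM_16.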
Audit / evidence tips
- Ask: a network configuration report. Request a detailed report showing encryption settings on network devices such as routers and firewalls.
  Good: shows devices configured with ENCR_AES_GCM_16, consistently across the network.
- Ask: training records. Request attendance logs and materials from any staff training conducted on encryption.
  Good: an up-to-date training log with participant names and dates.
- Ask: vendor compliance documents. Request assurances or reports from third-party vendors detailing their encryption methods.
  Good: includes documentation verifying the use of AES encryption for all IPsec connections, with traceable verification.
- Ask: change history documentation. Request logs of changes made to the system's encryption configurations.
  Good: shows detailed, dated records of when AES encryption, specifically ENCR_AES_GCM_16, was implemented.
- Ask: review meeting minutes. Request minutes from meetings where encryption upgrades were discussed and planned.
  Good: well-documented minutes that include the discussions and decisions related to using ENCR_AES_GCM_16.
Cross-framework mappings
How ISM-1771 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1771 requires AES to be used for encrypting IPsec connections, preferably using ENCR_AES_GCM_16 | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.