ISM-1781: ASD Information Security Manual (ISM)

Ensure All Network Data is Encrypted

Make sure all data sent over any network is protected by encryption.

Plain language

Think of network encryption like a lock on your front door. When data is sent over the internet or through your office network, encryption makes sure that only the right people can understand it. Without encryption, anyone could take a peek at your sensitive information, leading to privacy breaches and potentially financial losses.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

All data communicated over network infrastructure is encrypted.
ASD Information Security Manual (ISM), ISM-1781

Why it matters

If network traffic is unencrypted, attackers can intercept credentials and sensitive data in transit, leading to breaches and loss of trust.

Operational notes

Regularly validate TLS/VPN configurations and cipher suites, and ensure all endpoints use ISM-approved encryption for data in transit.

Implementation tips

  • The IT team should assess all current network connections and identify any that aren't using encryption. They can do this by reviewing data flow diagrams and checking configurations on network devices like routers and switches.
  • Managers should work with IT to ensure all staff understand the importance of encrypting data. They can organise training sessions where IT explains how encryption protects sensitive information and what actions staff should take when sending emails or using online services.
  • Procurement should require encryption capabilities when purchasing new software or network services. They should ask vendors to demonstrate how their products encrypt data during transmission before making a purchase decision.
  • System owners must ensure that all internal communication tools, like chat and file-sharing platforms, use encryption. They can work with IT to enable and configure encryption settings, and double-check this protection is active.
  • HR should make sure that all relevant policies, including data handling and usage protocols, explicitly mandate the use of encryption for transmitting sensitive information. These policies should be part of employee onboarding and regularly reviewed in staff meetings.

Audit / evidence tips

  • Ask: Configuration logs from network devices. Request logs that show encryption settings are enabled. Good: a recent log showing all data pathways protected by encryption.
  • Good: regular sessions attended by all relevant staff, including notes or feedback from sessions.
  • Good: vendor documentation detailing encryption features and their evaluation against organisational needs.
  • Ask: Documentation of internal communication platforms. Ensure there's evidence of encryption settings being configured and regularly reviewed. Good: current settings documentation showing encryption is active, and any audit logs that verify usage.
  • Good: a well-circulated policy document that explicitly mentions encryption and has been acknowledged by all staff.

Cross-framework mappings

How ISM-1781 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.20
Notes: ISM-1781 requires all data communicated over network infrastructure to be encrypted to protect confidentiality and reduce interception risk.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
