Operate Approved High Assurance Cryptographic Equipment
Use approved high-security cryptographic tools according to Australian guidelines.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S, TS
🗓️ ISM last updated
Aug 2023
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Cryptographic fundamentalsHACE are issued an Approval for Use by ASD and operated in accordance with the latest version of their associated Australian Communications Security Instructions.
Source: ASD Information Security Manual (ISM)
Plain language
It's all about making sure that when we use high-security equipment to encode information, like secret business emails or customer data, we are following Australia's strict rules. If we don’t stick to these guidelines, someone could potentially crack that information open, leading to data breaches that can harm trust and security.
Why it matters
Using non‑ASD approved HACE or operating it outside ACSIs can weaken encryption and key handling, exposing classified/sensitive data and enabling compromise.
Operational notes
Regularly verify all HACE retain ASD Approval for Use, and operate/configure them strictly to the latest ACSIs, including key management, physical handling and operator procedures.
Implementation tips
- The IT manager should ensure that only approved cryptographic equipment is used. They can do this by checking the Australian Signals Directorate (ASD) list of approved tools and making sure all equipment in use is listed.
- Procurement should verify that any new cryptographic equipment being ordered is ASD-approved. They need to cross-reference all prospective purchases against the approved list before finalising any order.
- The system administrator must keep equipment updated according to the latest Australian Communications Security Instructions. They should sign up for updates from the ASD to receive the latest guidelines directly.
- Senior management should hold a quarterly meeting with the IT team to review cryptographic practices. This meeting should include a review of current equipment and verification against the approved list.
- The compliance officer is responsible for ensuring procedures are documented. This includes creating a checklist based on ASD guidelines for deploying and maintaining high-security cryptographic equipment.
Audit / evidence tips
-
Ask: the list of all cryptographic equipment in use: Make sure it includes model numbers and purchase dates
Good: includes a spreadsheet or document with each item's details and ASD approval noted
-
Good: will be a document with a recent date that matches the current ASD publications
-
Ask: procurement records of cryptographic equipment: Check that every purchase order includes notations of ASD approval checks. Good records highlight a clear process for purchasing only approved equipment
-
Ask: to see the meeting minutes from quarterly reviews on cryptographic practices: Verify that the minutes discuss equipment validation against the ASD's approved list
Good: includes detailed minutes showing active management review and compliance
-
Good: shows regular updates and cross-verification against ASD guidelines
Cross-framework mappings
How ISM-1802 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.24 | ISM-1802 requires organisations to use ASD-approved High Assurance Cryptographic Equipment (HACE) and operate it in accordance with the a... | |
| Supports (1) | ||
| Annex A 5.37 | ISM-1802 requires organisations to operate ASD-approved HACE in line with the latest ACSI, which implies disciplined, documented operatin... | |