Operate Approved High Assurance Cryptographic Equipment
Use approved high-security cryptographic tools according to Australian guidelines.
Plain language
It's all about making sure that when we use high-security equipment to encode information, like secret business emails or customer data, we are following Australia's strict rules. If we don’t stick to these guidelines, someone could potentially crack that information open, leading to data breaches that can harm trust and security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Cryptographic fundamentalsOfficial control statement
HACE are issued an Approval for Use by ASD and operated in accordance with the latest version of their associated Australian Communications Security Instructions.
Why it matters
Using non‑ASD approved HACE or operating it outside ACSIs can weaken encryption and key handling, exposing classified/sensitive data and enabling compromise.
Operational notes
Regularly verify all HACE retain ASD Approval for Use, and operate/configure them strictly to the latest ACSIs, including key management, physical handling and operator procedures.
Implementation tips
- The IT manager should ensure that only approved cryptographic equipment is used. They can do this by checking the Australian Signals Directorate (ASD) list of approved tools and making sure all equipment in use is listed.
- Procurement should verify that any new cryptographic equipment being ordered is ASD-approved. They need to cross-reference all prospective purchases against the approved list before finalising any order.
- The system administrator must keep equipment updated according to the latest Australian Communications Security Instructions. They should sign up for updates from the ASD to receive the latest guidelines directly.
- Senior management should hold a quarterly meeting with the IT team to review cryptographic practices. This meeting should include a review of current equipment and verification against the approved list.
- The compliance officer is responsible for ensuring procedures are documented. This includes creating a checklist based on ASD guidelines for deploying and maintaining high-security cryptographic equipment.
Audit / evidence tips
- AskThe list of all cryptographic equipment in use: Make sure it includes model numbers and purchase dates GoodIncludes a spreadsheet or document with each item's details and ASD approval noted
- GoodWill be a document with a recent date that matches the current ASD publications
- AskProcurement records of cryptographic equipment: Check that every purchase order includes notations of ASD approval checks. Good records highlight a clear process for purchasing only approved equipment
- AskTo see the meeting minutes from quarterly reviews on cryptographic practices: Verify that the minutes discuss equipment validation against the ASD's approved list GoodIncludes detailed minutes showing active management review and compliance
- GoodShows regular updates and cross-verification against ASD guidelines
Cross-framework mappings
How ISM-1802 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1802 requires organisations to use ASD-approved High Assurance Cryptographic Equipment (HACE) and operate it in accordance with the a... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.37 | ISM-1802 requires organisations to operate ASD-approved HACE in line with the latest ACSI, which implies disciplined, documented operatin... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.