Using Hybrid Schemes for Secure Encryption
Ensure at least one encryption method is approved for strong protection against future quantum threats.
Plain language
This control is about using a combination of current and new methods to keep your data safe from future threats, including those posed by advanced computers yet to come. It matters because if you don't prepare now, your sensitive information could be at risk when these powerful new technologies become available, potentially leading to data breaches or loss of customer trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When a post-quantum traditional hybrid scheme is used, either the post-quantum cryptographic algorithm, the traditional cryptographic algorithm or both are AACAs.
Why it matters
If neither algorithm in a post-quantum/traditional hybrid is an AACA, encrypted data may be compromised as cryptanalysis improves or quantum attacks emerge.
Operational notes
Regularly review your PQ/traditional hybrid so that at least one component algorithm is an AACA, and replace any component that is no longer assessed as AACA.
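The reason one sound component is enough is the way hybrid schemes combine their shared secrets: both secrets are fed into one key derivation, so recovering the session key requires breaking both. The following added example (not part of this control page or the ISM) shows that combiner with an RFC 5869 HKDF built from the standard library, plus a small check of the ISM-1996 condition; the shared secrets, transcript and AACA set are constructed placeholders, not real KEM output or the ISM's actual AACA list.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ss_traditional: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive one session key from both components of a PQ/traditional hybrid.

    Concatenating the two shared secrets into the KDF input (the pattern hybrid
    key-exchange groups use) means an attacker must recover BOTH secrets: as long
    as one component remains unbroken, the derived key stays secret. Hashing the
    handshake transcript into the info string binds the key to this exchange.
    """
    if not ss_traditional or not ss_pq:
        raise ValueError("both hybrid components must contribute a shared secret")
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=ss_traditional + ss_pq)
    info = b"hybrid-session-key|" + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, 32)


def hybrid_meets_ism_1996(pq_algorithm: str, traditional_algorithm: str, aacas: set) -> bool:
    """ISM-1996: at least one component algorithm of the hybrid must be an AACA.

    `aacas` is whatever set the organisation maintains from the current ISM list;
    the values used in the test below are constructed placeholders.
    """
    return pq_algorithm in aacas or traditional_algorithm in aacas
```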
Implementation tips
- System owners should coordinate with cybersecurity experts to understand the basics of hybrid encryption. This involves learning about traditional and post-quantum algorithms to comprehend their significance in protecting information against potential future threats.
- The IT team should assess current encryption processes and identify opportunities to implement hybrid encryption methods. This can be done by first auditing existing systems to check which encryption algorithms are already in use and consulting cybersecurity guidelines from the Australian Cyber Security Centre (ACSC).
- Procurement officers should ensure any new software or systems being acquired support hybrid encryption technologies. They should ask vendors whether their products incorporate both traditional and post-quantum algorithms and require evidence or certifications that these meet standards set by the Australian Signals Directorate (ASD).
- Managers should arrange for regular training sessions for staff to understand the importance of encryption in the context of hybrid schemes. These sessions should focus on what encryption is, why it's important, and what's being done within the business to protect data today and in the future.
- The IT security manager should establish a monitoring system to consistently check the effectiveness of hybrid schemes in place. They can use performance metrics and regular reviews against the latest ACSC guidelines to ensure ongoing protection even as threats evolve.
Audit / evidence tips
- Ask for documentation of the encryption technologies currently in use: request a report that lists all encryption algorithms applied across systems.
  Good evidence should clearly show the integration of both algorithm types, with explanations of how they protect against modern and future threats.
- Ask to see procurement records for technology purchases: review the criteria and responses from vendors regarding encryption capabilities.
  Good evidence includes documented responses or certifications from vendors ensuring compliance with encryption standards.
- Good evidence will be a recent (e.g., annual) report confirming the integration and effectiveness of both traditional and post-quantum encryption algorithms.
- Ask for monitoring logs or reports showing the ongoing evaluation of encryption technologies.
  Good evidence is a consistent record showing proactive checks and updates made in alignment with evolving security guidance.
Cross-framework mappings
How ISM-1996 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1996 requires that when using a post-quantum/traditional hybrid encryption scheme, at least one of the component algorithms is an AAC... | |
| Related (1) | | |
| Annex A 8.27 | Annex A 8.27 requires documented secure architecture and engineering principles to be applied during development | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.