Restrict Internet Access for Networked Devices
Limit internet connectivity to only the devices that need it, to ensure security.
Plain language
This control is about limiting internet access to only the devices that really need it. It matters because devices that shouldn't be online but are connected to the internet could be hacked, spreading viruses or leaking sensitive data, which could harm your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Internet connectivity for networked devices is strictly limited to those that require access.
Why it matters
Unnecessary internet-connected devices increase the attack surface, enabling compromise, malware spread and potential data exfiltration.
Operational notes
Regularly audit and enforce which devices have internet egress, removing access where not required and documenting approved exceptions.
Implementation tips
- Managers should identify which devices actually need internet access for essential business functions. Create a list by discussing with team members how each device is used and which tasks require internet connectivity.
- The IT team should configure network settings to restrict internet access for devices that aren't on the list. Use a router or firewall to allow internet access only to approved devices and block others.
- System owners should regularly review and update the list of devices needing internet access. This can be done by sending a monthly reminder to team leaders to check the current needs and report back.
- The IT team must set up alerts for any unauthorised device attempting to access the internet. Use basic network monitoring tools that notify administrators if a new device connects.
- Managers should hold a training session for staff to understand the risks of improper internet access. Use clear examples of potential threats and discuss how restricting access helps protect the business.
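One way to run the audit these tips and the operational notes describe, as an added example that is not part of the ISM or of this page's original text: it compares observed firewall egress with the approved-device register and reports each kind of gap. The log format, field names, addresses, approver name and 31-day review window are constructed assumptions.

```python
import re
from datetime import date

# Constructed approved-device register (the signed-off list the control calls for).
REGISTER = [
    {"ip": "10.0.20.15", "name": "finance-ws-01", "approved_by": "J. Lee", "approved_on": date(2026, 3, 1)},
    {"ip": "10.0.20.40", "name": "update-proxy", "approved_by": "J. Lee", "approved_on": date(2025, 11, 3)},
    {"ip": "10.0.20.77", "name": "kiosk-02", "approved_by": "", "approved_on": date(2026, 3, 1)},
]

# Constructed firewall egress log in a hypothetical key=value format.
LOG = """\
2026-03-18T09:14:07Z action=ACCEPT src=10.0.20.15 dst=203.0.113.10 dport=443
2026-03-18T09:15:31Z action=DROP src=10.0.30.8 dst=198.51.100.7 dport=443
2026-03-18T09:16:02Z action=ACCEPT src=10.0.30.22 dst=198.51.100.7 dport=80
garbled line the parser must skip
2026-03-18T09:17:45Z action=ACCEPT src=10.0.20.77 dst=203.0.113.10 dport=443
""".splitlines()

LINE = re.compile(r"action=(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=\S+ dport=\d+")

def audit(register, log_lines, today, review_days=31):
    """Compare observed egress with the register and return audit findings."""
    approved = {d["ip"]: d for d in register}
    seen, findings = set(), {"allowed_unapproved": set(), "blocked_attempt": set()}
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue  # unparseable lines are skipped, not counted as clean
        src, action = m["src"], m["action"]
        if src in approved:
            if action == "ACCEPT":
                seen.add(src)
        elif action == "ACCEPT":
            findings["allowed_unapproved"].add(src)  # firewall rules do not match the list
        else:
            findings["blocked_attempt"].add(src)     # block worked; raise an alert
    findings["unsigned"] = {ip for ip, d in approved.items() if not d["approved_by"]}
    findings["stale_review"] = {ip for ip, d in approved.items()
                                if (today - d["approved_on"]).days > review_days}
    findings["no_egress_seen"] = set(approved) - seen  # candidates for removing access
    return findings

if __name__ == "__main__":
    for name, ips in audit(REGISTER, LOG, date(2026, 3, 19)).items():
        print(f"{name}: {sorted(ips)}")
```

Devices are keyed by source IP here, which assumes static addressing or DHCP reservations on the audited network.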
Audit / evidence tips
- Ask: the current list of devices permitted internet access.
  Check: the list includes only operationally necessary devices and is signed off by a manager.
  Good: list will be dated, with device details and manager approval.
- Good: log will show only authorised device access or attempts.
- Ask: the network configuration settings.
  Check: that the settings enforce the access restrictions described.
  Good: settings will reflect exactly the list of approved devices.
- Good: report will show prompt recognition and handling of alerts.
- Ask: training session attendance records.
  Check: that recent sessions covered internet access risks and how they are managed.
  Good: attendance record will show wide participation across relevant staff.
Cross-framework mappings
How ISM-2068 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.23 | ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access |
| Supports | Annex A 8.21 | ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access |
| Supports | Annex A 8.22 | ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML1.4 | E8-RA-ML1.4 requires that privileged accounts authorised to use online services are limited to only the access required for their duties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.