ISM-2109 ASD Information Security Manual (ISM)

Pre-Boot Authentication for Encrypted System Volume Media

Devices with encrypted system volumes must require a password at start-up, or release the unlock key through a managed network, before the device boots.


Plain language

A "system volume" is the part of a computer's storage that holds the operating system and start-up files, and encryption scrambles that storage so it cannot be read without the right key. This control means that before such a device will start up, it must either prompt the user for a password, or automatically receive its unlock key from a trusted system on your network. This matters because if a laptop or device is lost or stolen, this start-up barrier stops a thief from simply turning it on and reading everything inside.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

18 June 2026

E8 maturity levels

N/A

Official control statement

Pre-boot authentication using passwords, or managed network-based key release, is implemented for media containing encrypted system volumes.

Why it matters

A lost or stolen device with no pre-boot authentication can be switched on and its encrypted system volume read in full, exposing all data and credentials it holds.


Operational notes

Re-check pre-boot authentication whenever devices are re-imaged, reissued, or after operating system upgrades, since major updates can reset encryption settings.


Implementation tips

  • IT administrators should turn on full disk encryption with pre-boot authentication on every device that holds a system volume, for example by enabling BitLocker with a start-up PIN or password on Windows, or FileVault on Apple computers, so the device asks for a password before it will boot.
  • IT administrators should choose between the two approved methods for each device type: a pre-boot password that the user types in at start-up, or a managed network-based key release where a trusted server on your network hands the device its unlock key automatically when it is connected.
  • Where network-based key release is used, IT teams should configure the key server so it only releases unlock keys to recognised devices on the corporate network, meaning a stolen device taken off-site cannot obtain its key and will not boot.
  • The person managing devices should set and document a strong pre-boot password or PIN policy (for example a minimum length and no reuse of common passwords) and record recovery keys securely in a separate, access-controlled location.
  • Whoever issues new laptops and portable devices should add 'encrypted system volume with pre-boot authentication enabled' to the standard build checklist, so no device is handed to a staff member until this protection is switched on and tested.

Audit / evidence tips

  • Ask: the IT administrator for the list of devices with encrypted system volumes and the authentication method used for each. Look at: whether every applicable device is covered. Good: a complete inventory showing each device has either a pre-boot password or managed network key release enabled.
  • Ask: to watch a device being started up. Look at: whether it demands a password before the operating system loads, or whether it pauses to receive a key from the network server. Good: the device clearly refuses to boot until authentication succeeds.
  • Ask: for the configuration or policy settings that enforce pre-boot authentication (for example BitLocker or FileVault settings, or the key server configuration). Look at: whether the settings are applied centrally and cannot be turned off by the user. Good: a documented, enforced policy rather than per-device manual setup.
  • Ask: how the managed network-based key release server decides which devices get a key. Look at: whether it only releases keys to known devices on the corporate network. Good: the administrator explains that a device removed from the network or unknown to the server will not be unlocked.
  • Ask: where pre-boot passwords and recovery keys are stored and who can access them. Look at: whether recovery keys are kept separately from the devices and access is restricted. Good: recovery keys held in a controlled vault with limited, logged access.

Cross-framework mappings

How ISM-2109 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: ISM-2109 mandates pre-boot authentication (password or managed network key release) for devices with encrypted system volumes before the ...

Partially overlaps (2)
  • Annex A 5.17: ISM-2109 mandates implementing pre-boot authentication using passwords or managed network-based key release for encrypted system volumes
  • Annex A 8.24: ISM-2109 requires pre-boot authentication or managed network-based key release as part of unlocking encrypted system volumes

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
