ASD's Information Security Manual: the controls AU government information systems must implement
The Australian Signals Directorate's Information Security Manual (ISM) is the federal government's cyber security controls framework. It is updated quarterly, and its reach extends by contract to many businesses that serve government.
What the ISM is
The Information Security Manual (ISM) is published by the Australian Signals Directorate (ASD), within the Australian Cyber Security Centre (ACSC). It provides a framework for cyber security across the Australian Government.
The ISM details cyber security guidelines and controls that Commonwealth Government entities are expected to implement to safeguard information and information systems. These controls are designed to reduce risk and improve the overall security posture of government networks.
The ISM is a living document, updated quarterly to incorporate new and evolving cyber threats and technological advancements.
Structure of the ISM
The ISM provides guidance on the controls that Australian government information systems must implement. The manual is structured around key information security topics, including governance, physical security, personnel security, communications security, communications systems and devices, system hardening, network design and configuration, cryptography, gateway security, data transfers, system monitoring, and incident response.
Controls within the ISM are presented as specific requirements, with many directly linked to information classification levels: OFFICIAL: Sensitive, PROTECTED, SECRET, and TOP SECRET. This tiered approach ensures security measures are appropriately scaled to the sensitivity of the data being protected.
The ISM incorporates recognised security frameworks, notably referencing the Essential Eight maturity check as a baseline mitigation strategy framework. This acknowledges established practices and provides a practical starting point for organisations seeking to improve their security posture.
Who must apply the ISM
Non-corporate Commonwealth entities are obligated to implement the Information Security Manual (ISM) as the baseline for technical information security controls. This requirement stems from the Protective Security Policy Framework (PSPF).
Corporate Commonwealth entities and bodies within state and territory governments are not mandated to apply the ISM, but are strongly encouraged to do so. Adopting the ISM provides a recognised framework for information security management.
Contractors working with Commonwealth information or managing Commonwealth systems are generally required to adhere to the ISM. This alignment is typically enforced through contractual obligations, especially within programs such as Right Fit For Risk (RFFR) and related defence industry initiatives.
How the ISM is used in practice
The Information Security Manual (ISM) operates on a risk-based approach. This means that the controls outlined within the manual are not universally applied; instead, entities must determine which controls are relevant to their specific systems. This determination is based on the classification of information held and the associated risks.
Formal assessment of systems against the ISM is undertaken by assessors accredited under the Information Security Registered Assessors Program (IRAP). This assessment process is a key step in achieving accreditation for Australian Government information systems.
The ISM is subject to ongoing updates, with releases occurring on a quarterly basis. To maintain compliance, entities and their contractors must establish and maintain processes to monitor these changes and then update their systems and associated policies. Suspected cyber security incidents should be reported via the cyber incident notification tool.
Frequently asked
Is the ISM mandatory for private businesses?
Not directly. The ISM is required for non-corporate Commonwealth entities and encouraged for others. However, contractors handling Commonwealth information or operating Commonwealth-related systems are typically required to align with the ISM through contractual terms — including via Right Fit For Risk (RFFR) and related programs.
How often is the ISM updated?
Quarterly. The Australian Signals Directorate publishes regular ISM updates reflecting emerging threats and technologies. Entities and contractors need a process to monitor changes and update systems and policies accordingly.