Control Stack.
A public catalogue of Australian security and AI governance controls. ISO/IEC 27001:2022, ISO/IEC 42001:2023, the ASD Essential Eight and the ASD Information Security Manual distilled into plain-language cards with implementation tips and audit evidence guidance.
Each control includes linked tags, classification levels and maturity cues so you can quickly see how ISO requirements align with ASD obligations, Essential Eight maturity goals or AI Management System (AIMS) obligations.
Why build this?
Controls are rewritten in plain English so stakeholders understand intent, not just clause numbers or acronyms.
Who it helps
CISOs, compliance managers, internal audit and partners who need a central library of authoritative control language.
What you get
Cross-framework mappings, implementation tips and audit-ready evidence examples for every control.
How teams use Control Stack.
- 1 ISO 27001 certification
Use the plain-language Annex A cards and audit evidence tips to draft your Statement of Applicability and prepare for Stage 1 and Stage 2 audits.
- 2 ISO 42001 AI management
Build an AI Management System (AIMS) using the Annex A controls - AI policy, impact assessments, data governance and supplier requirements - with plain-English guidance and cross-mapping to ISO 27001.
- 3 Essential Eight maturity uplift
Filter controls by maturity level and strategy to build a prioritised remediation plan, then share the implementation tips with your technical teams.
- 4 ISM compliance for government systems
Browse ISM controls by guideline and classification level to identify which controls apply to your system and use the cross-framework mappings to show alignment with ISO and Essential Eight.
- 5 Internal audit and assurance
Reference the audit evidence examples on each control card to build testing procedures, or use the cross-framework mappings to consolidate overlapping audit programs.
Have an issue or suggestion? Drop us a line at info@controlstack.au.