Identify Supplementary Controls for System Security
System owners consult officers to add extra security controls based on system specifics and organisational risk tolerance.
Plain language
System owners must work with the person who formally approves each system to decide if extra security measures are needed for that specific system. This matters because different systems face different risks: if you don’t tailor protections, you could expose sensitive data, lose operational time, or suffer financial and reputational damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Section
System owners
Official control statement
System owners, in consultation with each system's authorising officer, identify any supplementary controls required based upon the unique nature of each system, its operating environment and the organisation's risk tolerances.
Why it matters
If supplementary controls aren’t identified for a system’s unique environment and risks, gaps remain, increasing the likelihood of compromise, data loss or service outage.
Operational notes
With the authorising officer, assess each system’s unique environment and risk tolerance, document required supplementary controls, and revalidate after major changes or incidents.
Implementation tips
- Set up a short review meeting: System owners should meet with the system's authorising officer (the person who signs off on the system) and the IT lead to list the system's unique features, where it runs (office servers, cloud, or contractor systems), and what would be bad if it failed. Keep the meeting to one hour and record agreed actions in writing.
- Make sure you document the organisation's risk tolerance: The business owner or risk manager should write a two‑page statement saying how much downtime, data loss or privacy exposure is acceptable. Use plain examples (e.g. ‘if customer data is exposed we want immediate remediation’) so decisions on extra controls are consistent across systems.
- Ask your IT team to recommend specific supplementary controls: IT should provide plain options for the system (for example: stronger login methods, separate network area, extra backups, extra monitoring). For each option, include a short explanation of what risk it reduces and a rough estimate of cost and time to implement.
- Check that the authorising officer formally approves any supplementary controls: The authorising officer should sign or email approval for the selected extra controls and the system owner should record who is responsible for implementing and maintaining them. Keep this approval with the system's records so auditors can see the decision trail.
- Create a review and test plan: The system owner should schedule periodic checks (for example, every 6 or 12 months) to confirm the supplementary controls are still needed and working. Testing can be a simple checklist or a short demonstration from IT showing the control is in place and behaves as expected.
Audit / evidence tips
- Ask for the system-specific supplementary controls record: request the document that lists the extra controls identified for a named system and the approval from the authorising officer.
  Good evidence: a dated record showing controls, risk rationale, approver name and next review date.
- Ask to see the organisation’s short risk tolerance statement that the system owner used. Check that the supplementary controls align with that statement (for example, if there is low tolerance for data loss, there should be stronger backup controls).
  Good evidence: the record ties the controls back to the tolerance wording.
- Ask for the change request or project ticket that shows the controls were implemented (for example, adding extra backups, separating the system onto its own network segment, or enabling stronger log collection). Check for dates, people responsible and completion notes.
  Good evidence: a completed ticket with verification notes.
- Ask IT to show the auditor one of the supplementary controls in action (for example, a separate login page requiring extra steps, or a backup restore log). The observation should match the documented control.
  Good evidence: the demonstration works and matches the description in the record.
- Ask them how they decided on the supplementary controls, who approved them, and how they check that the controls remain effective.
  Good evidence: both can describe the approved controls, the risk they reduce, who approved them, and when the next review is due.
Cross-framework mappings
How ISM-0009 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Relationship: ISM-0009 supports the following four ISO/IEC 27001 controls.

| Control | Notes |
|---|---|
| Annex A 5.1 | ISM-0009 requires identifying additional controls for specific systems based on their unique risks, environments and the organisation’s r... |
| Annex A 5.4 | ISM-0009 requires system owners and authorising officers to identify supplementary controls based on system-specific risks, operating env... |
| Annex A 5.31 | ISM-0009 requires identifying supplementary controls needed for a system based on its unique context and risk tolerance. |
| Annex A 5.35 | ISM-0009 requires system owners and authorising officers to determine supplementary controls needed for each system given its unique risk... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.