Develop a Detailed System Security Plan
Create a security plan detailing system purpose, management, and additional controls.
Plain language
A system security plan is like a blueprint for protecting your computer systems. It clearly shows what the system does, where it operates, and how it's managed. Without such a plan, you risk leaving gaps in your security, which could lead to data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Topic
System Security Plan
Official control statement
Systems have a system security plan that includes an overview of the system (covering the system's purpose, the system boundary and how the system is managed) as well as an annex that covers applicable controls from this document and any additional controls that have been identified and implemented.
Why it matters
Without a current system security plan, system boundaries, ownership and applicable ISM controls can be unclear, leading to missing controls and unmanaged changes that increase compromise risk.
Operational notes
Update the system security plan for changes to purpose, boundary, hosting or administration; maintain the annex mapping to applicable ISM controls and record versioned review/approval.
Implementation tips
- The system owner should develop a clear overview of the system, explaining why it's used and what makes it important. Do this by writing a short document that outlines its purpose, where it fits within your organisation, and key management details.
- IT teams need to define the system boundary, which means identifying all the parts of the system you control. Create a diagram or list that shows all servers, devices, and networks connected to your system.
- Managers should ensure there's a section in the plan that lists security measures currently in place. This involves working with IT to document steps taken to protect data, such as who controls access and how updates are handled.
- The system owner should work with the cybersecurity team to identify any extra security measures needed. Use risk assessments to identify potential threats, assign new controls to close the gaps they expose, and record those controls in the plan's annex alongside the applicable ISM controls.
- Managers should maintain and review this plan regularly to ensure it's up-to-date. Set a quarterly reminder to meet with IT and cybersecurity teams to discuss any changes in the system or its environment, updating the plan as needed.
Audit / evidence tips
- Ask for the system security plan document and check that it includes a system purpose section with a clear explanation of what the system is for.
  Good: a descriptive section that outlines the system's role in the organisation.
- Ask for the system boundary definition.
  Good: the plan has a detailed map or list of each component under its control.
- Ask for the section listing the security measures currently in place.
  Good: the plan provides a comprehensive list of these measures.
- Ask how they identify and implement additional controls.
  Good: they can explain how risks are assessed and any extra measures taken as a result.
- Ask how the plan is maintained and reviewed.
  Good: the process shows regular checks and updates to the plan, ensuring it remains relevant.
Cross-framework mappings
How ISM-0041 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (6) | | |
| Annex A 5.1 | Annex A 5.1 sets the requirement for organisational and topic-specific information security policies to be established and maintained thr... | |
| Annex A 5.2 | ISM-0041 requires a system security plan that explains how the system is managed, which commonly includes identifying accountable parties... | |
| Annex A 5.8 | Annex A 5.8 requires information security to be integrated into project management activities and decision-making | |
| Annex A 5.31 | ISM-0041 requires documenting a system’s applicable controls and any additional controls in a system security plan annex | |
| Annex A 5.36 | Annex A 5.36 requires regularly reviewing compliance with information security policies, rules and standards | |
| Annex A 5.37 | Annex A 5.37 requires operating procedures for information processing facilities to be documented and accessible to personnel who need them | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.