ISM-1246 ASD Information Security Manual (ISM)

Apply Strict Server Application Hardening Guidelines

Servers are secured using the most restrictive guidance from ASD and vendors to protect against vulnerabilities.

Plain language

This control is about strengthening the security of server applications by following strict guidelines to reduce the risk of cyber attacks. If server applications are not properly secured, they can be vulnerable to hackers, potentially leading to data breaches and serious disruptions to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Why it matters

Without strict server application hardening (ASD/vendor baselines), default settings and weak services may be exploited, enabling unauthorised access or outages.

Operational notes

Maintain ASD and vendor hardening baselines for each server app; review updates and, where guidance conflicts, implement the most restrictive settings.

Implementation tips

  • The IT team should gather hardening guidelines from both the Australian Signals Directorate and the application vendors. This involves visiting the respective websites and downloading the latest guidance documents or security bulletins.
  • The system administrator should review these guidelines to identify any conflicting recommendations. This can be done by creating a comparison list and deciding which guidance to follow, prioritising the stricter set of rules.
  • The IT manager should ensure that these hardening measures are applied to each server application. This involves updating configurations as per the guidelines and checking that no recommended security settings are missed.
  • IT staff should conduct regular training sessions for everyone involved in server management. These sessions ensure all personnel are aware of the importance of adhering to the strict guidelines and know how to implement them effectively.
  • The business owner should allocate resources for regular security audits of the server applications to ensure continued compliance with the strictest hardening guidelines. This ensures that security configurations are up-to-date and effective.

Audit / evidence tips

  • Ask: The documented record of the hardening guidelines used: Request a list showing both the Australian Signals Directorate and vendor guidelines consulted. Good: Is an up-to-date list with notes on the decisions made for each conflict.
  • Ask: Configuration settings documentation: Review the settings applied to each server application against the list of guidelines. Good: A document verifying compliance with no skipped steps.
  • Ask: Training records for IT staff: Look into attendance records and training material to ensure sessions cover the security guidelines comprehensively. Good: Comprehensive coverage of the guidelines and 100% attendance by relevant staff.
  • Ask: Security audit reports: Ensure audits cover whether server applications are compliant with the strictest guidelines. Good: Includes a passed audit with clear notes on each guideline checked.
  • Ask: The change logs for server application configurations: Check if changes align with the strictest guidelines and when they were implemented. Good: Includes regular updates with documented rationale for each change.

Cross-framework mappings

How ISM-1246 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Supports (1)
Annex A 8.8: Annex A 8.8 supports ISM-1246 by establishing governance to identify, assess, and treat technical vulnerabilities, which encourages apply...

E8

Control Notes Details
Partially overlaps (3)
Related (3)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
