ISM-1461, ASD Information Security Manual (ISM)

Ensure Same Classification for Virtualised Environments

All shared server environments must be of the same classification to maintain security integrity.

Plain language

When different virtual environments share the same physical server, they all need to be classified at the same security level, like SECRET or TOP SECRET. This is crucial because if environments with different security levels mix, sensitive information could leak to less secure areas, risking exposure or even legal issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When using a software-based isolation mechanism to share a physical server's hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.
Source: ASD Information Security Manual (ISM), ISM-1461

Why it matters

Mixing classifications risks data leakage; a less secure virtual environment could expose SECRET or TOP SECRET information, endangering national security.

Operational notes

Confirm the physical host and all VMs/containers are the same SECRET/TOP SECRET classification and security domain; block mixed-classification tenancy.

Implementation tips

  • IT Managers should ensure all virtual environments on a physical server have the same security classification. They should coordinate with system administrators to confirm that no virtual machine (VM) is running at a lower classification level than required.
  • System Owners must verify the classification of their environments regularly. They can do this by checking system documentation and confirming with IT staff that all VMs on shared hardware are aligned in classification.
  • Security Officers need to audit all virtual environments on shared servers. Conduct checks by reviewing classification policies and confirming that they match the environment's settings.
  • Procurement teams should only acquire servers capable of handling the highest classification level needed by any environment. They must coordinate with security officers to understand the classification requirements before purchasing.
  • The IT Support team should maintain thorough records of each virtual environment's classification level. They need to regularly update this information in a centralised system accessible to authorised personnel.

Audit / evidence tips

  • Ask: Server classification documentation. Request documents that list the classification levels of all virtual environments on shared physical servers. Good: Will include a spreadsheet or database entry showing consistent classifications.
  • Ask: Policy compliance reports. Request a report that confirms the environments are being managed according to the classification policy. Good: Will include evidence of periodic reviews and management sign-offs.
  • Ask: System change logs. Request logs that record any changes to virtual environments on these servers. Good: Will include detailed change records with timestamps and authorisation for modifications.
  • Ask: A list of server security approvals. Request the documentation that shows which personnel have authorised the server classifications. Good: Will have clear records of approvals and certification details.
  • Ask: Incident response procedures. Check if there are specific procedures for incidents related to classification breaches. Good: Will include a documented process for identifying and resolving classification errors swiftly.

Cross-framework mappings

How ISM-1461 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Depends on (1)
Annex A 5.12 ISM-1461 requires that when virtualisation is used to share a physical server for SECRET or TOP SECRET computing environments, the host a...

E8

Control Notes Details
Supports (1)
E8-RA-ML2.3 ISM-1461 requires same-classification and same-security-domain co-tenancy when virtualising SECRET or TOP SECRET environments on shared p...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
