ISM-1461 ASD Information Security Manual (ISM)

Ensure Same Classification for Virtualised Environments

All shared server environments must be of the same classification to maintain security integrity.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When using a software-based isolation mechanism to share a physical server's hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.

Source: ASD Information Security Manual (ISM)

Plain language

When virtual environments handling SECRET or TOP SECRET information share the same physical server, the server and every environment on it must carry the same classification and belong to the same security domain. This is crucial because if environments with different security levels mix, sensitive information could leak to less secure areas, risking exposure or even legal issues.

Why it matters

Mixing classifications risks data leakage; a less secure virtual environment could expose SECRET or TOP SECRET information, endangering national security.

Operational notes

Confirm the physical host and all VMs/containers are the same SECRET/TOP SECRET classification and security domain; block mixed-classification tenancy.

Implementation tips

  • IT Managers should ensure all virtual environments on a physical server have the same security classification. They should coordinate with system administrators to confirm that no virtual machine (VM) is running at a lower classification level than required.
  • System Owners must verify the classification of their environments regularly. They can do this by checking system documentation and confirming with IT staff that all VMs on shared hardware are aligned in classification.
  • Security Officers need to audit all virtual environments on shared servers. Conduct checks by reviewing classification policies and confirming that they match the environment's settings.
  • Procurement teams should only acquire servers capable of handling the highest classification level needed by any environment. They must coordinate with security officers to understand the classification requirements before purchasing.
  • The IT Support team should maintain thorough records of each virtual environment's classification level. They need to regularly update this information in a centralized system accessible to authorized personnel.

Audit / evidence tips

  • Ask: server classification documentation: Request documents that list the classification levels of all virtual environments on shared physical servers

    Good: will include a spreadsheet or database entry showing consistent classifications

  • Ask: policy compliance reports: Request a report that confirms the environments are being managed according to the classification policy

    Good: will include evidence of periodic reviews and management sign-offs

  • Ask: system change logs: Request logs that record any changes to virtual environments on these servers

    Good: will include detailed change records with timestamps and authorisation for modifications

  • Ask: a list of server security approvals: Request the documentation that shows which personnel have authorised the server classifications

    Good: will have clear records of approvals and certification details

  • Ask: incident response procedures: Check if there are specific procedures for incidents related to classification breaches

    Good: will include a documented process for identifying and resolving classification errors swiftly
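
One way to test the inventory evidence described above against the control statement, as an added example that is not Control Stack's or ASD's own tooling. The CSV column names, host and guest names, and the choice to treat an unlabelled guest as a finding are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

IN_SCOPE = {"SECRET", "TOP SECRET"}  # ISM-1461 applies to S and TS environments

# Constructed sample inventory; the column layout is an assumption of this example.
SAMPLE_INVENTORY = """host,host_classification,host_domain,guest,guest_classification,guest_domain
hv-01,SECRET,DOM-A,vm-101,SECRET,DOM-A
hv-01,SECRET,DOM-A,vm-102,SECRET,DOM-A
hv-02,TOP SECRET,DOM-B,vm-201,TOP SECRET,DOM-B
hv-02,TOP SECRET,DOM-B,vm-202,SECRET,DOM-B
hv-03,SECRET,DOM-A,vm-301,SECRET,DOM-C
hv-04,SECRET,DOM-A,vm-401,,DOM-A
hv-05,PROTECTED,DOM-D,vm-501,PROTECTED,DOM-D
hv-05,PROTECTED,DOM-D,vm-502,OFFICIAL,DOM-D
"""

def norm(value):
    """Upper-case and collapse whitespace so 'top  secret' matches 'TOP SECRET'."""
    return " ".join((value or "").upper().split())

def find_violations(inventory_csv):
    """Return {host: [finding, ...]} for hosts that break same-classification co-tenancy."""
    hosts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        hosts[row["host"]].append(row)
    findings = {}
    for host, rows in hosts.items():
        host_cls, host_dom = norm(rows[0]["host_classification"]), norm(rows[0]["host_domain"])
        guest_classes = {norm(r["guest_classification"]) for r in rows}
        # The control is out of scope unless the host or any guest is SECRET or TOP SECRET.
        if not ({host_cls} | guest_classes) & IN_SCOPE:
            continue
        problems = []
        for r in rows:
            cls, dom = norm(r["guest_classification"]), norm(r["guest_domain"])
            if not cls or not dom:
                problems.append(f"{r['guest']}: missing label")  # assumption: unlabelled fails
            elif cls != host_cls:
                problems.append(f"{r['guest']}: classification {cls} != host {host_cls}")
            elif dom != host_dom:
                problems.append(f"{r['guest']}: domain {dom} != host {host_dom}")
        if problems:
            findings[host] = problems
    return findings

if __name__ == "__main__":
    for host, problems in find_violations(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(problems))
```

The PROTECTED/OFFICIAL host in the sample is skipped because ISM-1461 only covers SECRET and TOP SECRET environments; mixed tenancy there falls under other controls.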

Cross-framework mappings

How ISM-1461 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Depends on (1)
Annex A 5.12 ISM-1461 requires that when virtualisation is used to share a physical server for SECRET or TOP SECRET computing environments, the host a...

E8

Control Notes Details
Supports (1)
E8-RA-ML2.3 ISM-1461 requires same-classification and same-security-domain co-tenancy when virtualising SECRET or TOP SECRET environments on shared p...
