Regular Assessment of Security Events in CDS
Every three months, security events are reviewed to ensure CDS are working correctly and follow data transfer policies.
Plain language
This control is about checking every three months that the systems used to securely transfer data are working as they should and following the rules set out for them. If this isn't done, mistakes or security issues in data transfers may go unnoticed, potentially leading to data breaches or unauthorised access to sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Cross Domain Solutions
Official control statement
A sample of security-relevant events relating to data transfer policies are taken at least every three months and assessed against security policies for CDSs to identify any operational failures.
Why it matters
Without quarterly sampling and assessment of CDS data-transfer events, policy failures may go unnoticed, enabling unauthorised data exfiltration or disclosure.
Operational notes
At least every 3 months, sample CDS data-transfer events/logs and compare against transfer policies; record findings, investigate deviations, and remediate failures.
Implementation tips
- IT team should schedule a quarterly review: Regularly check the logs and records from systems that transfer data to ensure they comply with security policies. Set up a calendar reminder to perform these checks thoroughly every quarter.
- Security manager should gather relevant event samples: Collect specific examples of security events related to data transfers from the logs. This can be done by identifying and exporting security incident records and other relevant data transfer logs.
- System administrator should assess the logs: Analyse and compare the event samples against the organisation's data transfer policies to check for any breaches or failures. Use clear and simple checklists to make sure all aspects are reviewed consistently.
- Compliance officer should document findings: Record the results of each review, noting any discrepancies or compliance issues found in the security events. Use a standardised report template to ensure consistency across different time periods.
- CEO or top management should be informed: Report the review outcomes, including any identified issues and corrective actions taken or required, ensuring that high-level management is aware of the system's current security posture.
Audit / evidence tips
- Ask: the quarterly review schedule. Request a copy of the IT department's calendar or scheduling tool.
  Good: a clearly defined schedule showing reviews planned every three months without gaps.
- Ask: sample security event logs. Request the logs related to data transfers over the past quarter.
  Good: logs showing clear records of security events, including any abnormalities or incidents.
- Ask: compliance checklists. Request the checklists used by the system administrator during their quarterly assessments.
  Good: detailed checklists with all necessary policy checks completed and marked.
- Ask: review reports. Request the documented findings from past quarterly reviews.
  Good: comprehensive review reports showing issues identified and corrective actions implemented.
- Ask: management communication. Request evidence of communication with top management about review outcomes.
  Good: emails or briefing documents showing clear communication of results and planned actions.
Cross-framework mappings
How ISM-1523 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.36 | ISM-1523 requires a three‑monthly review of a sample of CDS security-relevant events against data transfer security policies to identify ... |
| Supports | Annex A 5.35 | ISM-1523 requires a three‑monthly assessment of sampled CDS security-relevant events against data transfer policies to detect operational... |
| Depends on | Annex A 6.8 | ISM-1523 requires that security-relevant events relating to CDS data transfer policies are sampled and assessed at least every three months |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.