Determine System Boundaries and Objectives
System owners work with officers to set system boundaries and objectives based on potential impact if compromised.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Mar 2026
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: N/A
Guideline: Guidelines for gateways
Section: System Owners
System owners continuously monitor the security of each system, and manage associated cyber threats, security risks and controls.
Source: ASD Information Security Manual (ISM)
Plain language
System owners need to work closely with their approving officer to decide how important and secure each system should be. If this isn't done, you might leave important business functions open to attacks or failures that could damage your business.
Why it matters
Without clear boundaries and objectives, systems may be improperly secured, leading to data breaches, operational disruption and reputational harm.
Operational notes
Regular reviews of system boundaries and objectives are essential. Stay aware of any changes in business processes that might affect these parameters.
Implementation tips
- System owners should establish a routine for monitoring system security. They can set up alerts to notify them of any unusual activity or potential threats, using simple software tools that don't require deep technical knowledge.
- Managers should ensure employees understand the basics of spotting suspicious activities. This can be done through regular training sessions that include easy examples of what to watch out for, such as unexpected emails or system slowdowns.
- The IT team should schedule regular system scans for viruses and malware. These can be automated using simple antivirus solutions and scheduled to run during off-peak hours to minimise disruption.
- System owners should review logs of system activity periodically. They can use a straightforward report format that highlights unusual patterns, like repeated failed login attempts.
- Managers should encourage open communication about potential security issues. Create a simple reporting process where staff can easily share concerns or strange observations, ensuring they are addressed promptly.
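As an added illustration of the log-review tip above (example code written for this page, not from the ISM or the Control Stack site), the script below flags repeated failed logins per user and source within a sliding time window and prints a short report. The log format, field names and sample lines are constructed for the example.

```python
# Added example: a simple failed-login report over constructed log lines.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a made-up "timestamp RESULT user source" format.
SAMPLE_LOG = """\
2026-03-19T09:00:05 FAIL alice 203.0.113.7
2026-03-19T09:00:09 FAIL alice 203.0.113.7
2026-03-19T09:00:14 FAIL alice 203.0.113.7
2026-03-19T09:00:20 FAIL alice 203.0.113.7
2026-03-19T09:01:00 OK alice 198.51.100.4
2026-03-19T09:05:00 FAIL bob 198.51.100.9
2026-03-19T10:30:00 FAIL bob 198.51.100.9
2026-03-19T10:31:00 FAIL bob 198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")

def parse(text):
    """Yield (timestamp, outcome, user, source); malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, outcome, user, source = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, source

def failed_login_report(text, threshold=3, window=timedelta(minutes=10)):
    """Return [(user, source, count, first, last)] for every (user, source)
    pair with at least `threshold` failures inside one `window`-long span."""
    failures = defaultdict(list)
    for ts, outcome, user, source in parse(text):
        if outcome == "FAIL":
            failures[(user, source)].append(ts)
    findings = []
    for (user, source), stamps in failures.items():
        stamps.sort()
        start, best = 0, None
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, stamps[start], ts)
        if best:
            findings.append((user, source, best[0], best[1], best[2]))
    return sorted(findings, key=lambda f: -f[2])  # most failures first

if __name__ == "__main__":
    for user, source, n, first, last in failed_login_report(SAMPLE_LOG):
        print(f"{user}@{source}: {n} failed logins between {first} and {last}")
```

With the defaults only alice's burst of four failures is reported; bob's three failures are spread across more than an hour, so they never exceed the threshold inside one window.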
Audit / evidence tips
- Ask: the system monitoring schedule. Request to see the calendar or list of dates showing when system checks are performed.
  Good: will show a consistent pattern of checks over time.
- Ask: logs of detected threats. Request logs or records showing any threats that have been caught.
  Good: will show timely detection and resolution of threats.
- Ask: employee training records. Request documentation of training sessions held to educate employees on spotting threats.
  Good: includes regular attendance and relevant topics.
- Ask: incident response reports. Request summaries of security incidents and how they were handled.
  Good: will show quick response and implemented improvements.
- Ask: communication logs. Request logs or records showing security concerns reported by employees.
  Good: demonstrates a working system for reporting and responding to potential security issues.
Cross-framework mappings
How ISM-1526 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 5.7 | ISM-1526 requires system owners to monitor each system and its associated cyber threats, security risks and controls on an ongoing basis | |
| Annex A 8.15 | ISM-1526 requires system owners to monitor each system and associated cyber threats, risks and controls on an ongoing basis | |
| Annex A 8.16 | ISM-1526 requires continuous monitoring of each system’s security and ongoing management of cyber threats, risks and controls based on sy... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (5) | | |
| E8-AC-ML2.8 | ISM-1526 requires ongoing system monitoring including cyber threats, risks and the state of controls | |
| E8-MF-ML2.9 | ISM-1526 requires system owners to continuously monitor each system’s security and manage associated threats, risks and controls within d... | |
| E8-RA-ML2.9 | ISM-1526 requires continuous security monitoring and ongoing management of threats, risks and controls for each system within set boundar... | |
| E8-RA-ML2.10 | ISM-1526 requires system owners to monitor systems and associated cyber threats and risks on an ongoing basis | |
| E8-AH-ML2.15 | ISM-1526 requires ongoing monitoring of systems and associated cyber threats, security risks and controls by system owners | |