Tailoring System Controls for Security and Resilience
System owners work with authorising officers to customise security controls to meet system-specific needs.
Plain language
This control is about making sure that each system's security measures fit its unique needs. It’s important because a one-size-fits-all approach can leave parts of your business vulnerable to cyber threats, leading to data leaks or service disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
System owners
Official control statement
System owners, in consultation with each system’s authorising officer, select controls for each system and tailor them to achieve desired security and resilience objectives.
Why it matters
Fitting security measures to each system prevents exposure to unique risks, protecting data and maintaining service reliability.
Operational notes
Constant re-evaluation is key. Regularly review whether the selected security controls still align with the system's functions and the current threat landscape.
Implementation tips
- System owners should collaborate with the authorising officer to discuss the system's specific security needs. They can start by identifying what the system does, what data it holds, and potential threats it might face. This ensures the chosen security measures are relevant and effective.
- The IT team should help the system owner by performing a risk assessment on the system. This involves examining potential vulnerabilities and the impact of security breaches. They can use these insights to guide the selection of appropriate controls.
- Managers should ensure there are regular review meetings between system owners and authorising officers. These meetings should focus on evaluating the effectiveness of current security measures and making any necessary adjustments.
- Procurement teams need to work with system owners when selecting or updating software or services to ensure they meet the tailored security requirements. They should check vendor compliance with security standards before purchasing.
- System owners should document their control choices and reasons for tailoring them. They should store this documentation in an easily accessible format for future audits and reviews. This creates a clear audit trail showing how security decisions were made.
Audit / evidence tips
- Ask: the system security plan. Request a document that outlines the tailored security controls for a particular system and the rationale behind them.
  Good: includes clear descriptions of controls chosen, reasons for selection, and signatures of involved parties.
- Good: comprises thorough minutes showing active participation by all parties and clear action points.
- Ask: risk assessment reports. Request documents detailing potential threats and vulnerabilities identified for the system.
  Good: includes comprehensive analysis and alignment with security measures implemented.
- Good: presents up-to-date verification of the vendor's security capabilities relevant to the system.
- Ask: documented control reviews. Request records of regular assessments of control effectiveness.
  Good: is a series of well-documented reviews indicating proactive management of security controls.
Cross-framework mappings
How ISM-1634 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (5) | | |
| Annex A 8.8 | ISM-1634 requires system owners and authorising officers to select and tailor controls to achieve system-specific security and resilience... | |
| Annex A 8.9 | ISM-1634 requires system owners and authorising officers to select and tailor system controls to meet defined security and resilience obj... | |
| Annex A 8.15 | ISM-1634 focuses on tailoring system controls so the implemented control set achieves the system’s desired security and resilience outcomes | |
| Annex A 8.30 | ISM-1634 requires system owners (with the authorising officer) to select and tailor an appropriate set of system security controls to mee... | |
| Annex A 8.32 | ISM-1634 requires system owners, with the authorising officer, to choose and tailor a set of controls appropriate to the system’s securit... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.