ISM-1634 ASD Information Security Manual (ISM)

Tailoring System Controls for Security and Resilience

System owners work with authorising officers to customise security controls to meet system-specific needs.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
System owners, in consultation with each system's authorising officer, select controls for each system and tailor them to achieve desired security and resilience objectives.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that each system's security measures fit its unique needs. It’s important because a one-size-fits-all approach can leave parts of your business vulnerable to cyber threats, leading to data leaks or service disruptions.

Why it matters

Fitting security measures to each system prevents exposure to unique risks, protecting data and maintaining service reliability.

Operational notes

Constant re-evaluation is key. Regularly review whether the selected controls still align with the system's functions and the current threat landscape.

Implementation tips

  • System owners should collaborate with the authorising officer to discuss the system's specific security needs. They can start by identifying what the system does, what data it holds, and potential threats it might face. This ensures the chosen security measures are relevant and effective.
  • The IT team should help the system owner by performing a risk assessment on the system. This involves examining potential vulnerabilities and the impact of security breaches. They can use these insights to guide the selection of appropriate controls.
  • Managers should ensure there are regular review meetings between system owners and authorising officers. These meetings should focus on evaluating the effectiveness of current security measures and making any necessary adjustments.
  • Procurement teams need to work with system owners when selecting or updating software or services to ensure they meet the tailored security requirements. They should check vendor compliance with security standards before purchasing.
  • System owners should document their control choices and reasons for tailoring them. They should store this documentation in an easily accessible format for future audits and reviews. This creates a clear audit trail showing how security decisions were made.

Audit / evidence tips

  • Ask: the system security plan. Request a document that outlines the tailored security controls for a particular system and the rationale behind them.

    Good: includes clear descriptions of controls chosen, reasons for selection, and signatures of involved parties.

  • Good: comprises thorough minutes showing active participation by all parties and clear action points.

  • Ask: risk assessment reports. Request documents detailing potential threats and vulnerabilities identified for the system.

    Good: includes comprehensive analysis and alignment with security measures implemented.

  • Good: presents up-to-date verification of the vendor's security capabilities relevant to the system.

  • Ask: documented control reviews. Request records of regular assessments of control effectiveness.

    Good: is a series of well-documented reviews indicating proactive management of security controls.

Cross-framework mappings

How ISM-1634 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Supports (5)

  • Annex A 8.8: ISM-1634 requires system owners and authorising officers to select and tailor controls to achieve system-specific security and resilience...
  • Annex A 8.9: ISM-1634 requires system owners and authorising officers to select and tailor system controls to meet defined security and resilience obj...
  • Annex A 8.15: ISM-1634 focuses on tailoring system controls so the implemented control set achieves the system's desired security and resilience outcomes.
  • Annex A 8.30: ISM-1634 requires system owners (with the authorising officer) to select and tailor an appropriate set of system security controls to mee...
  • Annex A 8.32: ISM-1634 requires system owners, with the authorising officer, to choose and tailor a set of controls appropriate to the system's securit...
