ISM-1635 ASD Information Security Manual (ISM)

Ensure Security Controls for System Environments

System owners must apply security measures to safeguard each system and its environment.

Plain language

System owners need to ensure that the right security measures are in place for each system and its environment. This is important because every system has different risks, and if these aren't managed, it could lead to data breaches, financial losses, or damage to your organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners implement controls for each system and its operating environment.

Why it matters

Without environment-specific controls, systems may be exposed by misconfigurations and unpatched dependencies in each environment, increasing compromise risk and outages.

Operational notes

Regularly review system-specific baseline settings and automate drift detection to ensure controls remain effective as environments evolve.

Implementation tips

  • System owners should conduct a security review for each system: Identify the system's components, where it operates, and what could go wrong. Engage with IT staff to list potential threats and vulnerabilities specific to that environment.
  • IT teams should apply tailored security controls: Once risks are identified, determine which security measures are needed. This might include setting up firewalls, encryption, or regular security software updates specific to that system's needs.
  • System owners should document security measures: Create and maintain a record of all security controls in place for each system, including why they were chosen and how they protect against specific risks.
  • Managers should regularly review security practices: Hold annual or semi-annual meetings to assess if the current security controls remain appropriate or if changes are needed, based on new risks or changes in system use.
  • Involve staff in security awareness: Provide training to all system users on the specific security measures in place and what is expected of them to support these protections in their daily activities.

Audit / evidence tips

  • Ask: The security measures documentation for each system: Request a detailed list of security controls implemented for a specific system. Good: Would include a comprehensive list of controls with an explanation for each.
  • Good: Includes an up-to-date access log with minimal unnecessary access.
  • Ask: Risk assessment reports: Request documentation of risk assessments carried out for each system. Good: Includes a detailed risk assessment that aligns with current security measures.
  • Ask: Records of any security training sessions conducted for staff. Good: Includes recent training sessions with high staff participation.
  • Ask: A change management policy: Request the policy that outlines how changes to system environments are managed. Good: Contains a clear, detailed change management protocol that includes security reviews.

Cross-framework mappings

How ISM-1635 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (4)

  • Annex A 7.6: ISM-1635 requires system owners to implement controls for systems and their operating environments
  • Annex A 8.8: ISM-1635 requires system owners to implement controls to protect systems and their environments
  • Annex A 8.9: ISM-1635 requires system owners to implement controls for each system and its operating environment
  • Annex A 8.19: ISM-1635 requires system owners to implement security controls for each system and its operating environment

E8

Related (2)

  • E8-AC-ML1.2: ISM-1635 requires system owners to implement controls that protect each system and its operating environment
  • E8-RA-ML1.5: ISM-1635 requires system owners to implement controls for each system and its operating environment

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.