Security Assessment for System Controls
System owners ensure security checks for specific systems to verify proper setup and operation.
Plain language
This control is about making sure that all security measures for important systems are set up correctly and are working as they should. It’s crucial because if these protections are not checked, you could be at risk of losing sensitive data or having your system compromised, leading to potential financial loss or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Section
System owners
Official control statement
System owners, in consultation with each system's authorising officer, ensure controls for each non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET system and its operating environment undergo a security assessment by their organisation's own assessors or Infosec Registered Assessor Program (IRAP) assessors to determine if they have been implemented correctly and are operating as intended.
Why it matters
Without security assessments, controls may be misconfigured or ineffective, increasing the likelihood of compromise and exposure of OFFICIAL: Sensitive to SECRET data.
Operational notes
Schedule periodic assessor or IRAP-led assessments to verify controls are correctly implemented and operating as intended, and record outcomes for the authorising officer.
Implementation tips
- System owners should work with the system's authorising officer to identify which systems need security assessments. They should review all systems classified as OFFICIAL: Sensitive, PROTECTED, or SECRET. They must ensure these systems are shortlisted for testing and validation.
- The IT team should organise security assessments for the identified systems. They should either prepare the internal assessors or engage someone from the Infosec Registered Assessor Program (IRAP) to conduct these tests. This involves setting a schedule and ensuring resources are available for a thorough review.
- System owners must document each system’s unique setup and security needs. This includes detailing where the system operates, the type of data it handles, and any existing security measures. These details will help assessors focus on critical aspects of the system during the assessment.
- Managers should arrange for internal training sessions to ensure everyone involved understands the security assessment process and their roles within it. This involves liaising with HR or internal training departments to develop simple, clear instructions and tutorials.
- Once the assessment is complete, system owners should review the results with their team and the authorising officer. This involves setting up a meeting to discuss the findings and agree on any changes or improvements needed to enhance security, then documenting those discussions and action items.
Audit / evidence tips
- Ask: the list of systems scheduled for security assessment. Request to see the documented list outlining which systems require an assessment and which have been reviewed.
  Good: the record shows all systems needing assessment clearly marked with dates of past and planned assessments.
- Ask: to see the security assessment reports. Request copies of the latest security assessment reports.
  Good: the report details specific areas needing improvement and estimates when those improvements will be completed.
- Ask: evidence of authorising officer sign-off. Request documentation showing that the authorising officer has reviewed and approved the assessment outcomes.
  Good: the sign-off document confirms the officer’s approval and that any suggested actions have been noted.
- Ask: to see training records. Request records or logs of any training sessions conducted about security assessments.
- Ask: a follow-up action plan. Request to see the documented action plan for addressing any issues found during the assessments.
  Good: the action plan includes clear responsibilities and realistic timelines for completion.
Cross-framework mappings
How ISM-1636 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.34 | Supports | ISM-1636 requires system owners, in consultation with the authorising officer, to ensure each system and its operating environment underg... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.