ISM-1967 policy ASD Information Security Manual (ISM)

Ensure Security Assessment of TOP SECRET Systems

System owners and officers ensure TOP SECRET systems are correctly assessed for security measures.

Plain language

If you own a system that stores top secret information, you need to make sure it's properly checked for security. This is crucial because if something isn’t secure, sensitive information might be exposed, which could cause major damage to national security or your organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners, in consultation with each system's authorising officer, ensure controls for each TOP SECRET system and its operating environment, including each sensitive compartmented information system and its operating environment, undergo a security assessment by ASD assessors (or their delegates) to determine if they have been implemented correctly and are operating as intended.
Why it matters

If ASD assessors do not assess TOP SECRET controls and operating environments, weaknesses may go undetected, enabling compromise of compartmented information and national security harm.

Operational notes

Schedule ASD (or delegate) assessments for each TOP SECRET system and its operating environment; track findings and evidence of correct operation, then provide results to the authorising officer.

Implementation tips

  • System owners should organise a meeting with the authorising officer to discuss the security requirements of their top secret systems. They should walk through how the system is used and what sensitive information it holds, focusing on areas that might have security gaps.
  • The system's IT team should perform a preliminary security check before an official assessment. They should check that all the necessary security settings are turned on and working properly, such as password protection and data encryption.
  • Authorising officers need to engage with ASD assessors or their delegates for an official assessment. This involves arranging a date for the assessors to review the security controls of the system to ensure they are correctly implemented.
  • Managers should ensure that any feedback from the ASD assessment is documented and addressed. This means, after the assessment, compiling a list of recommendations and creating a plan to tackle any issues found.
  • The team responsible for each system should ensure ongoing monitoring and improvement of security measures. This can be done by scheduling regular internal reviews and updating their practices to align with the latest security standards from the Australian Cyber Security Centre.
Audit / evidence tips

  • Ask for: The security assessment plan. Request a document that outlines the scheduled security assessments for top secret systems. Good: The plan would detail past and upcoming assessments with clear timelines and contacts.
  • Ask for: Assessment reports from ASD assessors. Examine reports issued by assessors after evaluating the system, and check for a comprehensive review of all security controls with specific notes on any findings. Good: The report would highlight confirmed areas of compliance and areas requiring improvement.
  • Ask for: A follow-up document that shows actions taken based on assessor recommendations. Good: It would include dates, actions taken, responsible persons, and current status.
  • Ask for: Authorisation approval records. Require documents showing the authorising officer's approval after assessments. Good: The document would be recently dated, with explicit confirmation that the system meets security requirements.
Cross-framework mappings

How ISM-1967 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2):

  • Annex A 5.35: requires independent review of the organisation’s information security approach and its implementation at planned intervals ...
  • Annex A 8.34: requires audit tests and assurance activities involving operational systems to be planned and agreed with management.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.