ISM-1968 ASD Information Security Manual (ISM)

Obtain Authorisation for TOP SECRET Systems

System owners must get official approval to operate TOP SECRET systems from the Director-General ASD.


Plain language

If you manage a system that handles highly secret information, you need official approval from the Director-General of the Australian Signals Directorate (ASD) or their representative. This matters because operating without approval could lead to severe security breaches, where extremely sensitive information might be exposed or misused.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners obtain an authorisation to operate for each TOP SECRET system, including for each sensitive compartmented information system, from Director-General ASD (or their delegate).

Why it matters

Operating TOP SECRET systems without proper authorisation could expose highly sensitive data, risking national security and reputational damage to your organisation.


Operational notes

Regularly review system operations and communicate any changes to relevant stakeholders to ensure ongoing compliance with authorisation requirements.


Implementation tips

  • System owners should identify all systems that handle TOP SECRET information and compile a comprehensive list of these systems. To do this, review all organisational assets and categorise them based on the sensitivity of the information they process.
  • Managers should ensure that each TOP SECRET system is assessed for security risks before seeking authorisation. This involves working with a security consultant to evaluate existing protections and identify any potential vulnerabilities.
  • System owners must prepare a risk assessment report for each TOP SECRET system. This should include details about the system's purpose, the data it handles, potential security risks, and current safeguards, and it should be presented to the Director-General ASD or their delegate.
  • IT teams should implement recommended security controls based on the risk assessments conducted. This means applying appropriate measures such as advanced encryption, multi-factor authentication, and access restrictions to mitigate identified risks.
  • System owners should schedule regular reviews of authorised systems to ensure they continue to meet security requirements. This involves establishing a timetable for audits and updating systems as necessary to address any new threats or vulnerabilities.

Audit / evidence tips

  • Ask: the official authorisation letter for operating each TOP SECRET system

    Good: includes a properly signed and dated document specific to each system

  • Good: is a thorough document showing all risks were considered and addressed

  • Ask: evidence of implemented security controls on each system

    Good: is documentation proving regular maintenance and updates of security measures

  • Good: includes a documented schedule of past and future reviews with results and follow-up actions

  • Ask: to see records of any incidents or breaches involving the TOP SECRET system

    Good: consists of detailed incident reports with resolutions and corrective actions


Cross-framework mappings

How ISM-1968 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.


No cross-framework mappings recorded yet.
