Obtain Authorisation for TOP SECRET Systems
System owners must get official approval to operate TOP SECRET systems from the Director-General ASD.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
TS
🗓️ ISM last updated
Mar 2026
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
System Owners
System owners obtain an authorisation to operate for each TOP SECRET system, including for each sensitive compartmented information system, from Director-General ASD (or their delegate).
Source: ASD Information Security Manual (ISM)
Plain language
If you manage a system that handles highly secret information, you need official approval from the Director-General of the Australian Signals Directorate (ASD) or their representative. This matters because operating without approval could lead to severe security breaches, where extremely sensitive information might be exposed or misused.
Why it matters
Operating TOP SECRET systems without proper authorisation could expose highly sensitive data, risking national security and reputational damage to your organisation.
Operational notes
Regularly review system operations and communicate any changes to relevant stakeholders to ensure ongoing compliance with authorisation requirements.
Implementation tips
- System owners should identify all systems that handle TOP SECRET information and compile a comprehensive list of these systems. To do this, review all organisational assets and categorise them based on the sensitivity of the information they process.
- Managers should ensure that each TOP SECRET system is assessed for security risks before seeking authorisation. This involves working with a security consultant to evaluate existing protections and identify any potential vulnerabilities.
- System owners must prepare a risk assessment report for each TOP SECRET system. This should include details about the system's purpose, the data it handles, potential security risks, and current safeguards, and it should be presented to the Director-General ASD or their delegate.
- IT teams should implement recommended security controls based on the risk assessments conducted. This means applying appropriate measures such as advanced encryption, multi-factor authentication, and access restrictions to mitigate identified risks.
- System owners should schedule regular reviews of authorised systems to ensure they continue to meet security requirements. This involves establishing a timetable for audits and updating systems as necessary to address any new threats or vulnerabilities.
Audit / evidence tips
- Ask: the official authorisation letter for operating each TOP SECRET system
  Good: includes a properly signed and dated document specific to each system
- Good: is a thorough document showing all risks were considered and addressed
- Ask: evidence of implemented security controls on each system
  Good: is documentation proving regular maintenance and updates of security measures
- Good: includes a documented schedule of past and future reviews with results and follow-up actions
- Ask: to see records of any incidents or breaches involving the TOP SECRET system
  Good: consists of detailed incident reports with resolutions and corrective actions
Cross-framework mappings
How ISM-1968 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
No cross-framework mappings recorded yet.