Security Assessments for TOP SECRET Managed Services
TOP SECRET managed services must undergo security checks by ASD assessors every two years.
Plain language
If your business uses TOP SECRET managed services, they must be checked by ASD (Australian Signals Directorate) to ensure they're secure, at least every two years. This is important because without regular checks, sensitive data might be compromised, potentially leading to data breaches that could damage your reputation or cause financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Managed service providers and their TOP SECRET managed services, including sensitive compartmented information managed services, undergo a security assessment by ASD assessors (or their delegates), using the latest release of the ISM available prior to the beginning of the security assessment (or a subsequent release), at least every 24 months.
Why it matters
Without ASD-led assessments at least every 24 months, TOP SECRET managed services may retain unknown weaknesses and accreditation risk.
Operational notes
Schedule ASD (or delegate) security assessments at least every 24 months using the latest ISM release available before assessment; retain change records for scope.
Implementation tips
- The IT manager should schedule regular security assessments: Arrange for ASD assessors or approved delegates to review your services every 24 months. Make sure to keep a calendar reminder and organise it well in advance to ensure availability.
- The security officer should gather all relevant documentation: Before the assessment, collect necessary information about the services, including service configurations and any changes made since the last check. Ensure everything is comprehensive and up to date.
- The managed service provider needs to cooperate with assessors: Ensure your service provider is ready to work with assessors, giving them access and information necessary for a thorough review. Communicate clearly with the provider about the scope and requirements of the assessment.
- The compliance officer should update policies: After each assessment, review the findings with service providers and make necessary changes to your security policies. Document these updates and train your staff accordingly.
- Senior management should oversee the implementation: Management should review assessment results and ensure that recommendations are put into practice promptly. This includes allocating resources to address any highlighted security issues.
Audit / evidence tips
- Ask for the assessment schedule: Request a copy of the timeline that outlines when each managed service is due for its next security assessment by ASD. A good schedule will show completed assessments and upcoming reviews clearly.
- Ask to see the assessment results report: Examine the documented findings and recommendations from the most recent ASD assessment. A good report will show a timeline for addressing all recommendations.
- Ask for communication records with the provider: Request emails or meeting minutes that show discussions with the managed service provider about the assessment. A good record will show clear, agreed-upon steps to improve security.
- Ask to see updated security policies: Request the latest versions of security policies that have been updated post-assessment. A good update will clearly reflect adjustments made in response to specific assessment findings.
- Ask for training records related to security changes: Request documentation of staff training sessions conducted following policy updates. A good record will show regular and thorough training sessions for all relevant staff.
Cross-framework mappings
How ISM-1971 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.35 | ISM-1971 requires TOP SECRET managed service providers and services to undergo an ASD-led security assessment at least every 24 months us... |
| Partially overlaps | Annex A 5.36 | ISM-1971 mandates periodic ASD security assessments for TOP SECRET managed services, providing formal assurance against the ISM baseline |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.