ISM-2019, ASD Information Security Manual (ISM)

Routine Security Assessments for TOP SECRET Gateways

TOP SECRET gateways are reviewed for security by authorised assessors every two years.

Plain language

Every two years, a special expert comes in to check the security of our systems that protect the most sensitive information on our network. It’s like a regular health check-up for our security, to make sure that we are protected against the latest threats. If we skip this, we risk leaving ourselves open to cyber attacks that could expose our most secret information, possibly harming the whole organisation.

Framework: ASD Information Security Manual (ISM)
Control effect: Proactive
Classifications: TS
ISM last updated: Feb 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A

Official control statement

TOP SECRET gateways undergo a security assessment by ASD assessors (or their delegates), using the latest release of the ISM available prior to the beginning of the assessment (or a subsequent release), at least every 24 months.

Why it matters

Without ASD-led security assessments at least every 24 months, TOP SECRET gateways can drift from ISM requirements, leaving critical weaknesses unremediated.

Operational notes

Maintain a 24‑month assessment calendar for each TOP SECRET gateway, book ASD assessors (or delegates) early, and baseline testing against the latest ISM release.

Implementation tips

  • Authorised assessors from the Australian Signals Directorate (ASD) should schedule a security assessment of the TOP SECRET gateways. They should use the latest guidelines available, which act like a checklist to ensure everything is checked properly. This makes sure our most protected systems are up-to-date with security measures.
  • The IT team needs to prepare for the assessment by gathering all necessary documentation on the current security measures in place. They should ensure that all systems and protocols are in line with the latest release from the Information Security Manual (ISM) before the assessment starts.
  • Senior management should be involved in the initial and final debrief meetings for the security assessment. These meetings ensure that everyone understands the key findings and the steps to be taken next, reinforcing accountability at a high level.
  • The system owners should work with the IT team to address any issues found during the security assessment. They should use the assessment report to fix vulnerabilities, ensuring that improvements are completed within a planned timeframe to maintain security posture.
  • HR should communicate any significant protocol changes or improvements resulting from the security assessment to all staff. This ensures everyone is informed and compliance with new security measures is achieved across the organisation.

Audit / evidence tips

  • Ask: The latest security assessment report from the authorised assessors. Good: Includes a report from the last 24 months using the latest ISM available at the time.
  • Ask: To see evidence of completed security improvements from the last assessment. Good: Shows all recommendations are followed up with actions completed and recorded.
  • Good: Schedule shows planned assessments every two years with clear timelines.
  • Ask: Internal meeting notes or minutes that discuss the assessment outcomes. Good: Includes notes with action items and decisions documented after the assessment.
  • Good: Includes a document confirming implementation and systems now meet or exceed assessment recommendations.

Cross-framework mappings

How ISM-2019 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

No cross-framework mappings recorded yet.
