ASD Information Security Manual (ISM)
Australian Signals Directorate Information Security Manual – principles and detailed guidelines for securing Australian Government systems.
What Is the ASD Information Security Manual?
The Information Security Manual – commonly called the ISM manual – is published by the Australian Signals Directorate (ASD) and provides a comprehensive set of cybersecurity principles and guidelines for protecting government systems and data. Its full official title is the Australian Government Information Security Manual.
The ISM covers an exceptionally broad range of security domains – from personnel security and physical security through to cryptography, network hardening, and software development. It is updated regularly by ASD to reflect the evolving threat landscape, with new controls added and existing ones refined as technology and attack techniques change.
Unlike the Essential Eight, which focuses on eight priority mitigations, the ISM provides detailed, granular guidance across every aspect of information security. The two frameworks are complementary: the Essential Eight establishes baseline cyber hygiene, while the ISM provides the comprehensive technical controls needed for higher-assurance environments.
Who Must Comply with the ISM?
Compliance with the Information Security Manual varies by organisation type and the classification of systems being operated.
- Australian Government agencies – mandatory under the Protective Security Policy Framework (PSPF). Agencies must apply ISM controls appropriate to the classification of their systems.
- Defence contractors and suppliers – required to meet ISM standards when handling classified information or operating systems connected to Defence networks.
- Critical infrastructure operators – encouraged to adopt ISM guidance, particularly for systems that process or store sensitive government data.
- State and territory agencies – many adopt the ISM voluntarily as a benchmark for their own cybersecurity programs.
- Supply chain organisations – any organisation in the Australian government supply chain that handles sensitive or classified information may be required to implement relevant ISM controls.
ISM Control Categories
The Information Security Manual organises its controls into guidelines grouped by domain. These cover three broad themes: people, process, and technology. The major categories include:
People
- Guidelines for personnel security
- Guidelines for outsourcing
- Guidelines for physical security
Process
- Guidelines for system management
- Guidelines for system monitoring
- Guidelines for software development
- Guidelines for product security
Technology
- Guidelines for system hardening
- Guidelines for networking
- Guidelines for cryptography
- Guidelines for gateways
- Guidelines for email
- Guidelines for database systems
- Guidelines for enterprise mobility
- Guidelines for ICT equipment
- Guidelines for media
- Guidelines for communications infrastructure
Use the quick filters in the sidebar to narrow controls by guideline category, or browse the full list below.
ISM Classification Levels
ISM controls are tagged with the minimum classification level at which they apply. The classification filter on this page lets you narrow controls to a specific level. The levels are:
| Code | Classification | Description |
|---|---|---|
| NC | Non-Classified | Baseline controls applicable to all government systems regardless of classification. |
| OS | OFFICIAL: Sensitive | Controls for systems handling information that could cause limited damage if compromised. |
| P | PROTECTED | Controls for systems where compromise could cause damage to national security or government operations. |
| S | SECRET | Controls for systems handling information that could cause serious damage to national security. |
| TS | TOP SECRET | Controls for the most sensitive systems where compromise could cause exceptionally grave damage. |
ISM vs Essential Eight vs ISO 27001
Australian organisations often need to navigate multiple security frameworks. The table below compares the three frameworks available in Control Stack to help you understand their scope and relationship.
| | ASD ISM | Essential Eight | ISO 27001 |
|---|---|---|---|
| Scope | Comprehensive government security guidelines | 8 priority mitigations | International ISMS standard |
| Controls | 1,073 | 149 (across 3 maturity levels) | 93 (Annex A) |
| Mandatory for | Australian Government | Australian Government | Voluntary (often contractually required) |
| Focus | Detailed technical security guidelines | Baseline cyber hygiene | Risk-based management system |
| Maturity model | No | Yes (ML1-ML3) | No (pass/fail certification) |
Control Stack maps controls across all three frameworks, so you can see which ISM controls align with Essential Eight strategies and ISO 27001 Annex A requirements.
How to Use the ISM Manual Controls on This Page
The control listing below contains all 1,073 ISM manual controls. Here is how to navigate them efficiently:
- Quick filters – use the sidebar filters to narrow controls by guideline domain (communications, cryptography, networking, etc.).
- Classification level β filter by NC, OS, P, S, or TS to see only the controls that apply at your system's classification level.
- Control detail β click any control for a plain-English explanation, implementation tips, audit evidence requirements, and cross-framework mappings.
- Pagination β use the per-page selector and navigation buttons to browse through all controls.
Many ISM controls align with ISO 27001 requirements. Get PECB ISO 27001 Lead Implementer certified with Mindset Cyber to build the skills needed for ISM compliance.