
ASD Information Security Manual (ISM)

Australian Signals Directorate Information Security Manual – principles and detailed guidelines for securing Australian Government systems.

March 2026 release

1,081 controls, 22 guidelines

What is the ASD Information Security Manual?

The Information Security Manual (ISM) is the cyber security framework published by the Australian Signals Directorate (ASD). It outlines a comprehensive set of principles, guidelines and controls that organisations can apply — using their own risk management framework — to protect information technology and operational technology systems from cyber threats.

The ISM is updated regularly and reflects ASD's considered advice, drawing on its threat intelligence, incident response experience and engagement with Australian organisations. The current edition is dated March 2026 and introduces significant changes including AI governance, cryptographic agility (post-quantum readiness) and operational technology isolation.

Unlike prescriptive standards, the ISM is designed to be applied contextually. It describes risks and recommended mitigations — organisations select and tailor controls based on the system's business criticality, data sensitivity, operating environment and risk tolerance.

Who is the ISM for?

The ISM is written primarily for security and technology leaders designing, operating and assuring systems.

  • Chief Information Security Officers (CISOs) — overall accountability for an organisation's cyber security posture and ISM implementation
  • Chief Information Officers (CIOs) — enterprise technology leaders ensuring systems align to ISM controls
  • Cyber security professionals — architects, engineers, assessors, analysts implementing and operating controls
  • Information technology managers — responsible for the systems to which ISM controls apply
  • System owners and authorising officers — individuals authorising systems to operate based on residual risk

While the ISM's primary audience is Australian Government, its principles are increasingly adopted by regulated industries, critical infrastructure operators, defence industry and suppliers delivering services to government.

Authority and legal basis

The ISM represents the considered advice of ASD. This advice is provided in accordance with ASD's designated functions under the Intelligence Services Act 2001.

An organisation is not required as a matter of law to comply with the ISM, unless legislation — or a direction given under legislation or by a lawful authority — compels them to comply. The ISM does not override legal or legislative obligations; where there is conflict, legislation and law take precedence.

Where ASD publishes more specific guidance (for example, Australian Communications Security Instructions, or advice specific to an operating system, application or device), that guidance may take precedence over the general advice in the ISM. Legislation that commonly bears on the design, operation and decommissioning of systems includes:

  • Archives Act 1983 — record-keeping obligations relevant to logging and retention
  • Privacy Act 1988 — personal information handling and notifiable data breaches
  • Security of Critical Infrastructure Act 2018 (SOCI) — risk management program obligations for responsible entities
  • Telecommunications (Interception and Access) Act 1979 — lawful interception considerations

The ISM explicitly recommends that organisations familiarise themselves with relevant legislation when designing, operating and decommissioning systems — the ISM does not provide comprehensive legal analysis.

The six cyber security functions

The March 2026 ISM organises its cyber security principles into six strategic functions that describe how an organisation should approach cyber security end-to-end. The functions align with global frameworks such as NIST CSF 2.0.

  • Govern (GOV) — establish and maintain a strong, resilient cyber security culture; includes executive accountability, security risk management, supplier assurance, personnel suitability, legacy system management and continuous improvement (GOV-01 through GOV-14)
  • Identify (IDE) — identify assets, interdependencies, business criticality, security and resilience requirements, and security risks (IDE-01 through IDE-06)
  • Protect (PRO) — implement controls to manage security risks including secure lifecycle, supply chain security, identity and access management, vulnerability management, cryptography, segmentation and OT isolation (PRO-01 through PRO-20)
  • Detect (DET) — centralised logging, baselining high-risk access, event detection, incident identification and detection capability efficacy (DET-01 through DET-05)
  • Respond (RES) — incident planning, coordination, response, reporting and insights from lessons learnt (RES-01 through RES-05)
  • Recover (REC) — system recovery assurance and business operations resumption (REC-01, REC-02)

Within each function the principles are listed in a logical order, but the numeric identifiers (GOV-01, PRO-08 and so on) are reference labels, not a mandated sequence of work. Principles within and across functions are interdependent and must be implemented collectively.

Structure of the ISM — principles, guidelines and controls

The ISM has a three-layer structure. Understanding the distinction between layers is essential to interpreting and applying the ISM correctly.

  • Cyber security principles (strategic) — high-level outcomes grouped by function (Govern, Identify, Protect, Detect, Respond, Recover). They describe what good cyber security looks like at the organisational level
  • Cyber security guidelines (domain-specific) — practical guidance organised by topic (e.g. system hardening, cryptography, email, gateways, enterprise mobility). Each guideline discusses the risks and recommended treatments for its domain
  • Cyber security controls (tactical) — specific, measurable requirements embedded within guidelines. Controls are the items listed in Control Stack with identifiers like ISM-0123

Controls do not form an exhaustive list for any specific system. The ISM expects organisations to supplement the controls with context-specific mitigations identified through their own risk analysis.

Applicability markings — NC, OS, P, S, TS

Every ISM control carries one or more applicability markings indicating the classification levels of systems it applies to. A control marked with all five levels applies everywhere; one marked only S and TS applies to SECRET and TOP SECRET systems alone. Markings let organisations tailor control selection to the sensitivity of each system.

  • NC — Non-classified: the control applies to systems that handle no classified information, whether government or non-government
  • OS — OFFICIAL: Sensitive: controls for systems processing OFFICIAL: Sensitive information
  • P — PROTECTED: controls for systems processing PROTECTED information
  • S — SECRET: controls for systems processing SECRET information
  • TS — TOP SECRET: controls for systems processing TOP SECRET information, including sensitive compartmented information

Higher-classification markings generally include stricter requirements (for example: tighter patch timelines, phishing-resistant MFA, more rigorous key management, stronger physical security).

The ISM's risk management framework

The ISM draws from NIST SP 800-37 Rev. 2 (Risk Management Framework for Information Systems and Organizations) and defines a six-step lifecycle for applying cyber security to a system.

This framework is the recommended operational approach to selecting and applying ISM controls. It is system-oriented — every system operated by the organisation should go through these steps.

  • 1. Define the system — determine the system boundary, business criticality and security/resilience objectives based on compromise impact; document in the system security plan
  • 2. Select controls — select and tailor controls to meet objectives; document in the system security plan annex; authorising officer approves control selection
  • 3. Implement controls — deploy controls; record actual (vs planned) implementation in the system security plan annex
  • 4. Assess controls — assessor verifies controls operate as intended; produce a security assessment report identifying strengths, weaknesses, remaining risks and remediation actions
  • 5. Authorise the system — authorising officer decides whether to accept residual security risks and issue an authorisation to operate (ATO), with or without constraints
  • 6. Monitor the system — continuous monitoring of threats, risks and control effectiveness; trigger events include incidents, policy changes and major architectural changes

Authorising officers and authorisation to operate

Before a system handling government information can operate, it must be formally authorised. The authorising officer decides whether the residual risks are acceptable and issues an authorisation to operate (ATO).

The authorising officer must receive an authorisation package including the system security plan, incident response plan, change and configuration management plan, continuous monitoring plan, security assessment report, and plan of action and milestones.

  • Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET systems — authorising officer is the organisation's CISO (or delegate)
  • TOP SECRET systems (including sensitive compartmented information systems) — authorising officer is the Director-General ASD (or delegate)
  • Commercial providers serving an organisation — authorising officer is the CISO of the supported organisation (or delegate)
  • Multi-organisation / multi-stakeholder systems — a single authorising officer may be agreed via formal arrangement, or multiple may issue a joint ATO
  • Where no CISO exists — a chief security officer, CIO or other senior executive with appropriate seniority and understanding of the risks may serve as authorising officer

Authorisations can be granted with constraints (limiting functionality, time-bounded) or denied pending further remediation. After control changes or significant risk events, the authorisation package should be updated and revisited.

Security assessments and IRAP

Security assessments validate that controls are implemented correctly and operating as intended. The ISM sets out who may conduct assessments based on system classification.

  • Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET systems — assessments may be conducted by the organisation's own assessors or by Infosec Registered Assessors Program (IRAP) assessors
  • TOP SECRET systems, including sensitive compartmented information systems — assessments are conducted by ASD assessors (or their delegates)
  • Assessors should hold appropriate security clearance and have sufficient experience and understanding of the type of system being assessed
  • The assessment scope — type and extent of activities — should be agreed between the assessor, system owner and authorising officer, typically in a security assessment plan

IRAP assessors are endorsed by ASD. Their reports are widely relied upon by Commonwealth customers procuring cloud and managed services. An IRAP assessment is distinct from an ATO — IRAP provides the assessment report; the authorising officer issues the authorisation.

What's new in the March 2026 ISM

The March 2026 edition made substantial additions to reflect emerging threats and technology shifts, particularly AI, post-quantum cryptography and operational technology.

  • GOV-08 Executive AI accountability — boards/executives accountable for AI being secure, controllable, human-supervised and used ethically and accountably
  • GOV-10 System exposure minimisation — limit public disclosure of system design and configuration; log any disclosure
  • GOV-13 Cyber security and safety — controls must not compromise human, physical or environmental safety
  • GOV-14 Legacy system management — manage legacy systems with compensating controls and enhanced monitoring until retired
  • IDE-05 Asset interdependencies — document how compromise of one system affects dependent systems
  • IDE-06 Resilience requirement identification — identify and document resilience requirements alongside security requirements
  • PRO-16 Cyber supply chain security — consolidated supply chain principle (previously spread across Govern / Identify)
  • PRO-17 Cryptographic agility — design systems to support timely, prioritised and orderly cryptography changes, including post-quantum cryptography
  • PRO-18 / PRO-19 / PRO-20 — new principles covering network segmentation, operational technology isolation, and secured remote access to OT
  • DET-04 Baselined high-risk access activities — baselines for identity, privileged and remote access to enable anomaly detection
  • RES-05 Cyber security incident coordination — pre-defined roles, exercises, and pre-approved response/recovery activities
  • REC-02 System recovery assurance — verify recovered systems via assurance activities before resuming operations
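
PRO-17 above asks that cryptography can be changed in a timely and orderly way. In code that means an algorithm identifier and a key identifier travel with every protected object, a registry decides which algorithms may still sign and which may only verify, and existing objects can be re-protected under the new algorithm before the old one is switched off. The following is an added example of that pattern, not code from ASD or the ISM. The two registered algorithms are HMAC stand-ins (so the example runs with only the Python standard library) for the signature schemes a real migration to post-quantum cryptography would involve; the envelope format, the status names, the key identifiers and the keys themselves are all constructed for the example.

```python
import hmac

# Algorithm registry with a lifecycle state per algorithm. The entries are
# HMAC stand-ins for the signature schemes a real migration would register;
# the pattern (identifier, status, verifier policy) is the point.
ALGORITHMS = {
    "hmac-sha256": {"digest": "sha256", "status": "active"},
    "hmac-sha3-512": {"digest": "sha3_512", "status": "active"},
}

# Key store: key id -> (algorithm id, key bytes). Constructed demo keys;
# real keys come from a key management system, never from source code.
KEYS = {
    "k-2024": ("hmac-sha256", bytes(range(32))),
    "k-2026": ("hmac-sha3-512", bytes(range(64))),
}


def _tag(registry, alg, kid, key, payload):
    # Bind the algorithm and key identifiers into the authenticated input, so
    # editing the envelope header cannot steer a verifier onto another algorithm.
    message = alg.encode() + b"\x00" + kid.encode() + b"\x00" + payload
    return hmac.new(key, message, registry[alg]["digest"]).hexdigest()


def sign(payload, kid, registry, keys):
    """Protect payload under key kid. Only 'active' algorithms may sign."""
    alg, key = keys[kid]
    status = registry[alg]["status"]
    if status != "active":
        raise ValueError(f"{alg} is {status}; new signatures not permitted")
    return ".".join(["v1", alg, kid, payload.hex(), _tag(registry, alg, kid, key, payload)])


def verify(envelope, registry, keys):
    """Check an envelope. 'deprecated' still verifies with a warning; 'retired' does not."""
    parts = envelope.split(".")
    if len(parts) != 5 or parts[0] != "v1":
        return {"ok": False, "reason": "malformed"}
    _, alg, kid, payload_hex, tag = parts
    entry = registry.get(alg)
    if entry is None:
        return {"ok": False, "reason": "unknown-algorithm"}
    if entry["status"] == "retired":
        return {"ok": False, "reason": "algorithm-retired"}
    if kid not in keys:
        return {"ok": False, "reason": "unknown-key"}
    key_alg, key = keys[kid]
    if key_alg != alg:
        return {"ok": False, "reason": "algorithm-key-mismatch"}
    payload = bytes.fromhex(payload_hex)
    if not hmac.compare_digest(_tag(registry, alg, kid, key, payload), tag):
        return {"ok": False, "reason": "bad-tag"}
    warning = "algorithm-deprecated" if entry["status"] == "deprecated" else None
    return {"ok": True, "payload": payload, "alg": alg, "kid": kid, "warning": warning}


def migrate(envelope, registry, keys, new_kid):
    """Re-protect a verified envelope under a new key/algorithm."""
    result = verify(envelope, registry, keys)
    if not result["ok"]:
        raise ValueError(f"cannot migrate: {result['reason']}")
    return sign(result["payload"], new_kid, registry, keys)


def demonstrate():
    """Walk one algorithm through active -> deprecated -> retired."""
    registry = {alg: dict(entry) for alg, entry in ALGORITHMS.items()}
    keys = dict(KEYS)
    payload = b"report-id=42;classification=OFFICIAL"
    out = {}
    old = sign(payload, "k-2024", registry, keys)
    out["old_ok"] = verify(old, registry, keys)["ok"]
    # Step 1: deprecate. Existing objects still verify (flagged); no new signing.
    registry["hmac-sha256"]["status"] = "deprecated"
    out["old_warning"] = verify(old, registry, keys)["warning"]
    try:
        sign(payload, "k-2024", registry, keys)
        out["sign_deprecated_refused"] = False
    except ValueError:
        out["sign_deprecated_refused"] = True
    # Step 2: re-protect under the new algorithm while the old one still verifies.
    new = migrate(old, registry, keys, "k-2026")
    out["new_alg"] = verify(new, registry, keys)["alg"]
    # A header edit pointing the new envelope at the old algorithm is rejected:
    # the key id is bound to one algorithm and the tag covers both identifiers.
    swapped = new.replace("hmac-sha3-512", "hmac-sha256", 1)
    out["substituted"] = verify(swapped, registry, keys)["reason"]
    # Step 3: retire. Anything still on the old algorithm now fails closed.
    registry["hmac-sha256"]["status"] = "retired"
    out["old_after_retire"] = verify(old, registry, keys)["reason"]
    out["new_after_retire"] = verify(new, registry, keys)["ok"]
    return out


if __name__ == "__main__":
    for step, result in demonstrate().items():
        print(f"{step}: {result}")
```

Two points carry over to real deployments: the algorithm and key identifiers are part of the authenticated input, so a verifier cannot be steered onto a weaker algorithm by editing the header; and deprecation is kept distinct from retirement, which is what gives the orderly window in which existing objects are re-signed before the old algorithm stops verifying.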

New AI development and usage controls (ISM-2084 through ISM-2103 series) were also added under the software development and mobile device guidelines.
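
DET-04 in the list above calls for baselines of identity, privileged and remote access so that deviations can be detected. The following is an added example of that baseline-and-deviate logic, not code from ASD or the ISM: it learns, per user, the hours of day, the source /24 prefixes and the privileged and remote use seen in a training window, then flags later events that fall outside that profile. The key=value log format, the field names and the one-hour tolerance are assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed access log in key=value form (the format is an assumption).
# BASELINE_LINES is the learning window; NEW_LINES is the period under review.
BASELINE_LINES = """\
2026-02-02T08:55:00Z user=alice action=login src=10.1.4.22 priv=false remote=false
2026-02-02T09:10:00Z user=alice action=login src=10.1.4.22 priv=false remote=false
2026-02-03T09:02:00Z user=alice action=login src=10.1.4.31 priv=false remote=false
2026-02-03T17:40:00Z user=alice action=login src=10.1.4.31 priv=false remote=false
2026-02-02T07:30:00Z user=bob action=login src=10.1.9.7 priv=true remote=false
2026-02-03T07:45:00Z user=bob action=login src=10.1.9.7 priv=true remote=false
2026-02-04T20:05:00Z user=bob action=login src=203.0.113.5 priv=true remote=true
2026-02-04T10:00:00Z user=carol action=login src=10.1.4.80 priv=false remote=false
""".splitlines()

NEW_LINES = """\
2026-03-02T09:05:00Z user=alice action=login src=10.1.4.22 priv=false remote=false
2026-03-02T02:10:00Z user=alice action=login src=198.51.100.9 priv=true remote=true
2026-03-02T07:40:00Z user=bob action=login src=10.1.9.7 priv=true remote=false
2026-03-02T11:00:00Z user=dave action=login src=10.1.4.91 priv=true remote=false
""".splitlines()


def parse_event(line):
    """Turn one log line into a dict with the fields the baseline uses."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": ts,
        "hour": int(ts[11:13]),                       # UTC hour from the ISO timestamp
        "user": kv["user"],
        "src24": ".".join(kv["src"].split(".")[:3]),  # collapse source to its /24
        "priv": kv["priv"] == "true",
        "remote": kv["remote"] == "true",
    }


def build_baseline(lines):
    """Per-user profile of hours, source prefixes and privileged/remote use."""
    baseline = defaultdict(
        lambda: {"hours": set(), "src24": set(), "priv": False, "remote": False}
    )
    for line in lines:
        ev = parse_event(line)
        profile = baseline[ev["user"]]
        profile["hours"].add(ev["hour"])
        profile["src24"].add(ev["src24"])
        profile["priv"] = profile["priv"] or ev["priv"]
        profile["remote"] = profile["remote"] or ev["remote"]
    return dict(baseline)


def _near_baseline_hour(hour, hours, tolerance):
    # Circular distance on a 24-hour clock so 23:00 and 00:00 count as adjacent.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in hours)


def detect_anomalies(baseline, lines, hour_tolerance=1):
    """Return one finding per event that deviates from the user's baseline."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            # An identity with no history is itself worth a look; skip other checks.
            reasons.append("no-baseline-for-user")
        else:
            if ev["priv"] and not profile["priv"]:
                reasons.append("privileged-without-baseline")
            if ev["remote"] and not profile["remote"]:
                reasons.append("remote-without-baseline")
            if ev["src24"] not in profile["src24"]:
                reasons.append("new-source-prefix")
            if not _near_baseline_hour(ev["hour"], profile["hours"], hour_tolerance):
                reasons.append("off-hours")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_LINES), NEW_LINES):
        print(finding["ts"], finding["user"], ", ".join(finding["reasons"]))
```

The training window must come from a period believed to be clean and must be kept separate from the period under review: a baseline built while an intruder already holds a privileged account will treat that activity as normal. In practice rules like these run inside the SIEM or log platform over the centrally collected logs the Detect function requires, and the findings feed incident identification rather than standing alone.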

Who must comply with the ISM?

ISM compliance is driven by a mix of legislation, whole-of-government policy and contractual requirements.

  • Non-corporate Commonwealth entities — directed under the Protective Security Policy Framework (PSPF) to apply ISM controls proportionate to classification
  • Corporate Commonwealth entities — strongly encouraged to adopt the PSPF (including ISM) as good practice
  • Defence Industry Security Program (DISP) members — must align to ISM controls as part of DISP obligations
  • State and territory government agencies — many jurisdictions reference the ISM either directly or via aligned state frameworks
  • Critical infrastructure responsible entities (SOCI Act) — the ISM (alongside the Essential Eight and other frameworks) supports satisfying CIRMP obligations
  • Government suppliers — service contracts frequently require ISM / IRAP alignment, particularly for cloud and managed services handling government data

Private-sector organisations not covered by the above often adopt ISM controls voluntarily for systems handling sensitive or regulated information, or to win government contracts.

ISM, Essential Eight and the broader Strategies

The Essential Eight is a prioritised subset of the broader Strategies to Mitigate Cyber Security Incidents published by ASD. The Essential Eight provides a baseline; the full Strategies and the ISM provide depth.

The Essential Eight addresses a narrow band of technical mitigations: patching applications, patching operating systems, multi-factor authentication, restricting administrative privileges, application control, restricting Microsoft Office macros, user application hardening and regular backups. The ISM addresses the complete cyber security lifecycle: governance, personnel, physical security, cryptography, networks, gateways, development, data transfers and more.

  • Start with the Essential Eight as a baseline for IT networks running Microsoft Windows
  • Layer the ISM's broader principles and controls on top, guided by the risk management framework and system classification
  • For high-assurance or classified systems, the ISM is the operative reference — the Essential Eight alone is insufficient
  • Non-corporate Commonwealth entities are expected under the PSPF to implement the Essential Eight to at least Maturity Level 2 (ML2) while also meeting relevant ISM controls

ISM, PSPF and international frameworks

The ISM sits inside a broader policy environment. Knowing how it relates helps avoid duplicate effort and reconcile overlapping requirements.

  • Protective Security Policy Framework (PSPF) — whole-of-government framework; its information security requirements direct non-corporate Commonwealth entities to apply the ISM
  • Essential Eight — prioritised baseline; subset of the broader Strategies to Mitigate Cyber Security Incidents and the ISM
  • NIST SP 800-37 Rev. 2 — the ISM's risk management framework is adapted from this NIST publication
  • NIST Cybersecurity Framework (CSF) 2.0 — six-function structure (Govern, Identify, Protect, Detect, Respond, Recover) aligns closely with the ISM's cyber security principles
  • ISO/IEC 27001:2022 — an ISMS certification standard; ISO Annex A controls overlap with ISM domains (access control, cryptography, physical security, supplier relationships) but are higher-level than ISM controls
  • NZISM (New Zealand Information Security Manual) — structurally similar Trans-Tasman counterpart; organisations operating in both jurisdictions can often run combined assessments
  • SOC 2 Trust Services Criteria — US-centric; overlaps in areas such as access, change management and vendor oversight

Training and certification pathways

ASD does not certify individual practitioners against the ISM; IRAP endorsement (covered below) is an endorsement to conduct assessments rather than a practitioner certification. Practitioners typically hold ISO 27001-based qualifications and acquire ISM expertise through practical work, IRAP training and ASD guidance.

Mindset Cyber offers PECB-accredited ISO/IEC 27001 training that supports ISM implementation work. ISM and ISO 27001 share the same underlying discipline (risk-based information security management), making the ISO training an effective foundation for ISM practitioners — especially for control assessment, documentation and governance activities.

  • ISO 27001 Foundation — introductory course; useful for team members and stakeholders who need to understand risk-based information security ($399)
  • ISO 27001 Lead Implementer — five-day course for those leading ISMS programs, including teams aligning ISO 27001 with ISM obligations ($849)
  • ISO 27001 Lead Auditor — five-day course for auditors; valuable for internal assessors validating ISM control implementation ($849)
  • IRAP assessor endorsement — administered by ASD; the pathway for professionals wishing to conduct formal IRAP assessments

All Mindset Cyber courses are delivered as self-paced eLearning or live weekend training. Certification is through PECB and is internationally recognised.

Common pitfalls to avoid

These are the patterns that ASD, IRAP assessors and internal auditors most commonly identify when ISM implementations underperform.

  • Treating the ISM as a control checklist rather than a risk management framework — controls must be selected, tailored and justified, not blanket-applied
  • Misusing applicability markings — applying only NC controls to an OFFICIAL: Sensitive system, or applying TS controls to a non-classified system and over-engineering
  • Under-scoping the authorisation boundary — systems extending into third-party cloud or managed services not fully documented in the system security plan
  • Skipping the monitor step — once an ATO is issued, systems drift; without continuous monitoring, residual risk quietly rises above the accepted threshold
  • Relying on the Essential Eight alone for classified or high-assurance systems — Essential Eight is a baseline; ISM coverage is much broader
  • Not keeping pace with ISM updates — major updates (like March 2026) introduce new principles and controls that existing authorisations may not cover
  • Documentation gaps — the ATO package is only as strong as the system security plan, assessment report and POA&M; vague or outdated documentation is frequently cited
  • Treating IRAP as certification — IRAP produces assessment reports; authorisation decisions still rest with the authorising officer
  • Overlooking OT and enterprise mobility — the ISM has dedicated guidelines; these are often under-implemented compared to the IT mainstream

ASD strongly recommends independent assessment (IRAP or equivalent) before relying on self-assessed ISM compliance for regulatory or contractual purposes.

Many ISM controls align with ISO 27001 requirements. Get PECB ISO 27001 certified with Mindset Cyber.