ISM Guide

The Information Security Manual (ISM) is the Australian Government's primary cybersecurity framework for protecting systems and data. It is published by the Australian Signals Directorate (ASD), a statutory agency established under the Australian Signals Directorate Act 2018, responsible for signals intelligence and offensive and defensive cyber operations.

The ISM defines security controls — specific requirements that Australian Government agencies and their ICT suppliers and contractors must consider and, where applicable, implement. It covers topics ranging from governance and physical security through to system hardening, cryptography, network management, and software development.

Who it applies to: Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) must use the ISM as the basis for their Information Security program. It also applies to contractors and cloud service providers handling Australian Government information, and is increasingly referenced by state governments and critical infrastructure operators.

Update cadence: The ISM is updated roughly quarterly. Each release is tagged with a version string such as ISM-2025-01 (year and month). Controls may be added, modified, or withdrawn between releases. The OSCAL-format catalog, which powers this site, has been published since late 2022; earlier releases were PDFs.

The authoritative source is asd.gov.au/ism. This site republishes the data for ease of browsing — always verify against ASD for compliance decisions.

The ISM is organised in a three-level hierarchy:

• Guidelines — broad topic areas (e.g. Guidelines for Networking, Guidelines for System Hardening). There are around 20 guidelines.
• Sections — sub-topics within a guideline (e.g. Network Management, Operating System Hardening). Each section has a brief overview statement.
• Controls — individual requirements within a section, each with a unique numeric identifier (ISM-NNNN), a plain-English statement, applicability markings, and a revision history.

Anatomy of a control: Each control has:

• ID — e.g. ISM-1173. IDs are permanent and never reused.
• Statement — what the organisation must do, expressed as a requirement (typically "… is implemented" or "… are used").
• Applicability — which classification levels the control applies to (NC, OFFICIAL:Sensitive, PROTECTED, SECRET, TOP SECRET). A control may apply to some levels but not others.
• Revision history — each time a control's statement or applicability changes, a new revision is recorded. This site tracks every revision back to 2010.

Control lifecycle: A control may be new (first introduced in a release), modified (statement or applicability changed), or withdrawn (removed from the catalog). Withdrawn controls remain visible on this site for historical reference — look for the "Withdrawn" filter in the Explorer.

Each control specifies which security classification levels it applies to. The current Australian Government protective security classification scheme has five levels:

Controls are cumulative: a system handling PROTECTED information must meet all controls applicable to NC, OFFICIAL:Sensitive, and PROTECTED. Higher classifications inherit all lower-classification controls and add their own.

The Essential Eight is a prioritised subset of ISM controls that ASD recommends as the baseline set of mitigation strategies for most organisations. It was introduced to give a more actionable starting point than the full ISM, which contains over 1,000 controls.

Maturity levels: Each Essential Eight strategy has three maturity levels — ML1, ML2, and ML3 — representing progressively stronger implementation. ML1 is the minimum baseline; ML3 represents a hardened posture resistant to more sophisticated adversaries. ASD recommends that most organisations target at least ML2.

The maturity levels are defined in ASD's Essential Eight Maturity Model. Each maturity level maps to specific ISM controls — these mappings are shown in the Explorer's right panel (the maturity grid and E8 strategy pills on each control).

Finding E8 controls on this site: Use the ML1 / ML2 / ML3 filter pills in the Explorer sidebar, or the Essential 8 filter pills on the landing page, to display only controls mapped to each maturity level. The right panel on any selected control shows its E8 maturity grid and which strategy it belongs to.

IRAP — the Information Security Registered Assessors Program — is an ASD-administered scheme for assessing the security posture of ICT systems that handle Australian Government information. IRAP assessors are independent security professionals who have been vetted, trained, and endorsed by ASD to conduct formal security assessments.

Why IRAP matters: For systems that handle OFFICIAL:Sensitive and above information, an IRAP assessment is typically required as part of the accreditation process — obtaining an Authority to Operate (ATO) from the system owner's agency. Cloud service providers seeking to host government workloads at OFFICIAL:Sensitive or above must hold a current IRAP assessment as part of ASD's cloud security evaluation process.

Assessment types:

• Informal / advisory assessment — a gap analysis that identifies areas where a system does not yet meet ISM requirements. Used for planning and remediation. Does not produce a formal accreditation artifact.
• Formal / compliance assessment — a comprehensive, evidence-based evaluation of a system against a defined set of ISM controls. Produces a Security Assessment Report (SAR) that system owners use to support an ATO decision.

What an assessment covers:

• System boundary definition — agreeing on exactly which components, interfaces, and data flows are in scope for the assessment.
• Threat modelling — identifying relevant threat actors, attack vectors, and the information assets at risk within the system boundary.
• Security documentation review — examining the System Security Plan (SSP), Security Risk Management Plan (SRMP), Incident Response Plan, and other required artifacts for completeness and accuracy.
• Control evaluation — testing and evidence review to determine whether each applicable ISM control is implemented, partially implemented, or not implemented. Each control receives a finding with supporting evidence.
• Residual risk statement — a summary of risks that remain after controls are applied, which informs the ATO decision by the Authorising Officer.

ASD publishes a standardised methodology in the IRAP Common Assessment Framework (April 2025) to ensure consistency across assessors and engagements.