ISM Guide

AI-generated content · ✓ reviewed by The Organic
Background

What is the ISM?

The Information Security Manual (ISM) is the Australian Government's primary cybersecurity framework for protecting systems and data. It is published by the Australian Signals Directorate (ASD), a statutory agency established under the Australian Signals Directorate Act 2018, responsible for signals intelligence and offensive and defensive cyber operations.

The ISM defines security controls — specific requirements that Australian Government agencies and their ICT suppliers and contractors must consider and, where applicable, implement. It covers topics ranging from governance and physical security through to system hardening, cryptography, network management, and software development.

Who it applies to: Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) must use the ISM as the basis for their Information Security program. It also applies to contractors and cloud service providers handling Australian Government information, and is increasingly referenced by state governments and critical infrastructure operators.

Update cadence: The ISM is updated roughly quarterly. Each release is tagged with a version string such as ISM-2025-01 (year and month). Controls may be added, modified, or withdrawn between releases. The OSCAL-format catalog, which powers this site, has been published since late 2022; earlier releases were PDFs.

The authoritative source is asd.gov.au/ism. This site republishes the data for ease of browsing — always verify against ASD for compliance decisions.

The Information Security Manual (ISM) is the Australian Government's comprehensive record of everything you must do to your systems before ASD will consider trusting you near government information. It is published by the Australian Signals Directorate (ASD), a statutory agency established under the Australian Signals Directorate Act 2018, responsible for signals intelligence, offensive and defensive cyber operations, and periodically reminding the rest of the public sector that patching is still important.

The ISM defines over 1,000 security controls — specific requirements that Commonwealth agencies and their ICT suppliers must implement. Each control represents a concrete security measure, derived from either genuine threat intelligence or the accumulated scar tissue of a decade of incidents. In practice, both.

Who it applies to: Commonwealth entities under the PGPA Act must use the ISM as the foundation of their Information Security program. It also extends to contractors and cloud providers handling government information — on the basis that if the government is going to trust you with its data, it would like confirmation that you have enabled multi-factor authentication first. State governments and critical infrastructure operators increasingly reference it as well.

Update cadence: Approximately quarterly. Each release carries a version string such as ISM-2025-01. Controls are added, modified, and occasionally withdrawn. The important ones are usually modified. The compliance work is, by design, never finished.

The authoritative source is asd.gov.au/ism. This site republishes the data for convenience — always verify against ASD for anything that matters.

Structure

How is the ISM structured?

The ISM is organised in a three-level hierarchy:

  • Guidelines — broad topic areas (e.g. Guidelines for Networking, Guidelines for System Hardening). There are around 20 guidelines.
  • Sections — sub-topics within a guideline (e.g. Network Management, Operating System Hardening). Each section has a brief overview statement.
  • Controls — individual requirements within a section, each with a unique numeric identifier (ISM-NNNN), a plain-English statement, applicability markings, and a revision history.

Anatomy of a control: Each control has:

  • ID — e.g. ISM-1173. IDs are permanent and never reused.
  • Statement — what the organisation must do, expressed as a requirement (typically "… is implemented" or "… are used").
  • Applicability — which classification levels the control applies to (NC, OFFICIAL:Sensitive, PROTECTED, SECRET, TOP SECRET). A control may apply to some levels but not others.
  • Revision history — each time a control's statement or applicability changes, a new revision is recorded. This site tracks every revision back to 2010.

Control lifecycle: A control may be new (first introduced in a release), modified (statement or applicability changed), or withdrawn (removed from the catalog). Withdrawn controls remain visible on this site for historical reference — look for the "Withdrawn" filter in the Explorer.

The ISM is organised into a three-level hierarchy:

  • Guidelines — broad chapter headings covering topics like networking, cryptography, and personnel security. Note: "guideline" does not mean optional. These are mandatory requirements. The name is doing significant work. There are approximately 20 guidelines, and none of them are more what you'd call guidelines than actual rules.
  • Sections — sub-topics within each guideline. Each section includes a brief overview that explains what the section covers, which is useful the first time you read it.
  • Controls — the actual requirements. Over 1,000 of them, each with a permanent numeric ID that is never reused, an applicability marking, and a statement specifying what must be done.

Anatomy of a control: Each control has:

  • ID — e.g. ISM-1173. Permanent. Never recycled. This level of numbering discipline is, in context, noteworthy.
  • Statement — what must be implemented. The language is consistently "…is implemented" or "…are used." Not "is considered" or "should be explored." Implemented.
  • Applicability — classification levels the control applies to. Higher levels accumulate requirements from lower levels.
  • Revision history — recorded when a control's statement or applicability changes. This site tracks every revision back to 2010, for those who enjoy watching requirements evolve over a decade.

Control lifecycle: Controls are introduced as new, updated as modified, or removed as withdrawn. Withdrawn controls remain in the catalog because somewhere, someone will need to explain to an auditor why the 2015 version said something different.

Classifications

Applicability classifications

Each control specifies which security classification levels it applies to. The current Australian Government protective security classification scheme has five levels:

MarkingLabelDescription
NC Not Classified (UNOFFICIAL / OFFICIAL) Unclassified government information, or information with no specific protective marking. Controls marked NC apply at the baseline level.
OS OFFICIAL:Sensitive Sensitive but unclassified information where compromise could have limited adverse effects. Formerly referred to as DLM (Dissemination Limiting Marker) in older releases.
P PROTECTED Information where compromise could cause damage to national security, individuals, or government interests.
S SECRET Information where compromise could cause serious damage to national security or Australian interests.
TS TOP SECRET Information where compromise could cause exceptionally grave damage to national security. Requires the most stringent controls.
C CONFIDENTIAL (historical) Used from 2010 to 2018, since removed from the Australian protective security framework. Appears only in pre-2019 ISM releases on this site.

Controls are cumulative: a system handling PROTECTED information must meet all controls applicable to NC, OFFICIAL:Sensitive, and PROTECTED. Higher classifications inherit all lower-classification controls and add their own.

Each control specifies which classification levels it applies to. The current Australian Government protective security scheme has five levels — think of them as a ladder where each rung adds more controls and removes more suppliers:

MarkingLabelDescription
NC Not Classified (UNOFFICIAL / OFFICIAL) The baseline. Unclassified government information with no specific protective marking. NC controls apply to every system in scope — they are the floor, not the ceiling.
OS OFFICIAL:Sensitive Sensitive but unclassified. Consequences of compromise are described as "limited adverse effects" — government language for "bad, but explainable." Formerly DLM (Dissemination Limiting Marker), which was at least honest about what it was doing.
P PROTECTED The level at which seriousness sets in. Systems at PROTECTED handling OFFICIAL:Sensitive and above require IRAP assessment, which is how you find out how many of your controls are "partially implemented."
S SECRET Serious damage to national security. Fewer suppliers, more controls, significantly more paperwork. Meetings that don't appear in your calendar.
TS TOP SECRET Exceptionally grave damage to national security. The controls are comprehensive. The audience for this guide, at this classification level, is very small.
C CONFIDENTIAL (historical) Used 2010–2018, subsequently removed from the Australian classification scheme. Appears only in pre-2019 ISM releases here, as evidence that even classification frameworks get refactored.

Controls are cumulative: PROTECTED systems must meet NC and OFFICIAL:Sensitive controls in addition to their own. The higher you go, the more you inherit. This is the information security equivalent of not being allowed to skip levels.

Essential Eight

The Essential Eight

The Essential Eight is a prioritised subset of ISM controls that ASD recommends as the baseline set of mitigation strategies for most organisations. It was introduced to give a more actionable starting point than the full ISM, which contains over 1,000 controls.

The ISM contains over 1,000 controls. The Essential Eight is ASD's acknowledgement that this is a lot, and that most organisations are better served by doing eight things well than a thousand things approximately. It is a prioritised set of mitigation strategies selected because the evidence says they stop the most common attacks.

The fact that strategy three is "Configure Microsoft Office Macro Settings" is a data point about the Australian threat landscape. That data point is not flattering. Macro-based malware has been a viable vector for a very long time. It continues to work.

The eight strategies are:

1Application Control
2Patch Applications
3Configure Microsoft Office Macro Settings
4User Application Hardening
5Restrict Administrative Privileges
6Patch Operating Systems
7Multi-factor Authentication
8Regular Backups

Maturity levels: Each Essential Eight strategy has three maturity levels — ML1, ML2, and ML3 — representing progressively stronger implementation. ML1 is the minimum baseline; ML3 represents a hardened posture resistant to more sophisticated adversaries. ASD recommends that most organisations target at least ML2.

The maturity levels are defined in ASD's Essential Eight Maturity Model. Each maturity level maps to specific ISM controls — these mappings are shown in the Explorer's right panel (the maturity grid and E8 strategy pills on each control).

Finding E8 controls on this site: Use the ML1 / ML2 / ML3 filter pills in the Explorer sidebar, or the Essential 8 filter pills on the landing page, to display only controls mapped to each maturity level. The right panel on any selected control shows its E8 maturity grid and which strategy it belongs to.

Maturity levels: ML1, ML2, and ML3 — representing progressively stronger implementation. ML1 is the minimum. ML3 is what you aim for once you have time, budget, and executive support, ideally in that order. ASD recommends at least ML2, which translates roughly to "please do more than the bare minimum."

Maturity levels are defined in ASD's Essential Eight Maturity Model and map to specific ISM controls. The mappings are shown in the Explorer's right panel — the maturity grid and E8 strategy pills on each control detail.

Finding E8 controls on this site: Use the ML1 / ML2 / ML3 filter pills in the Explorer sidebar. The right panel on any selected control shows its maturity level mapping and which strategy it belongs to.

IRAP

What is IRAP?

IRAP — the Information Security Registered Assessors Program — is an ASD-administered scheme for assessing the security posture of ICT systems that handle Australian Government information. IRAP assessors are independent security professionals who have been vetted, trained, and endorsed by ASD to conduct formal security assessments.

Why IRAP matters: For systems that handle OFFICIAL:Sensitive and above information, an IRAP assessment is typically required as part of the accreditation process — obtaining an Authority to Operate (ATO) from the system owner's agency. Cloud service providers seeking to host government workloads at OFFICIAL:Sensitive or above must hold a current IRAP assessment as part of ASD's cloud security evaluation process.

Assessment types:

  • Informal / advisory assessment — a gap analysis that identifies areas where a system does not yet meet ISM requirements. Used for planning and remediation. Does not produce a formal accreditation artifact.
  • Formal / compliance assessment — a comprehensive, evidence-based evaluation of a system against a defined set of ISM controls. Produces a Security Assessment Report (SAR) that system owners use to support an ATO decision.

What an assessment covers:

  • System boundary definition — agreeing on exactly which components, interfaces, and data flows are in scope for the assessment.
  • Threat modelling — identifying relevant threat actors, attack vectors, and the information assets at risk within the system boundary.
  • Security documentation review — examining the System Security Plan (SSP), Security Risk Management Plan (SRMP), Incident Response Plan, and other required artifacts for completeness and accuracy.
  • Control evaluation — testing and evidence review to determine whether each applicable ISM control is implemented, partially implemented, or not implemented. Each control receives a finding with supporting evidence.
  • Residual risk statement — a summary of risks that remain after controls are applied, which informs the ATO decision by the Authorising Officer.

ASD publishes a standardised methodology in the IRAP Common Assessment Framework (April 2025) to ensure consistency across assessors and engagements.

IRAP — the Information Security Registered Assessors Program — is an ASD-administered scheme for assessing ICT systems against the ISM. IRAP assessors are independent security professionals who have been vetted, trained, and endorsed by ASD. They have read the ISM. Professionally. This is how they make their living, and they have chosen to continue doing it.

Why IRAP matters: Systems handling OFFICIAL:Sensitive and above information require an IRAP assessment as part of obtaining an Authority to Operate (ATO) — the document that authorises a system to operate. The ATO is signed by the Authorising Officer, who accepts residual risk on behalf of the agency. The Authorising Officer is the person who has been persuaded that the benefits of the system outweigh the documented risks. Cloud providers seeking to host government workloads must also hold a current IRAP assessment, because the government would like to know you have done the work before it hands you its data.

Assessment types:

  • Informal / advisory assessment — a gap analysis. Identifies where you stand relative to where you need to be. Useful for remediation planning. Does not produce an ATO-ready artifact. Think of it as a practice run where the examiner tells you your answers.
  • Formal / compliance assessment — a full evidence-based evaluation against a defined ISM control set. Produces a Security Assessment Report (SAR) that informs the ATO decision. At no stage in this process does anyone claim it is enjoyable.

What an assessment covers:

  • System boundary definition — agreeing on what is in scope. This sounds straightforward and reliably takes longer than expected.
  • Threat modelling — identifying who might attack the system, how, and what they are after. The honest answer is usually "most actors, many vectors, all data."
  • Security documentation review — the SSP, SRMP, Incident Response Plan, and related artifacts. The documentation describes what you claim the system does. The rest of the assessment verifies whether this is accurate.
  • Control evaluation — testing and evidence review for each applicable ISM control. Each control is assessed as implemented, partially implemented, or not implemented. "Partially implemented" is the most common outcome and the one that generates the most remediation actions and follow-up meetings.
  • Residual risk statement — risks that remain after controls are applied. This is the part the Authorising Officer reads most carefully, because they are the ones signing off on it.

ASD publishes the IRAP Common Assessment Framework (April 2025) to ensure consistency across assessors and engagements — because when everyone is reading the same document, it helps if they agree on what it means.

Guidelines

Guidelines for use

rule1.link42.app is a research and reference tool. Before relying on it for compliance or security decisions, keep the following in mind:

  • Always verify against the authoritative source. The canonical ISM is published at asd.gov.au/ism. This site is a search and browsing tool — not a substitute for the official document.
  • Pre-2022 data was AI-extracted from PDFs. Control data from ISM releases prior to the OSCAL era (before late 2022) was parsed from historical PDFs by an AI model. PDF formats varied significantly over a decade; some statements, applicability markings, or revision details may be inaccurate. Exercise appropriate caution when relying on historical data.
  • AI summaries are informative, not authoritative. The Overview tab on each control includes an AI-generated plain-English summary. These are intended to aid understanding, not replace a careful reading of the control statement itself.
  • Use the Compare tool for gap analysis, not as a compliance record. The version diff is a useful starting point for identifying what changed between ISM releases, but your compliance evidence should reference the official ASD release notes and catalog directly.
  • Report errors. If you find data that appears incorrect, please raise an issue. Do not incorporate inaccurate data into compliance documentation.
Using this site

How to use rule1.link42.app

Explorer

  • Search by keyword (e.g. multi-factor, patch) or by ISM ID (e.g. ISM-1173 or bare 1173) — exact IDs are selected automatically.
  • Use filter pills to narrow by change type (Changed / New / Withdrawn) or Essential Eight maturity level (ML1 / ML2 / ML3).
  • Use the data classification pills (NC / OS / P / S / TS) to show only controls applicable to a given classification level.
  • Every view is deep-linkable — the URL updates as you navigate, so you can share or bookmark any control or filter state.
  • The Changelog tab on a control shows its full revision history with word-level diffs between versions.
  • The Context tab shows the section overview and the neighbourhood graph — nearby controls and principles in the ISM graph.
  • The Implementation tab shows AI-generated guidance on how to implement the control.

Compare

  • Select any two ISM catalog versions (From / To) to see all controls that changed between them.
  • Each changed control shows a word-level diff of the statement text and any applicability changes.
  • Export results to CSV for use in a spreadsheet or compliance gap analysis.
  • Deep-link any comparison via ?from=ISM-2024-10&to=ISM-2025-01.

API

  • All data is accessible via a public REST API at https://api.rule1.link42.app.
  • The API is rate-limited — see the API reference for endpoint details and limits.
  • For high-volume access (e.g. automated compliance tooling), request a bypass token via the bypass eligibility page.