ISM Controls

From Glitchdata

A list of roughly 1800 cyber security controls from the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD). Each entry gives the control identifier, revision, last update, applicability (All, or the classification levels O, P, S, TS) and the Essential Eight maturity level it maps to, followed by the control text.

ISM Guidelines for Cyber Security Roles

  • Security Control: ISM-0714; Revision: 5; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • A CISO is appointed to provide cyber security leadership and guidance for their organisation.
  • Security Control: ISM-1478; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.
  • Security Control: ISM-1617; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
  • Security Control: ISM-0724; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO implements cyber security measurement metrics and key performance indicators for their organisation.
  • Security Control: ISM-0725; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.
  • Security Control: ISM-0726; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO coordinates security risk management activities between cyber security and business teams.
  • Security Control: ISM-0718; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The CISO reports directly to their organisation’s senior executive or Board on cyber security matters.
  • Security Control: ISM-0733; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO is fully aware of all cyber security incidents within their organisation.
  • Security Control: ISM-1618; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO oversees their organisation’s response to cyber security incidents.
  • Security Control: ISM-0734; Revision: 3; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.
  • Security Control: ISM-0720; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO develops and maintains a cyber security communications strategy for their organisation.
  • Security Control: ISM-0731; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO oversees cyber supply chain risk management activities for their organisation.
  • Security Control: ISM-0732; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO receives and manages a dedicated cyber security budget for their organisation.
  • Security Control: ISM-0717; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO oversees the management of cyber security personnel within their organisation.
  • Security Control: ISM-0735; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • The CISO oversees the development and operation of their organisation’s cyber security awareness training program.
  • Security Control: ISM-1071; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Each system has a designated system owner.
  • Security Control: ISM-1525; Revision: 1; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners register each system with its authorising officer.
  • Security Control: ISM-1633; Revision: 0; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised.
  • Security Control: ISM-1634; Revision: 0; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners select security controls for each system and tailor them to achieve desired security objectives.
  • Security Control: ISM-1635; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • System owners implement security controls for each system and its operating environment.
  • Security Control: ISM-1636; Revision: 0; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended.
  • Security Control: ISM-0027; Revision: 4; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation.
  • Security Control: ISM-1526; Revision: 1; Updated: Jan-21; Applicability: All; Essential Eight: N/A
    • System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis.
  • Security Control: ISM-1587; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • System owners report the security status of each system to its authorising officer at least annually.

ISM Guidelines for Cyber Security Incidents

  • Security Control: ISM-0576; Revision: 7; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • An intrusion detection and prevention policy is developed and implemented.
  • Security Control: ISM-1626; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
    • Legal advice is sought regarding the development and implementation of a trusted insider program.
  • Security Control: ISM-0120; Revision: 5; Updated: May-20; Applicability: All; Essential Eight: N/A
    • Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise.

ISM Guidelines for Outsourcing

  • Security Control: ISM-1631; Revision: 0; Updated: Dec-20; Applicability: All; Essential Eight: N/A
    • Components and services relevant to the security of systems are identified and understood.
  • Security Control: ISM-1452; Revision: 3; Updated: Dec-20; Applicability: All; Essential Eight: N/A
    • Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk.
  • Security Control: ISM-1567; Revision: 1; Updated: Dec-20; Applicability: All; Essential Eight: N/A
    • Suppliers and service providers identified as high risk are not used.
  • Security Control: ISM-1568; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
  • Security Control: ISM-1632; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems and cyber supply chains.
  • Security Control: ISM-1569; Revision: 1; Updated: Dec-20; Applicability: All; Essential Eight: N/A
    • A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party.
  • Security Control: ISM-1736; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A managed service register is maintained and verified on a regular basis.
  • Security Control: ISM-1737; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A managed service register contains the following for each managed service:
      • managed service provider’s name
      • purpose for using the managed service
      • sensitivity or classification of data involved
      • point of contact for users of the managed service
      • point of contact for the managed service provider.
  • Security Control: ISM-1637; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An outsourced cloud service register is maintained and verified on a regular basis.
  • Security Control: ISM-1638; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An outsourced cloud service register contains the following for each outsourced cloud service:
      • cloud service provider’s name
      • cloud service’s name
      • purpose for using the cloud service
      • sensitivity or classification of data involved
      • due date for the next security assessment of the cloud service
      • point of contact for users of the cloud service
      • point of contact for the cloud service provider.
  • Security Control: ISM-1570; Revision: 0; Updated: Jul-20; Applicability: All; Essential Eight: N/A
    • Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.
  • Security Control: ISM-1529; Revision: 2; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.
  • Security Control: ISM-1395; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Service providers provide an appropriate level of protection for any data entrusted to them or their services.
  • Security Control: ISM-0072; Revision: 7; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements.
  • Security Control: ISM-1571; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The right to verify compliance with security requirements is documented in contractual arrangements.
  • Security Control: ISM-1738; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The right to verify compliance with security requirements documented in contractual arrangements is exercised on a regular and ongoing basis.
  • Security Control: ISM-1451; Revision: 3; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Types of data and its ownership is documented in contractual arrangements.
  • Security Control: ISM-1572; Revision: 1; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements.
  • Security Control: ISM-1573; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Access to all logs relating to an organisation’s data and services is documented in contractual arrangements.
  • Security Control: ISM-1574; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements.
  • Security Control: ISM-1575; Revision: 0; Updated: Jul-20; Applicability: All; Essential Eight: N/A
    • A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements.
  • Security Control: ISM-1073; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • An organisation’s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
  • Security Control: ISM-1576; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • If an organisation’s systems or data are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately notified.

ISM Guidelines for Security Documentation

  • Security Control: ISM-0039; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A cyber security strategy is developed and implemented.
  • Security Control: ISM-0047; Revision: 4; Updated: May-19; Applicability: All; Essential Eight: N/A
    • Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.
  • Security Control: ISM-1739; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A system’s security architecture is approved prior to the development of the system.
  • Security Control: ISM-0888; Revision: 5; Updated: May-19; Applicability: All; Essential Eight: N/A
    • Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.
  • Security Control: ISM-1602; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Security documentation, including notification of subsequent changes, is communicated to all stakeholders.
  • Security Control: ISM-0041; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Systems have a system security plan that includes a description of the system and an annex that covers both applicable security controls from this document and any additional security controls that have been identified.
  • Security Control: ISM-0043; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Systems have an incident response plan that covers the following:
      • guidelines on what constitutes a cyber security incident
      • the types of cyber security incidents likely to be encountered and the expected response to each type
      • how to report cyber security incidents, internally to an organisation and externally to relevant authorities
      • other parties which need to be informed in the event of a cyber security incident
      • the authority, or authorities, responsible for investigating and responding to cyber security incidents
      • the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Cyber Security Centre or other relevant authority
      • the steps necessary to ensure the integrity of evidence relating to a cyber security incident
      • system contingency measures or a reference to such details if they are located in a separate document.
  • Security Control: ISM-1163; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Systems have a continuous monitoring plan that includes:
      • conducting vulnerability scans for systems at least monthly
      • conducting vulnerability assessments or penetration tests for systems at least annually
      • analysing identified security vulnerabilities to determine their potential impact
      • using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost.
  • Security Control: ISM-1563; Revision: 0; Updated: May-20; Applicability: All; Essential Eight: N/A
    • At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:
      • the scope of the security assessment
      • the system’s strengths and weaknesses
      • security risks associated with the operation of the system
      • the effectiveness of the implementation of security controls
      • any recommended remediation actions.
  • Security Control: ISM-1564; Revision: 0; Updated: May-20; Applicability: All; Essential Eight: N/A
    • At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.

ISM Guidelines for Physical Security

  • Security Control: ISM-0810; Revision: 5; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification.
  • Security Control: ISM-1053; Revision: 3; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification.
  • Security Control: ISM-1530; Revision: 1; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in.
  • Security Control: ISM-0813; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states.
  • Security Control: ISM-1074; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled.
  • Security Control: ISM-1296; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Physical security controls are implemented to protect network devices in public areas from physical damage or unauthorised access.
  • Security Control: ISM-1543; Revision: 3; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • An authorised RF and IR device register is maintained for SECRET and TOP SECRET areas and verified on a regular basis.
  • Security Control: ISM-0225; Revision: 3; Updated: Sep-21; Applicability: S, TS; Essential Eight: N/A
    • Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.
  • Security Control: ISM-0829; Revision: 4; Updated: Mar-19; Applicability: S, TS; Essential Eight: N/A
    • Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.
  • Security Control: ISM-0164; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.
  • Security Control: ISM-0161; Revision: 5; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • ICT equipment and media are secured when not in use.

ISM Guidelines for Personnel Security

  • Security Control: ISM-0252; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Cyber security awareness training is undertaken annually by all personnel and covers:
      • the purpose of the cyber security awareness training
      • security appointments and contacts
      • authorised use of systems and their resources
      • protection of systems and their resources
      • reporting of cyber security incidents and suspected compromises of systems and their resources.
  • Security Control: ISM-1565; Revision: 0; Updated: Jun-20; Applicability: All; Essential Eight: N/A
    • Tailored privileged user training is undertaken annually by all privileged users.
  • Security Control: ISM-1740; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it.
  • Security Control: ISM-0817; Revision: 4; Updated: Jan-20; Applicability: All; Essential Eight: N/A
    • Personnel are advised of what suspicious contact via online services is and how to report it.
  • Security Control: ISM-0820; Revision: 5; Updated: Jan-20; Applicability: All; Essential Eight: N/A
    • Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted.
  • Security Control: ISM-1146; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Personnel are advised to maintain separate work and personal accounts for online services.
  • Security Control: ISM-0821; Revision: 3; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.
  • Security Control: ISM-0824; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Personnel are advised not to send or receive files via unauthorised online services.
  • Security Control: ISM-0432; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Access requirements for a system and its resources are documented in its system security plan.
  • Security Control: ISM-0434; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to a system and its resources.
  • Security Control: ISM-0435; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • Personnel receive any necessary briefings before being granted access to a system and its resources.
  • Security Control: ISM-0414; Revision: 4; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • Personnel granted access to a system and its resources are uniquely identifiable.
  • Security Control: ISM-0415; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.
  • Security Control: ISM-1583; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Personnel who are contractors are identified as such.
  • Security Control: ISM-0420; Revision: 11; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.
  • Security Control: ISM-0405; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Requests for unprivileged access to systems, applications and data repositories are validated when first requested.
  • Security Control: ISM-1566; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Use of unprivileged access is logged.
  • Security Control: ISM-1714; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Unprivileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-0409; Revision: 7; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them.
  • Security Control: ISM-0411; Revision: 6; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them.
  • Security Control: ISM-1507; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Requests for privileged access to systems and applications are validated when first requested.
  • Security Control: ISM-1733; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Requests for privileged access to data repositories are validated when first requested.
  • Security Control: ISM-1508; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
  • Security Control: ISM-1175; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged user accounts are prevented from accessing the internet, email and web services.
  • Security Control: ISM-1653; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Privileged service accounts are prevented from accessing the internet, email and web services.
  • Security Control: ISM-1649; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Just-in-time administration is used for administering systems and applications.
  • Security Control: ISM-0445; Revision: 6; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.
  • Security Control: ISM-1509; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Use of privileged access is logged.
  • Security Control: ISM-1650; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Changes to privileged accounts and groups are logged.
  • Security Control: ISM-1651; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Privileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-1652; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Privileged account and group change event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-0446; Revision: 5; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.
  • Security Control: ISM-0447; Revision: 4; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.
  • Security Control: ISM-0430; Revision: 7; Updated: Sep-19; Applicability: All; Essential Eight: N/A
    • Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.
  • Security Control: ISM-1591; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.
  • Security Control: ISM-1404; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity.
  • Security Control: ISM-1648; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
  • Security Control: ISM-1716; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Access to data repositories is automatically disabled after 45 days of inactivity.
  • Security Control: ISM-1647; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
  • Security Control: ISM-1734; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Privileged access to data repositories is automatically disabled after 12 months unless revalidated.
  • Security Control: ISM-0407; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • A secure record is maintained for the life of each system covering:
      • all personnel authorised to access the system, and their user identification
      • who provided authorisation for access
      • when access was granted
      • the level of access that was granted
      • when access, and the level of access, was last reviewed
      • when the level of access was changed, and to what extent (if applicable)
      • when access was withdrawn (if applicable).
  • Security Control: ISM-0441; Revision: 7; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties.
  • Security Control: ISM-0443; Revision: 3; Updated: Sep-18; Applicability: S, TS; Essential Eight: N/A
    • Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.
  • Security Control: ISM-1610; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
  • Security Control: ISM-1611; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Break glass accounts are only used when normal authentication processes cannot be used.
  • Security Control: ISM-1612; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Break glass accounts are only used for specific authorised activities.
  • Security Control: ISM-1614; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Break glass account credentials are changed by the account custodian after they are accessed by any other party.
  • Security Control: ISM-1615; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Break glass accounts are tested after credentials are changed.
  • Security Control: ISM-1613; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Use of break glass accounts is logged.
  • Security Control: ISM-1715; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Break glass event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-0078; Revision: 5; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government.
  • Security Control: ISM-0854; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government.

ISM Guidelines for Communications Infrastructure

  • Security Control: ISM-0181; Revision: 3; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.
  • Security Control: ISM-1111; Revision: 3; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Fibre-optic cables are used for cabling infrastructure instead of copper cables.
  • Security Control: ISM-0211; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A cable register is maintained and verified on a regular basis.
  • Security Control: ISM-0208; Revision: 6; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • A cable register contains the following for each cable:
      • cable identifier
      • cable colour
      • sensitivity/classification
      • source
      • destination
      • location
      • seal numbers (if applicable).
  • Security Control: ISM-1645; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Floor plan diagrams are maintained and verified on a regular basis.
  • Security Control: ISM-1646; Revision: 0; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Floor plan diagrams contain the following:
      • cable paths (including ingress and egress points between floors)
      • cable reticulation system and conduit paths
      • floor concentration boxes
      • wall outlet boxes
      • network cabinets.
  • Security Control: ISM-0206; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Cable labelling processes, and supporting cable labelling procedures, are developed and implemented.
  • Security Control: ISM-1096; Revision: 2; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.
  • Security Control: ISM-1639; Revision: 0; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals.
  • Security Control: ISM-1640; Revision: 0; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Cables for foreign systems installed in Australian facilities are labelled at inspection points.
  • Security Control: ISM-0926; Revision: 9; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red.
  • Security Control: ISM-1718; Revision: 0; Updated: Dec-21; Applicability: S; Essential Eight: N/A
    • SECRET cables are coloured salmon pink.
  • Security Control: ISM-1719; Revision: 0; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • TOP SECRET cables are coloured red.
  • Security Control: ISM-1216; Revision: 3; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points.
  • Security Control: ISM-1112; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Cables are inspectable at a minimum of five-metre intervals.
  • Security Control: ISM-1119; Revision: 2; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Cables in TOP SECRET areas are fully inspectable for their entire length.
  • Security Control: ISM-0187; Revision: 7; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • SECRET and TOP SECRET systems belong exclusively to their own cable groups.
  • Security Control: ISM-0189; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • Cables only carry a single cable group, unless each cable group belongs to a different subunit.
  • Security Control: ISM-1114; Revision: 3; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups.
  • Security Control: ISM-1130; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • In shared facilities, cables are run in an enclosed cable reticulation system.
  • Security Control: ISM-1164; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.
  • Security Control: ISM-0195; Revision: 6; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • In shared facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.
  • Security Control: ISM-0194; Revision: 3; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts.
  • Security Control: ISM-0201; Revision: 3; Updated: Mar-21; Applicability: TS; Essential Eight: N/A
    • Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’.
  • Security Control: ISM-1115; Revision: 4; Updated: Dec-19; Applicability: All; Essential Eight: N/A
    • Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
  • Security Control: ISM-1133; Revision: 3; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • In shared facilities, TOP SECRET cables are not run in party walls.
  • Security Control: ISM-1122; Revision: 2; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound.
  • Security Control: ISM-1104; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems.
  • Security Control: ISM-1105; Revision: 3; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Different cable groups do not share a wall outlet box.
  • Security Control: ISM-1095; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.
  • Security Control: ISM-1107; Revision: 5; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red.
  • Security Control: ISM-1720; Revision: 0; Updated: Dec-21; Applicability: S; Essential Eight: N/A
    • SECRET wall outlet boxes are coloured salmon pink.
  • Security Control: ISM-1721; Revision: 0; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • TOP SECRET wall outlet boxes are coloured red.
  • Security Control: ISM-1109; Revision: 3; Updated: Dec-19; Applicability: All; Essential Eight: N/A
    • Wall outlet box covers are clear plastic.
  • Security Control: ISM-0218; Revision: 6; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier.
  • Security Control: ISM-1102; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.
  • Security Control: ISM-1101; Revision: 3; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet.
  • Security Control: ISM-1103; Revision: 3; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet.
  • Security Control: ISM-1098; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups.
  • Security Control: ISM-1100; Revision: 1; Updated: Sep-18; Applicability: TS; Essential Eight: N/A
    • TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
  • Security Control: ISM-0213; Revision: 3; Updated: Mar-21; Applicability: All; Essential Eight: N/A
    • Different cable groups do not terminate on the same patch panel.
  • Security Control: ISM-1116; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS; Essential Eight: N/A
    • There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications.
  • Security Control: ISM-0216; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS; Essential Eight: N/A
    • TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets.
  • Security Control: ISM-0217; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Essential Eight: N/A
    • Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:
      • a physical barrier in the cabinet is provided to separate patch panels
      • only personnel holding a Positive Vetting security clearance have access to the cabinet
      • approval from the TOP SECRET system’s authorising officer is obtained prior to installation.
  • Security Control: ISM-0198; Revision: 3; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with.
  • Security Control: ISM-1123; Revision: 3; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
  • Security Control: ISM-0248; Revision: 6; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
  • Security Control: ISM-0247; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
  • Security Control: ISM-1137; Revision: 3; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
  • Security Control: ISM-0249; Revision: 4; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
  • Security Control: ISM-0246; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Essential Eight: N/A
    • An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications.
  • Security Control: ISM-0250; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • ICT equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.

ISM Guidelines for Communications Systems

  • Security Control: ISM-1078; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • A telephone system usage policy is developed and implemented.
  • Security Control: ISM-0229; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.
  • Security Control: ISM-0230; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.
  • Security Control: ISM-0231; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.
  • Security Control: ISM-0232; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.
  • Security Control: ISM-0233; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Cordless telephone systems are not used for sensitive or classified conversations.
  • Security Control: ISM-0235; Revision: 4; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room.
  • Security Control: ISM-0236; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating.
  • Security Control: ISM-0931; Revision: 6; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.
  • Security Control: ISM-1562; Revision: 0; Updated: Dec-19; Applicability: All; Essential Eight: N/A
    • Video conferencing and IP telephony infrastructure is hardened.
  • Security Control: ISM-0546; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video-aware or voice-aware firewall is used.
  • Security Control: ISM-0548; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Video conferencing and IP telephony calls are established using a secure session initiation protocol.
  • Security Control: ISM-0547; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.
  • Security Control: ISM-0554; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.
  • Security Control: ISM-0553; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Authentication and authorisation are used for all actions on a video conferencing network, including call setup and changing settings.
  • Security Control: ISM-0555; Revision: 3; Updated: Dec-19; Applicability: All; Essential Eight: N/A
    • Authentication and authorisation are used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.
  • Security Control: ISM-0551; Revision: 7; Updated: Jan-20; Applicability: All; Essential Eight: N/A
    • IP telephony is configured such that:
      • IP phones authenticate themselves to the call controller upon registration
      • auto-registration is disabled and only authorised devices are allowed to access the network
      • unauthorised devices are blocked by default
      • all unused and prohibited functionality is disabled.
  • Security Control: ISM-1014; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.
  • Security Control: ISM-0549; Revision: 4; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.
  • Security Control: ISM-0556; Revision: 5; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
  • Security Control: ISM-0558; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • IP phones used in public areas do not have the ability to access data networks, voicemail and directory services.
  • Security Control: ISM-0559; Revision: 5; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.
  • Security Control: ISM-1450; Revision: 2; Updated: Dec-21; Applicability: O, P, S; Essential Eight: N/A
    • Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.
  • Security Control: ISM-1019; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • A denial of service response plan is developed and implemented for video conferencing and IP telephony services that includes:
      • how to identify signs of a denial-of-service attack
      • how to identify the source of a denial-of-service attack
      • how capabilities can be maintained during a denial-of-service attack
      • what actions can be taken to respond to a denial-of-service attack.
  • Security Control: ISM-0588; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A fax machine and MFD usage policy is developed and implemented.
  • Security Control: ISM-1092; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages.
  • Security Control: ISM-0241; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure.
  • Security Control: ISM-1075; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time.
  • Security Control: ISM-0590; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Security controls for MFDs connected to networks are of a similar strength to those for other devices on networks.
  • Security Control: ISM-0245; Revision: 5; Updated: Dec-19; Applicability: All; Essential Eight: N/A
    • A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.
  • Security Control: ISM-0589; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • MFDs connected to networks are not used to copy documents above the sensitivity or classification of connected networks.
  • Security Control: ISM-1036; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Fax machines and MFDs are located in areas where their use can be observed.

ISM Guidelines for Enterprise Mobility

  • Security Control: ISM-1533; Revision: 2; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A mobile device management policy is developed and implemented.
  • Security Control: ISM-1195; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices.
  • Security Control: ISM-0687; Revision: 8; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by the ACSC.
  • Security Control: ISM-1297; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data.
  • Security Control: ISM-1400; Revision: 6; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC-approved platform, a security configuration in accordance with ACSC guidance and have enforced separation of work data from any personal data.
  • Security Control: ISM-0694; Revision: 7; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data.
  • Security Control: ISM-1482; Revision: 5; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Personnel accessing systems or data using an organisation-owned mobile device use an ACSC-approved platform with a security configuration in accordance with ACSC guidance.
  • Security Control: ISM-0869; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile devices encrypt their internal storage and any removable media.
  • Security Control: ISM-1085; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.
  • Security Control: ISM-1196; Revision: 1; Updated: Sep-18; Applicability: O, P; Essential Eight: N/A
    • Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
  • Security Control: ISM-1200; Revision: 4; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • Bluetooth pairing is performed using Secure Connections, preferably with Numeric Comparison if supported.
  • Security Control: ISM-1198; Revision: 1; Updated: Sep-18; Applicability: O, P; Essential Eight: N/A
    • Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.
  • Security Control: ISM-1199; Revision: 2; Updated: Dec-21; Applicability: O, P; Essential Eight: N/A
    • Bluetooth pairings are removed when there is no longer a requirement for their use.
  • Security Control: ISM-0682; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.
  • Security Control: ISM-0863; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned.
  • Security Control: ISM-0864; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.
  • Security Control: ISM-1366; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Security updates are applied to mobile devices as soon as they become available.
  • Security Control: ISM-0874; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile devices access the internet via a VPN connection to an organisation’s internet gateway rather than via a direct connection to the internet.
  • Security Control: ISM-0705; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • When accessing an organisation’s network via a VPN connection, split tunnelling is disabled.


  • Security Control: ISM-1082; Revision: 2; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A mobile device usage policy is developed and implemented.
  • Security Control: ISM-1083; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.
  • Security Control: ISM-0240; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.
  • Security Control: ISM-0866; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.
  • Security Control: ISM-1145; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.
  • Security Control: ISM-1644; Revision: 0; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.
  • Security Control: ISM-0871; Revision: 3; Updated: Apr-19; Applicability: All; Essential Eight: N/A
    • Mobile devices are kept under continual direct supervision when being actively used.
  • Security Control: ISM-0870; Revision: 3; Updated: Apr-19; Applicability: All; Essential Eight: N/A
    • Mobile devices are carried or stored in a secured state when not being actively used.
  • Security Control: ISM-1084; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.


  • Security Control: ISM-0701; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed and implemented.
  • Security Control: ISM-0702; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures.
  • Security Control: ISM-1298; Revision: 2; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Personnel are advised of privacy and security risks when travelling overseas with mobile devices.
  • Security Control: ISM-1554; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • If travelling overseas with mobile devices to high or extreme risk countries, personnel are:
      • issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities
      • advised on how to apply and inspect tamper seals to key areas of mobile devices
      • advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.
  • Security Control: ISM-1555; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Before travelling overseas with mobile devices, personnel take the following actions:
      • record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
      • update all operating systems and applications
      • remove all non-essential accounts, applications and data
      • apply security configuration settings, such as lock screens
      • configure remote locate and wipe functionality
      • enable encryption, including for any removable media
      • back up all important data and configuration settings.

While travelling overseas with mobile devices

  • Security Control: ISM-1299; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Personnel take the following precautions when travelling overseas with mobile devices:
      • never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
      • never storing credentials with mobile devices that they grant access to, such as in laptop bags
      • never lending mobile devices or removable media to untrusted people, even if briefly
      • never allowing untrusted people to connect their mobile devices or removable media, including for charging
      • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
      • avoiding connecting mobile devices to open or untrusted Wi-Fi networks
      • using a VPN connection to encrypt all mobile device communications
      • using encrypted messaging apps for communications instead of using foreign telecommunication networks
      • disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
      • avoiding reuse of removable media once used with other parties’ systems or mobile devices
      • ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand
      • never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling.
  • Security Control: ISM-1088; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:
      • provide credentials to foreign government officials
      • decrypt mobile devices for foreign government officials
      • have mobile devices taken out of sight by foreign government officials
      • have mobile devices or removable media stolen that are later returned
      • lose mobile devices or removable media that are later found
      • observe unusual behaviour of mobile devices.

After travelling overseas with mobile devices

  • Security Control: ISM-1300; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Upon returning from travelling overseas with mobile devices, personnel take the following actions:
      • sanitise and reset mobile devices, including all removable media
      • decommission any physical credentials that left their possession during their travel
      • report if significant doubt exists as to the integrity of any mobile devices or removable media.
  • Security Control: ISM-1556; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:
      • reset user credentials used with mobile devices, including those used for remote access to their organisation’s systems
      • monitor accounts for any indicators of compromise, such as failed logon attempts.

ISM Guidelines for Evaluated Products

  • Security Control: ISM-0280; Revision: 7; Updated: Sep-19; Applicability: All; Essential Eight: N/A
    • If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.
  • Security Control: ISM-0285; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.
  • Security Control: ISM-0286; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.
  • Security Control: ISM-0289; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation.
  • Security Control: ISM-0290; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC.
  • Security Control: ISM-0292; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • High assurance ICT equipment is always operated in an evaluated configuration.

ISM Guidelines for ICT Equipment

  • Security Control: ISM-1551; Revision: 0; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • An ICT equipment management policy is developed and implemented.
  • Security Control: ISM-0336; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An ICT equipment register is maintained and verified on a regular basis.
  • Security Control: ISM-0294; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
  • Security Control: ISM-0296; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • The ACSC’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
  • Security Control: ISM-0293; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.
  • Security Control: ISM-1599; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • ICT equipment is handled in a manner suitable for its sensitivity or classification.
  • Security Control: ISM-1079; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • The ACSC’s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment.
  • Security Control: ISM-0305; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Maintenance and repairs of ICT equipment are carried out on site by an appropriately cleared technician.
  • Security Control: ISM-0307; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media are sanitised before maintenance or repair work is undertaken.
  • Security Control: ISM-0306; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:
      • is appropriately cleared and briefed
      • takes due care to ensure that data is not disclosed
      • takes all responsible measures to ensure the integrity of the ICT equipment
      • has the authority to direct the technician
      • is sufficiently familiar with the ICT equipment to understand the work being performed.
  • Security Control: ISM-0310; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Maintenance or repairs of ICT equipment carried out off site are performed at facilities approved for handling the sensitivity or classification of the ICT equipment.
  • Security Control: ISM-1598; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place.
  • Security Control: ISM-0313; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed and implemented.
  • Security Control: ISM-1741; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • ICT equipment destruction processes, and supporting ICT equipment destruction procedures, are developed and implemented.
  • Security Control: ISM-0311; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • ICT equipment containing media is sanitised by removing the media from the ICT equipment or by sanitising the media in situ.
  • Security Control: ISM-1742; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • ICT equipment that cannot be sanitised is destroyed.
  • Security Control: ISM-1218; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ.
  • Security Control: ISM-0312; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.
  • Security Control: ISM-0315; Revision: 8; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • High assurance ICT equipment is destroyed prior to its disposal.
  • Security Control: ISM-0317; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum.
  • Security Control: ISM-1219; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller.
  • Security Control: ISM-1220; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.
  • Security Control: ISM-1221; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam.
  • Security Control: ISM-0318; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.
  • Security Control: ISM-1534; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Printer ribbons in printers and MFDs are removed and destroyed.
  • Security Control: ISM-1076; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time.
  • Security Control: ISM-1222; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Televisions and computer monitors that cannot be sanitised are destroyed.
  • Security Control: ISM-1223; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Memory in network devices is sanitised using the following processes, in order of preference:
      • following device-specific guidance provided in evaluation documentation
      • following vendor sanitisation guidance
      • loading a dummy configuration file, performing a factory reset and then reinstalling firmware.
  • Security Control: ISM-1225; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.
  • Security Control: ISM-1226; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.
  • Security Control: ISM-1550; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed and implemented.
  • Security Control: ISM-1217; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal.
  • Security Control: ISM-0321; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its disposal.
  • Security Control: ISM-0316; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain.

ISM Guidelines for Media

  • Security Control: ISM-1549; Revision: 0; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A media management policy is developed and implemented.
  • Security Control: ISM-1359; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A removable media usage policy is developed and implemented.
  • Security Control: ISM-1713; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A removable media register is maintained and verified on a regular basis.
  • Security Control: ISM-0332; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
  • Security Control: ISM-0323; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification.
  • Security Control: ISM-0337; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
  • Security Control: ISM-0325; Revision: 6; Updated: Apr-21; Applicability: All; Essential Eight: N/A
    • Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.
  • Security Control: ISM-0330; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it.


  • Security Control: ISM-0831; Revision: 5; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Media is handled in a manner suitable for its sensitivity or classification.
  • Security Control: ISM-1059; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • All data stored on media is encrypted.


  • Security Control: ISM-1600; Revision: 1; Updated: Apr-21; Applicability: All; Essential Eight: N/A
    • Media is sanitised before it is used for the first time.
  • Security Control: ISM-1642; Revision: 0; Updated: Apr-21; Applicability: All; Essential Eight: N/A
    • Media is sanitised before it is reused in a different security domain.


  • Security Control: ISM-0347; Revision: 5; Updated: Apr-21; Applicability: All; Essential Eight: N/A
    • When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.
  • Security Control: ISM-0947; Revision: 6; Updated: Apr-21; Applicability: All; Essential Eight: N/A
    • When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer.
  • Security Control: ISM-0348; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Media sanitisation processes, and supporting media sanitisation procedures, are developed and implemented.


  • Security Control: ISM-0351; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Volatile media is sanitised by removing its power for at least 10 minutes.
  • Security Control: ISM-0352; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
  • Security Control: ISM-0835; Revision: 4; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time.
  • Security Control: ISM-0354; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification.
  • Security Control: ISM-1065; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.
  • Security Control: ISM-1067; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.
  • Security Control: ISM-0356; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.


  • Security Control: ISM-0357; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Non-volatile EPROM media is sanitised by applying three times the manufacturer’s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.


  • Security Control: ISM-0836; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.


  • Security Control: ISM-0358; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.


  • Security Control: ISM-0359; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification.


  • Security Control: ISM-0360; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification.
  • Security Control: ISM-1735; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal.
  • Security Control: ISM-0363; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Media destruction processes, and supporting media destruction procedures, are developed and implemented.
  • Security Control: ISM-0350; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The following media types are destroyed prior to their disposal:
      • microfiche and microfilm
      • optical discs
      • programmable read-only memory
      • read-only memory
      • other types of media that cannot be sanitised.

Media destruction equipment

When physically destroying media, using approved equipment can provide a level of assurance that the data it stores is actually destroyed.

  • Security Control: ISM-1361; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • SCEC or ASIO-approved equipment is used when destroying media.
  • Security Control: ISM-1160; Revision: 2; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used.
  • Security Control: ISM-1517; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.
  • Security Control: ISM-1722; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Electrostatic memory devices are destroyed using a furnace/incinerator, hammer mill, disintegrator or grinder/sander.
  • Security Control: ISM-1723; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Magnetic floppy disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting.
  • Security Control: ISM-1724; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser.
  • Security Control: ISM-1725; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Magnetic tapes are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting.
  • Security Control: ISM-1726; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or by cutting.
  • Security Control: ISM-1727; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Semiconductor memory is destroyed using a furnace/incinerator, hammer mill or disintegrator.
  • Security Control: ISM-0368; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting results in media waste particles no larger than 9 mm.


  • Security Control: ISM-1728; Revision: 0; Updated: Dec-21; Applicability: S; Essential Eight: N/A
    • The resulting media waste particles from the destruction of SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm.
  • Security Control: ISM-1729; Revision: 0; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • The resulting media waste particles from the destruction of TOP SECRET media are stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm.


  • Security Control: ISM-0361; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation.
  • Security Control: ISM-0362; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Product-specific directions provided by degausser manufacturers are followed.
  • Security Control: ISM-1641; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Following the use of a degausser, magnetic media is physically damaged by deforming any internal platters.
  • Security Control: ISM-0370; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The destruction of media is performed under the supervision of at least one person cleared to its sensitivity or classification.
  • Security Control: ISM-0371; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.
  • Security Control: ISM-0372; Revision: 5; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • The destruction of media storing accountable material is performed under the supervision of at least two personnel cleared to its sensitivity or classification.
  • Security Control: ISM-0373; Revision: 4; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.
  • Security Control: ISM-0840; Revision: 3; Updated: Sep-18; Applicability: O, P, S; Essential Eight: N/A
    • When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used.
  • Security Control: ISM-0839; Revision: 3; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A
    • The destruction of media storing accountable material is not outsourced.
  • Security Control: ISM-0374; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Media disposal processes, and supporting media disposal procedures, are developed and implemented.
  • Security Control: ISM-0378; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal.
  • Security Control: ISM-0375; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.

ISM Guidelines for System Hardening

  • Security Control: ISM-1743; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Operating systems are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
  • Security Control: ISM-1407; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • The latest release, or the previous release, of operating systems is used for workstations, servers and network devices.
  • Security Control: ISM-1744; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The latest release, or the previous release, of operating systems is used for other ICT equipment.
  • Security Control: ISM-1408; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Where supported, 64-bit versions of operating systems are used for workstations, servers, network devices and other ICT equipment.


  • Security Control: ISM-1406; Revision: 2; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • SOEs are used for workstations and servers.
  • Security Control: ISM-1608; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • SOEs provided by third parties are scanned for malicious code and configurations.
  • Security Control: ISM-1588; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • SOEs are reviewed and updated at least annually.
  • Security Control: ISM-1409; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems.
  • Security Control: ISM-0380; Revision: 9; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unneeded accounts, components, services and functionality of operating systems are disabled or removed.
  • Security Control: ISM-0383; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Default credentials for pre-configured accounts are changed.
  • Security Control: ISM-0341; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Automatic execution features for removable media are disabled.
  • Security Control: ISM-1654; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Internet Explorer 11 is disabled or removed.
  • Security Control: ISM-1655; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
  • Security Control: ISM-1492; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Operating system exploit protection functionality is enabled.
  • Security Control: ISM-1745; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.
  • Security Control: ISM-1584; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.
  • Security Control: ISM-1491; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unprivileged users are prevented from running script execution engines, including:
      • Windows Script Host (cscript.exe and wscript.exe)
      • PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
      • Command Prompt (cmd.exe)
      • Windows Management Instrumentation (wmic.exe)
      • Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).


  • Security Control: ISM-1592; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unprivileged users do not have the ability to install unapproved software.
  • Security Control: ISM-0382; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unprivileged users do not have the ability to uninstall or disable approved software.
  • Security Control: ISM-0843; Revision: 9; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Application control is implemented on workstations.
  • Security Control: ISM-1490; Revision: 3; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Application control is implemented on internet-facing servers.
  • Security Control: ISM-1656; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Application control is implemented on non-internet-facing servers.
  • Security Control: ISM-1657; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
  • Security Control: ISM-1658; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Application control restricts the execution of drivers to an organisation-approved set.
  • Security Control: ISM-0955; Revision: 6; Updated: Apr-20; Applicability: All; Essential Eight: N/A
    • Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules.
  • Security Control: ISM-1582; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Application control rulesets are validated on an annual or more frequent basis.
  • Security Control: ISM-1471; Revision: 2; Updated: Apr-20; Applicability: All; Essential Eight: N/A
    • When implementing application control using publisher certificate rules, both publisher names and product names are used.
  • Security Control: ISM-1392; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When implementing application control using path rules, only approved users can write to and modify content within approved folders and files.
  • Security Control: ISM-1746; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When implementing application control using path rules, only approved users can change file system permissions for approved folders and files.
  • Security Control: ISM-1544; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Microsoft’s ‘recommended block rules’ are implemented.
  • Security Control: ISM-1659; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Microsoft’s ‘recommended driver block rules’ are implemented.
  • Security Control: ISM-0846; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • No users (with the exception of local administrator accounts and break glass accounts) can disable, bypass or be exempted from application control.
  • Security Control: ISM-1660; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Allowed and blocked executions on workstations are logged.
  • Security Control: ISM-1661; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Allowed and blocked executions on internet-facing servers are logged.
  • Security Control: ISM-1662; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Allowed and blocked executions on non-internet-facing servers are logged.
  • Security Control: ISM-1663; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Application control event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-1621; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Windows PowerShell 2.0 is disabled or removed.
  • Security Control: ISM-1622; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: ML3
    • PowerShell is configured to use Constrained Language Mode.
  • Security Control: ISM-1623; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • PowerShell is configured to use module logging, script block logging and transcription functionality.
  • Security Control: ISM-1624; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • PowerShell script block logs are protected by Protected Event Logging functionality.
  • Security Control: ISM-1664; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Blocked PowerShell script executions are logged.
  • Security Control: ISM-1665; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • PowerShell event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-1341; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • A HIPS is implemented on workstations.
  • Security Control: ISM-1034; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A HIPS is implemented on critical servers and high-value servers.
  • Security Control: ISM-1416; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.
  • Security Control: ISM-1417; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Antivirus software is implemented on workstations and servers with:
      • signature-based detection functionality enabled and set to a high level
      • heuristic-based detection functionality enabled and set to a high level
      • reputation rating functionality enabled
      • ransomware protection functionality enabled
      • detection signatures configured to update on at least a daily basis
      • regular scanning configured for all fixed disks and removable media.
  • Security Control: ISM-1418; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces.
  • Security Control: ISM-0343; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces.
  • Security Control: ISM-0345; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • External communication interfaces that allow DMA are disabled.
  • Security Control: ISM-0582; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The following events are logged for operating systems:
      • application and operating system crashes and error messages
      • changes to security policies and system configurations
      • successful user logons and logoffs, failed user logons and account lockouts
      • failures, restarts and changes to important processes and services
      • requests to access internet resources
      • security product-related events
      • system startups and shutdowns.
  • Security Control: ISM-1747; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Operating system event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.


  • Security Control: ISM-0938; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Applications are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
  • Security Control: ISM-1467; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The latest releases of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used.
  • Security Control: ISM-1483; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The latest releases of web server applications, and other internet-accessible server applications, are used.
  • Security Control: ISM-1412; Revision: 3; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented.
  • Security Control: ISM-1470; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed.
  • Security Control: ISM-1235; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set.
  • Security Control: ISM-1486; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Web browsers do not process Java from the internet.
  • Security Control: ISM-1485; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Web browsers do not process web advertisements from the internet.
  • Security Control: ISM-1666; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2
    • Internet Explorer 11 does not process content from the internet.
  • Security Control: ISM-1667; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office is blocked from creating child processes.
  • Security Control: ISM-1668; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office is blocked from creating executable content.
  • Security Control: ISM-1669; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office is blocked from injecting code into other processes.
  • Security Control: ISM-1542; Revision: 0; Updated: Jan-19; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
  • Security Control: ISM-1670; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • PDF software is blocked from creating child processes.
  • Security Control: ISM-1601; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Microsoft’s Attack Surface Reduction rules are implemented.
  • Security Control: ISM-1585; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Web browser, Microsoft Office and PDF software security settings cannot be changed by users.
  • Security Control: ISM-1748; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Office productivity suite, email client and security product security settings cannot be changed by users.
  • Security Control: ISM-1671; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Security Control: ISM-1488; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office macros in files originating from the internet are blocked.
  • Security Control: ISM-1672; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office macro antivirus scanning is enabled.
  • Security Control: ISM-1673; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office macros are blocked from making Win32 API calls.
  • Security Control: ISM-1674; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
  • Security Control: ISM-1487; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
  • Security Control: ISM-1675; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
  • Security Control: ISM-1676; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
  • Security Control: ISM-1489; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: ML2, ML3
    • Microsoft Office macro security settings cannot be changed by users.
  • Security Control: ISM-1677; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Allowed and blocked Microsoft Office macro executions are logged.
  • Security Control: ISM-1678; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Microsoft Office macro event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-1546; Revision: 0; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • Users are authenticated before they are granted access to a system and its resources.


  • Security Control: ISM-0974; Revision: 6; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • Multi-factor authentication is used to authenticate unprivileged users of systems.
  • Security Control: ISM-1173; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication is used to authenticate privileged users of systems.
  • Security Control: ISM-1504; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
  • Security Control: ISM-1679; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
  • Security Control: ISM-1680; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
  • Security Control: ISM-1681; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
  • Security Control: ISM-1505; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Multi-factor authentication is used to authenticate users accessing important data repositories.
  • Security Control: ISM-1401; Revision: 5; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
  • Security Control: ISM-1682; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Multi-factor authentication is verifier impersonation resistant.
  • Security Control: ISM-1559; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.
  • Security Control: ISM-1560; Revision: 2; Updated: Mar-22; Applicability: S; Essential Eight: N/A
    • Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters.
  • Security Control: ISM-1561; Revision: 2; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
    • Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.
  • Security Control: ISM-1683; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Successful and unsuccessful multi-factor authentications are logged.
  • Security Control: ISM-1684; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Multi-factor authentication event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.


  • Security Control: ISM-0417; Revision: 5; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.
  • Security Control: ISM-0421; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply.
  • Security Control: ISM-1557; Revision: 2; Updated: Dec-21; Applicability: S; Essential Eight: N/A
    • Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.
  • Security Control: ISM-0422; Revision: 8; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
    • Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.
  • Security Control: ISM-1558; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material.
  • Security Control: ISM-1596; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Passphrases are not reused for single-factor authentication across different systems.
  • Security Control: ISM-1593; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Users provide sufficient evidence to verify their identity when requesting new credentials.
  • Security Control: ISM-1227; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Credentials set for user accounts are randomly generated.
  • Security Control: ISM-1594; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors.
  • Security Control: ISM-1595; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Credentials provided to users are changed on first use.
  • Security Control: ISM-1619; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • Service accounts are created as group Managed Service Accounts.
  • Security Control: ISM-1403; Revision: 2; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • Accounts are locked out after a maximum of five failed logon attempts.
  • Security Control: ISM-1603; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Authentication methods susceptible to replay attacks are disabled.
  • Security Control: ISM-1055; Revision: 4; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • LAN Manager and NT LAN Manager authentication methods are disabled.
  • Security Control: ISM-1620; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
    • Privileged accounts are members of the Protected Users security group.
  • Security Control: ISM-1685; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.
  • Security Control: ISM-0418; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Physical credentials are stored separately from systems to which they grant access.
  • Security Control: ISM-1597; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Credentials are obscured as they are entered into systems.
  • Security Control: ISM-1402; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Credentials stored on systems are protected by a password manager; a hardware security module; or by hashing, salting and stretching them before storage within a database.
  • Security Control: ISM-1686; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
  • Security Control: ISM-1749; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Cached credentials are limited to one previous logon.
  • Security Control: ISM-1590; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Credentials are changed if:
      • they are directly compromised
      • they are suspected of being compromised
      • they appear in an online data breach database
      • they are discovered stored on networks in the clear
      • they are discovered being transferred across networks in the clear
      • membership of a shared account changes
      • they have not been changed in the past 12 months.
  • Security Control: ISM-0853; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Outside of business hours, after an appropriate period of inactivity, user sessions are automatically terminated and workstations are rebooted.
  • Security Control: ISM-0428; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Systems are configured with a session or screen lock that:
      • activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
      • conceals all session content on the screen
      • ensures that the screen does not enter a power saving state before the session or screen lock is activated
      • requires users to reauthenticate to unlock the session
      • denies users the ability to disable the session or screen locking mechanism.
  • Security Control: ISM-0408; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.
  • Security Control: ISM-0979; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Legal advice is sought on the exact wording of logon banners.
  • Security Control: ISM-1460; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that has made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
  • Security Control: ISM-1604; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.
  • Security Control: ISM-1605; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system is hardened.
  • Security Control: ISM-1606; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware, patches, updates or vendor mitigations for security vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner.
  • Security Control: ISM-1607; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.
  • Security Control: ISM-1461; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When using a software-based isolation mechanism to share a physical server’s hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.

ISM Guidelines for System Management

  • Security Control: ISM-0042; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • System administration processes, and supporting system administration procedures, are developed and implemented.
  • Security Control: ISM-1211; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation.
  • Security Control: ISM-1380; Revision: 5; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged users use separate privileged and unprivileged operating environments.
  • Security Control: ISM-1687; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged operating environments are not virtualised within unprivileged operating environments.
  • Security Control: ISM-1688; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Unprivileged accounts cannot log on to privileged operating environments.
  • Security Control: ISM-1689; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Privileged accounts (excluding local administrator accounts) cannot log on to unprivileged operating environments.
  • Security Control: ISM-1385; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Administrative infrastructure is segregated from the wider network.
  • Security Control: ISM-1750; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Administrative infrastructure for critical servers, high-value servers and regular servers is segregated from each other.
  • Security Control: ISM-1386; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Network management traffic can only originate from administrative infrastructure.
  • Security Control: ISM-1387; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Administrative activities are conducted through jump servers.
  • Security Control: ISM-1381; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Only privileged operating environments can communicate with jump servers.
  • Security Control: ISM-1388; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Only jump servers can communicate with assets requiring administrative activities to be performed.
  • Security Control: ISM-1143; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Patch management processes, and supporting patch management procedures, are developed and implemented.
  • Security Control: ISM-0298; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.


  • Security Control: ISM-1493; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Software registers are maintained for workstations, servers, network devices and other ICT equipment and verified on a regular basis.
  • Security Control: ISM-1643; Revision: 0; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.
  • Security Control: ISM-1690; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Security Control: ISM-1691; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
  • Security Control: ISM-1692; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists.
  • Security Control: ISM-1693; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month.
  • Security Control: ISM-1694; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Security Control: ISM-1695; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
  • Security Control: ISM-1696; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists.
  • Security Control: ISM-1751; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Security Control: ISM-1697; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Security Control: ISM-0300; Revision: 8; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Patches, updates or vendor mitigations for security vulnerabilities in high assurance ICT equipment are applied only when approved by the ACSC, and in doing so, using methods and timeframes prescribed by the ACSC.
  • Security Control: ISM-1698; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
  • Security Control: ISM-1699; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Security Control: ISM-1700; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
  • Security Control: ISM-1701; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.
  • Security Control: ISM-1702; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.
  • Security Control: ISM-1752; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of other ICT equipment.
  • Security Control: ISM-1703; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in drivers and firmware.
  • Security Control: ISM-1704; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
  • Security Control: ISM-0304; Revision: 6; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Applications that are no longer supported by vendors are removed.
  • Security Control: ISM-1501; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Operating systems that are no longer supported by vendors are replaced.
  • Security Control: ISM-1753; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Network devices and other ICT equipment that are no longer supported by vendors are replaced.
  • Security Control: ISM-1510; Revision: 1; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A digital preservation policy is developed and implemented.
  • Security Control: ISM-1547; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Data backup processes, and supporting data backup procedures, are developed and implemented.
  • Security Control: ISM-1548; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Data restoration processes, and supporting data restoration procedures, are developed and implemented.


  • Security Control: ISM-1511; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
  • Security Control: ISM-1705; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access other accounts’ backups.
  • Security Control: ISM-1706; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access their own account’s backups.
  • Security Control: ISM-1707; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups.
  • Security Control: ISM-1708; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
    • Backup administrators (excluding backup break glass accounts) are prevented from modifying or deleting backups.
  • Security Control: ISM-1515; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
    • Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.

ISM Guidelines for System Monitoring

  • Security Control: ISM-0580; Revision: 6; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • An event logging policy is developed and implemented.
  • Security Control: ISM-0585; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded.
  • Security Control: ISM-1405; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A centralised event logging facility is implemented and systems are configured to save event logs to the facility as soon as possible after each event occurs.
  • Security Control: ISM-0988; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An accurate time source is established and used consistently across systems to assist with identifying connections between events.
  • Security Control: ISM-0109; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Event logs are analysed in a timely manner to detect cyber security events.
  • Security Control: ISM-1228; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Cyber security events are analysed in a timely manner to identify cyber security incidents.
  • Security Control: ISM-0859; Revision: 3; Updated: Jan-20; Applicability: All; Essential Eight: N/A
    • Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication.
  • Security Control: ISM-0991; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Domain Name System and web proxy event logs are retained for at least 18 months.

ISM Guidelines for Software Development

  • Security Control: ISM-0400; Revision: 5; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Development, testing and production environments are segregated.
  • Security Control: ISM-1419; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Development and modification of software only takes place in development environments.
  • Security Control: ISM-1420; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment.
  • Security Control: ISM-1422; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Unauthorised access to the authoritative source for software is prevented.
  • Security Control: ISM-0401; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Secure-by-design principles and secure programming practices are used as part of application development.
  • Security Control: ISM-1238; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Threat modelling is used in support of application development.
  • Security Control: ISM-1730; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • A software bill of materials is produced and made available to consumers of software.
  • Security Control: ISM-0402; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Applications are robustly tested for security vulnerabilities by software developers, as well as independent parties, prior to their initial release and following any maintenance activities.
  • Security Control: ISM-1754; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Security vulnerabilities identified in applications are resolved by software developers.
  • Security Control: ISM-1616; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.
  • Security Control: ISM-1755; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A vulnerability disclosure policy is developed and implemented.
  • Security Control: ISM-1756; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed and implemented.
  • Security Control: ISM-1717; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in an organisation’s products and services.
  • Security Control: ISM-0971; Revision: 7; Updated: Apr-19; Applicability: All; Essential Eight: N/A
    • The OWASP Application Security Verification Standard is followed when developing web applications.
  • Security Control: ISM-1239; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Robust web application frameworks are used in the development of web applications.
  • Security Control: ISM-1552; Revision: 0; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • All web application content is offered exclusively using HTTPS.
  • Security Control: ISM-1240; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Validation or sanitisation is performed on all input handled by web applications.
  • Security Control: ISM-1241; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Output encoding is performed on all output produced by web applications.
  • Security Control: ISM-1424; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers.
  • Security Control: ISM-1536; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The following events are logged for web applications: attempted access that is denied, crashes and error messages, and search queries initiated by users.
  • Security Control: ISM-1757; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Web application event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

ISM Guidelines for Database Systems


ISM Guidelines for Email

  • Security Control: ISM-0264; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • An email usage policy is developed and implemented.
  • Security Control: ISM-0267; Revision: 7; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Access to non-approved webmail services is blocked.
  • Security Control: ISM-0270; Revision: 6; Updated: Jun-21; Applicability: All; Essential Eight: N/A
    • Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments.
  • Security Control: ISM-0271; Revision: 3; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Protective marking tools do not automatically insert protective markings into emails.
  • Security Control: ISM-0272; Revision: 4; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.
  • Security Control: ISM-1089; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used.


  • Security Control: ISM-0565; Revision: 4; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Email servers are configured to block, log and report emails with inappropriate protective markings.
  • Security Control: ISM-1023; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified.


  • Security Control: ISM-0269; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be confirmed.
  • Security Control: ISM-0569; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Emails are routed via a centralised email gateway.
  • Security Control: ISM-0571; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisation’s centralised email gateway.
  • Security Control: ISM-0570; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.
  • Security Control: ISM-0567; Revision: 4; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Email servers only relay emails destined for or originating from their domains.
  • Security Control: ISM-0572; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.
  • Security Control: ISM-1589; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: N/A
    • MTA-STS is enabled to prevent the transfer of unencrypted emails between complying servers.
  • Security Control: ISM-0574; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • SPF is used to specify authorised email servers (or lack thereof) for all domains.
  • Security Control: ISM-1183; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • A hard fail SPF record is used when specifying email servers.
  • Security Control: ISM-1151; Revision: 3; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • SPF is used to verify the authenticity of incoming emails.
  • Security Control: ISM-1152; Revision: 3; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.
  • Security Control: ISM-0861; Revision: 2; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • DKIM signing is enabled on emails originating from an organisation’s domains.
  • Security Control: ISM-1026; Revision: 5; Updated: Jan-20; Applicability: All; Essential Eight: N/A
    • DKIM signatures on received emails are verified.
  • Security Control: ISM-1027; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature.
  • Security Control: ISM-1540; Revision: 1; Updated: Oct-19; Applicability: All; Essential Eight: N/A
    • DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.
  • Security Control: ISM-1234; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Email content filtering is implemented for email bodies and attachments.
  • Security Control: ISM-1502; Revision: 1; Updated: Mar-19; Applicability: All; Essential Eight: N/A
    • Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.
  • Security Control: ISM-1024; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means.

ISM Guidelines for Networking

  • Security Control: ISM-0516; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances.
  • Security Control: ISM-0518; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement.
  • Security Control: ISM-1178; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.
  • Security Control: ISM-1181; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Networks are segregated into multiple network zones according to the criticality of servers, services and data.
  • Security Control: ISM-1577; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An organisation’s networks are segregated from their service providers’ networks.
  • Security Control: ISM-1532; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • VLANs are not used to separate network traffic between an organisation’s networks and public network infrastructure.
  • Security Control: ISM-0529; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • VLANs are not used to separate network traffic between networks belonging to different security domains.
  • Security Control: ISM-0530; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Network devices managing VLANs are administered from the most trusted security domain.
  • Security Control: ISM-0535; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Network devices managing VLANs belonging to different security domains do not share VLAN trunks.
  • Security Control: ISM-1364; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.
  • Security Control: ISM-0521; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • IPv6 functionality is disabled in dual-stack network devices unless it is being used.
  • Security Control: ISM-1186; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • IPv6 capable network security appliances are used on IPv6 and dual-stack networks.
  • Security Control: ISM-1428; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Unless explicitly required, IPv6 tunnelling is disabled on all network devices.
  • Security Control: ISM-1429; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries.
  • Security Control: ISM-1430; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility.
  • Security Control: ISM-0520; Revision: 6; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Network access controls are implemented on networks to prevent the connection of unauthorised network devices.
  • Security Control: ISM-1182; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes.
  • Security Control: ISM-1304; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Default accounts for network devices are disabled, renamed or have their credentials changed.
  • Security Control: ISM-0534; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Unused physical ports on network devices are disabled.
  • Security Control: ISM-0385; Revision: 6; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Servers maintain effective functional separation with other servers allowing them to operate independently.
  • Security Control: ISM-1479; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Servers minimise communications with other servers at both the network and file system level.
  • Security Control: ISM-1006; Revision: 6; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Security measures are implemented to prevent unauthorised access to network management traffic.
  • Security Control: ISM-1311; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • SNMP versions 1 and 2 are not used on networks.
  • Security Control: ISM-1312; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • All default SNMP community strings on network devices are changed and write access is disabled.
  • Security Control: ISM-1028; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A NIDS or NIPS is deployed in gateways between an organisation’s networks and other networks they do not manage.
  • Security Control: ISM-1030; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset.
  • Security Control: ISM-1185; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When deploying a NIDS or NIPS in non-internet gateways, it is configured for anomaly-based detection rather than signature-based detection.


  • Security Control: ISM-1627; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
    • Inbound network connections from anonymity networks to internet-facing services are blocked.
  • Security Control: ISM-1628; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
    • Outbound network connections to anonymity networks are blocked.

ISM Guidelines for Cryptography

  • Security Control: ISM-0499; Revision: 9; Updated: Jun-21; Applicability: S, TS; Essential Eight: N/A
    • All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with.
  • Security Control: ISM-0506; Revision: 4; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Areas in which HACE are used are separated from other areas and designated as cryptographic controlled areas.
  • Security Control: ISM-0457; Revision: 9; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.
  • Security Control: ISM-0460; Revision: 11; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • HACE is used when encrypting media that contains SECRET or TOP SECRET data.
  • Security Control: ISM-0459; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest.
  • Security Control: ISM-1080; Revision: 4; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm is used to encrypt AUSTEO and AGAO data when at rest on a system.
  • Security Control: ISM-0465; Revision: 9; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
  • Security Control: ISM-0467; Revision: 10; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
  • Security Control: ISM-0469; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect AUSTEO and AGAO data when communicated over network infrastructure.
  • Security Control: ISM-0455; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Where practical, cryptographic equipment and software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
  • Security Control: ISM-0462; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When a user authenticates to the encryption functionality of ICT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from the encryption functionality.
  • Security Control: ISM-0501; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material.
  • Security Control: ISM-0142; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.
  • Security Control: ISM-1091; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Keying material is changed when compromised or suspected of being compromised.
  • Security Control: ISM-0471; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software.
  • Security Control: ISM-0994; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • ECDH and ECDSA are used in preference to DH and DSA.
  • Security Control: ISM-0472; Revision: 6; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits.
  • Security Control: ISM-1759; Revision: 0; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits.
  • Security Control: ISM-1629; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.
  • Security Control: ISM-0473; Revision: 5; Updated: Dec-20; Applicability: O, P; Essential Eight: N/A
    • When using DSA for digital signatures, a modulus of at least 2048 bits is used.
  • Security Control: ISM-1630; Revision: 2; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4.
  • Security Control: ISM-1760; Revision: 0; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • DSA is not used for digital signatures.
  • Security Control: ISM-1446; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • When using elliptic curve cryptography, a curve from FIPS 186-4 is used.
  • Security Control: ISM-0474; Revision: 6; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve.
  • Security Control: ISM-1761; Revision: 0; Updated: Mar-22; Applicability: S; Essential Eight: N/A
    • When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.
  • Security Control: ISM-1762; Revision: 0; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
    • When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.
  • Security Control: ISM-0475; Revision: 6; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve.
  • Security Control: ISM-1763; Revision: 0; Updated: Mar-22; Applicability: S; Essential Eight: N/A
    • When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.
  • Security Control: ISM-1764; Revision: 0; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
    • When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.


  • Security Control: ISM-0476; Revision: 7; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used, preferably 3072 bits.
  • Security Control: ISM-1765; Revision: 0; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 3072 bits is used, preferably 3072 bits.
  • Security Control: ISM-0477; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using RSA for digital signatures, and for passing encryption session keys or similar keys, a different key pair is used for digital signatures and passing encrypted session keys.


  • Security Control: ISM-1766; Revision: 0; Updated: Mar-22; Applicability: O, P; Essential Eight: N/A
    • When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384.
  • Security Control: ISM-1767; Revision: 0; Updated: Mar-22; Applicability: S; Essential Eight: N/A
    • When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384.
  • Security Control: ISM-1768; Revision: 0; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
    • When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384.


  • Security Control: ISM-1769; Revision: 0; Updated: Mar-22; Applicability: O, P, S; Essential Eight: N/A
    • When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256.
  • Security Control: ISM-1770; Revision: 0; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
    • When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256.
  • Security Control: ISM-0479; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
  • Security Control: ISM-0481; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software.
  • Security Control: ISM-1139; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Only the latest version of TLS is used for TLS connections.
  • Security Control: ISM-1369; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • AES-GCM is used for encryption of TLS connections.
  • Security Control: ISM-1370; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Only server-initiated secure renegotiation is used for TLS connections.
  • Security Control: ISM-1372; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • DH or ECDH is used for key establishment of TLS connections.
  • Security Control: ISM-1448; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used.
  • Security Control: ISM-1373; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Anonymous DH is not used for TLS connections.
  • Security Control: ISM-1374; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • SHA-2-based certificates are used for TLS connections.
  • Security Control: ISM-1375; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections.
  • Security Control: ISM-1553; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • TLS compression is disabled for TLS connections.
  • Security Control: ISM-1453; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Perfect Forward Secrecy (PFS) is used for TLS connections.
  • Security Control: ISM-1506; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The use of SSH version 1 is disabled for SSH connections.
  • Security Control: ISM-0484; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • The SSH daemon is configured to:
      • only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
      • have a suitable login banner (Banner x)
      • have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
      • disable host-based authentication (HostbasedAuthentication no)
      • disable rhosts-based authentication (IgnoreRhosts yes)
      • disable the ability to login directly as root (PermitRootLogin no)
      • disable empty passwords (PermitEmptyPasswords no)
      • disable connection forwarding (AllowTCPForwarding no)
      • disable gateway ports (GatewayPorts no)
      • disable X11 forwarding (X11Forwarding no).
  • Security Control: ISM-0485; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Public key-based authentication is used for SSH connections.
  • Security Control: ISM-1449; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • SSH private keys are protected with a passphrase or a key encryption key.
  • Security Control: ISM-0487; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When using logins without a passphrase for SSH connections, the following are disabled:
      • access from IP addresses that do not require access
      • port forwarding
      • agent credential forwarding
      • X11 display remoting
      • console access.
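The TLS controls above (ISM-1369, ISM-1372, ISM-1448, ISM-1373, ISM-1375 and ISM-1453) can be checked mechanically against a server's cipher suite list, because an IANA suite name encodes the key exchange, bulk cipher and hash in a fixed pattern. The following is an added example, not ASD's or the page's own code: it parses IANA-style suite names (TLS 1.2 form TLS_KEX_AUTH_WITH_CIPHER_HASH and the TLS 1.3 form TLS_CIPHER_HASH) and reports which control each suite breaks. The suite names in the demonstration are constructed input.

```python
"""Evaluate IANA-style TLS cipher suite names against the TLS controls above
(ISM-1369, ISM-1372, ISM-1448, ISM-1373, ISM-1375, ISM-1453).

Added example, not ASD's or the page's own code. The suite list at the bottom
is constructed input; suite names follow the IANA TLS registry."""
from dataclasses import dataclass, field

# TLS 1.3 suites name only the AEAD and the HKDF hash: the handshake always
# uses ephemeral (EC)DHE with forward secrecy and is never anonymous, so only
# the AEAD choice is left to check for these.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
SHA2_NAMES = {"SHA256", "SHA384", "SHA512"}


@dataclass
class SuiteFinding:
    suite: str
    failed: list = field(default_factory=list)  # (control id, reason) pairs

    @property
    def compliant(self) -> bool:
        return not self.failed

    def controls(self) -> set:
        return {control for control, _ in self.failed}


def evaluate_suite(name: str) -> SuiteFinding:
    f = SuiteFinding(name)
    if name in TLS13_SUITES:
        if not (name.startswith("TLS_AES_") and "_GCM_" in name):
            f.failed.append(("ISM-1369", "TLS 1.3 AEAD is not AES-GCM"))
        return f
    if not name.startswith("TLS_") or "_WITH_" not in name:
        f.failed.append(("parse", "not a TLS 1.2-style IANA suite name"))
        return f

    # TLS_<KEX>_<AUTH>_WITH_<CIPHER>_<HASH>, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    left, _, right = name.partition("_WITH_")
    tokens = left.split("_")[1:]              # ["ECDHE", "RSA"] or ["DH", "anon"]
    kex = tokens[0]
    cipher, _, mac = right.rpartition("_")    # "AES_256_GCM", "SHA384"

    if "anon" in tokens:
        f.failed.append(("ISM-1373", "anonymous DH gives no server authentication"))
    if kex not in {"DH", "DHE", "ECDH", "ECDHE"}:
        f.failed.append(("ISM-1372", f"key establishment is {kex}, not DH or ECDH"))
    elif kex in {"DH", "ECDH"} and "anon" not in tokens:
        # static (EC)DH derives every session from the certificate's long-term
        # key, so compromise of that key exposes recorded sessions: no PFS
        f.failed.append(("ISM-1448", "static DH/ECDH rather than the ephemeral variant"))
        f.failed.append(("ISM-1453", "no perfect forward secrecy"))
    if not (cipher.startswith("AES_") and cipher.endswith("_GCM")):
        f.failed.append(("ISM-1369", f"bulk cipher is {cipher}, not AES-GCM"))
    if mac not in SHA2_NAMES:
        # for AEAD suites the trailing hash names the PRF; for CBC suites the HMAC
        f.failed.append(("ISM-1375", f"HMAC/PRF hash is {mac}, not SHA-2"))
    return f


def compliant_suites(names):
    """Subset of the given suite names that passes every control, order kept."""
    return [n for n in names if evaluate_suite(n).compliant]


if __name__ == "__main__":
    # constructed preference list, as might be pasted from a server's config
    for suite in ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"]:
        result = evaluate_suite(suite)
        print(suite, "OK" if result.compliant else result.failed)
```

The check only covers what a suite name states. ISM-1139 (latest TLS version), ISM-1370 (secure renegotiation) and ISM-1553 (compression) depend on the negotiated protocol version and extensions, so they need a handshake-level check rather than a name parser.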


  • Security Control: ISM-0488; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • If using remote access without the use of a passphrase for SSH connections, the ‘forced command’ option is used to specify what command is executed and parameter checking is enabled.


  • Security Control: ISM-0489; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When SSH-agent or similar key caching programs are used, they are limited to workstations and servers with screen locks and key caches that are set to expire within four hours of inactivity.


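ISM-0484 above names the sshd_config directives and values an SSH daemon must carry. The audit below is an added example, not ASD tooling or the page's own code: it parses the global section of an sshd_config (before any Match block), applies sshd's own rules that keywords are case-insensitive and the first occurrence wins, and judges directives that are absent from the file against the OpenSSH defaults, since sshd applies those silently and a missing AllowTcpForwarding line means forwarding is enabled. The config text at the bottom is a constructed sample.

```python
"""Audit the global section of an sshd_config against the ISM-0484 directive
list above. Added example, not ASD tooling or the page's own code. The config
text at the bottom is a constructed sample."""
import re

# OpenSSH server defaults for the directives ISM-0484 names (per sshd_config(5))
DEFAULTS = {
    "banner": "none",
    "logingracetime": "120",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "x11forwarding": "no",
}
# lowercased keyword -> (canonical spelling, value ISM-0484 requires)
YES_NO_REQUIRED = {
    "hostbasedauthentication": ("HostbasedAuthentication", "no"),
    "ignorerhosts": ("IgnoreRhosts", "yes"),
    "permitrootlogin": ("PermitRootLogin", "no"),
    "permitemptypasswords": ("PermitEmptyPasswords", "no"),
    "allowtcpforwarding": ("AllowTcpForwarding", "no"),
    "gatewayports": ("GatewayPorts", "no"),
    "x11forwarding": ("X11Forwarding", "no"),
}
WILDCARD_LISTEN = ("0.0.0.0", "::", "[::]")


def parse_global_section(text: str):
    """Return ({keyword: first value}, [ListenAddress values]) for the lines
    before the first Match block. sshd keywords are case-insensitive and the
    first occurrence of a keyword wins, which this mirrors."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                       # drop comments
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks are outside this global audit
        if key == "listenaddress":
            listen.append(value)
        else:
            settings.setdefault(key, value)
    return settings, listen


def seconds(value: str) -> int:
    """Parse sshd time formats (60, 1m, 2h30m) into seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u.lower()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))


def audit_sshd_config(text: str) -> dict:
    """Map each non-compliant directive (canonical spelling) to a reason."""
    settings, listen = parse_global_section(text)
    findings = {}
    if not listen:
        findings["ListenAddress"] = "not set, so sshd listens on every interface"
    elif any(a in WILDCARD_LISTEN or a.startswith(("0.0.0.0:", "[::]:")) for a in listen):
        findings["ListenAddress"] = "a wildcard address listens on every interface"
    if settings.get("banner", DEFAULTS["banner"]).lower() == "none":
        findings["Banner"] = "no login banner configured"
    grace = settings.get("logingracetime", DEFAULTS["logingracetime"])
    if seconds(grace) == 0 or seconds(grace) > 60:
        findings["LoginGraceTime"] = f"{grace} exceeds 60 seconds (0 disables the limit)"
    for key, (name, required) in YES_NO_REQUIRED.items():
        value = settings.get(key, DEFAULTS[key])
        if value.lower() != required:
            origin = "set to" if key in settings else "defaults to"
            findings[name] = f"{origin} {value}, ISM-0484 requires {required}"
    return findings


# constructed sample, not taken from any real host
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 192.0.2.10
Banner /etc/issue.net
LoginGraceTime 2m
PermitRootLogin prohibit-password
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
GatewayPorts no
X11Forwarding no
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for directive, reason in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{directive}: {reason}")
```

On the sample, the audit reports LoginGraceTime (2m is 120 seconds), PermitRootLogin (prohibit-password is not no) and AllowTcpForwarding (the only "no" sits inside a Match block, so the global default of yes still applies). The control's spelling AllowTCPForwarding is accepted by sshd because keyword matching is case-insensitive, and the audit lowercases keywords for the same reason.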
  • Security Control: ISM-0490; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections.
  • Security Control: ISM-0494; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.
  • Security Control: ISM-0496; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The ESP protocol is used for authentication and encryption of IPsec connections.
  • Security Control: ISM-1233; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • IKE version 2 is used for key exchange when establishing IPsec connections.
  • Security Control: ISM-1771; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.
  • Security Control: ISM-1772; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, preferably PRF_HMAC_SHA2_512.
  • Security Control: ISM-0998; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating IPsec connections, preferably NONE.
  • Security Control: ISM-0999; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.
  • Security Control: ISM-0498; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections.
  • Security Control: ISM-1000; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
    • PFS is used for IPsec connections.
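The IPsec controls above (ISM-1771, ISM-1772, ISM-0998, ISM-0999 and ISM-0498) distinguish between what is required and what is merely preferred, and ISM-0998's "NONE (only with AES-GCM)" couples the integrity choice to the cipher choice. The checker below is an added example, not ASD's or the page's own code: it evaluates an IKEv2/ESP proposal expressed with the IANA IKEv2 transform names the controls use and IANA DH group numbers (the preferred groups named in ISM-0999 are 20 for 384-bit random ECP, 15 for 3072-bit MODP and 16 for 4096-bit MODP), separating hard failures from preference notes. The proposal dicts are constructed input.

```python
"""Check an IKEv2/ESP proposal against the IPsec controls above: ISM-1771
(AES, preferably ENCR_AES_GCM_16), ISM-1772 (SHA-2 PRF, preferably
PRF_HMAC_SHA2_512), ISM-0998 (SHA-2 integrity, or NONE only with AES-GCM),
ISM-0999 (DH/ECDH, preferably 384-bit ECP, 3072-bit or 4096-bit MODP) and
ISM-0498 (SA lifetime under 14400 seconds).

Added example, not ASD's or the page's own code. Transform names are the IANA
IKEv2 registry names the controls use; DH groups are IANA group numbers; the
proposal dicts are constructed input."""

ALLOWED_PRFS = {"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA2_384", "PRF_HMAC_SHA2_512"}
ALLOWED_INTEG = {"AUTH_HMAC_SHA2_256_128", "AUTH_HMAC_SHA2_384_192", "AUTH_HMAC_SHA2_512_256"}
# IANA IKEv2 Transform Type 4: 15 = 3072-bit MODP, 16 = 4096-bit MODP, 20 = 384-bit random ECP
PREFERRED_DH_GROUPS = {15, 16, 20}
MAX_LIFETIME_SECONDS = 14400


def check_ipsec_proposal(p: dict) -> dict:
    """Return {"fail": [(control, reason)], "prefer": [(control, note)]}.
    "fail" entries break a control; "prefer" entries are permitted choices
    that are not the control's stated preference."""
    fail, prefer = [], []
    encr = p["encr"]
    is_gcm = encr.startswith("ENCR_AES_GCM")

    if not encr.startswith("ENCR_AES_"):
        fail.append(("ISM-1771", f"{encr} is not AES"))
    elif encr != "ENCR_AES_GCM_16":
        prefer.append(("ISM-1771", f"{encr} is AES, but ENCR_AES_GCM_16 is preferred"))

    prf = p["prf"]
    if prf not in ALLOWED_PRFS:
        fail.append(("ISM-1772", f"{prf} is not a SHA-2 PRF"))
    elif prf != "PRF_HMAC_SHA2_512":
        prefer.append(("ISM-1772", f"{prf} is permitted, but PRF_HMAC_SHA2_512 is preferred"))

    integ = p.get("integ", "NONE")
    if integ == "NONE":
        if not is_gcm:
            # a non-AEAD cipher with no integrity transform leaves packets unauthenticated
            fail.append(("ISM-0998", f"integrity NONE is only permitted with AES-GCM, not {encr}"))
    elif integ not in ALLOWED_INTEG:
        fail.append(("ISM-0998", f"{integ} is not a SHA-2 integrity transform"))
    elif is_gcm:
        # AES-GCM is a combined-mode (AEAD) algorithm; RFC 5282 does not allow a
        # separate integrity transform alongside it, so this proposal is malformed
        fail.append(("proposal", f"{integ} cannot be combined with the AEAD {encr}"))
    else:
        prefer.append(("ISM-0998", f"{integ} is permitted, but NONE with AES-GCM is preferred"))

    dh = p.get("dh")
    if dh is None:
        fail.append(("ISM-0999", "no DH/ECDH group in the proposal"))
    elif dh not in PREFERRED_DH_GROUPS:
        prefer.append(("ISM-0999", f"group {dh} is DH/ECDH, but groups 20, 15 or 16 are preferred"))

    if p["lifetime_seconds"] >= MAX_LIFETIME_SECONDS:
        fail.append(("ISM-0498", f"SA lifetime {p['lifetime_seconds']} s is not under {MAX_LIFETIME_SECONDS} s"))
    return {"fail": fail, "prefer": prefer}


if __name__ == "__main__":
    # constructed proposals: the first matches every stated preference, the
    # second is AES-CBC with no integrity transform and a four-hour lifetime
    for proposal in [
        {"encr": "ENCR_AES_GCM_16", "prf": "PRF_HMAC_SHA2_512", "integ": "NONE", "dh": 20, "lifetime_seconds": 3600},
        {"encr": "ENCR_AES_CBC", "prf": "PRF_HMAC_SHA2_256", "integ": "NONE", "dh": 14, "lifetime_seconds": 14400},
    ]:
        print(proposal, check_ipsec_proposal(proposal))
```

The second constructed proposal shows the coupling in ISM-0998: AES-CBC is permitted AES (a preference note only), but pairing it with integrity NONE is a hard failure because NONE is allowed solely with AES-GCM. A lifetime of exactly 14400 seconds also fails, since ISM-0498 requires less than four hours.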

ISM Guidelines for Gateways

  • Security Control: ISM-0628; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways are implemented between networks belonging to different security domains.
  • Security Control: ISM-0637; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways implement a demilitarised zone if external parties require access to an organisation’s services.
  • Security Control: ISM-0631; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways only allow explicitly authorised data flows.
  • Security Control: ISM-1192; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways inspect and filter data flows at the transport layer and above.
  • Security Control: ISM-1427; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing.
  • Security Control: ISM-1520; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • System administrators for gateways undergo appropriate employment screening and, where necessary, hold an appropriate security clearance based on the sensitivity or classification of gateways.
  • Security Control: ISM-0613; Revision: 6; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals.
  • Security Control: ISM-1773; Revision: 0; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals.
  • Security Control: ISM-0611; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • System administrators for gateways are assigned the minimum privileges required to perform their duties.
  • Security Control: ISM-0616; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Separation of duties is implemented in performing administrative activities for gateways.
  • Security Control: ISM-0612; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • System administrators for gateways are formally trained on the operation and management of gateways.
  • Security Control: ISM-1774; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways are managed via a secure path isolated from all connected networks.
  • Security Control: ISM-0629; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually-agreed third party.
  • Security Control: ISM-0619; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Users authenticate to other networks accessed via gateways.
  • Security Control: ISM-0622; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • ICT equipment authenticates to other networks accessed via gateways.
  • Security Control: ISM-0634; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways are configured to:
      • log network traffic permitted through gateways
      • log network traffic attempting to leave gateways
      • provide real-time alerts for attempted intrusions and unusual usage patterns.
  • Security Control: ISM-1775; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateway event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.


  • Security Control: ISM-1037; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Gateways are subject to rigorous testing following configuration changes, and at irregular intervals no more than six months apart, to determine the effectiveness of security controls.
  • Security Control: ISM-0626; Revision: 6; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • CDSs are implemented between SECRET or TOP SECRET networks and any other networks belonging to different security domains.
  • Security Control: ISM-0597; Revision: 7; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When planning, designing, implementing or introducing additional connectivity to CDSs, the ACSC is consulted and any directions provided by the ACSC are complied with.
  • Security Control: ISM-0635; Revision: 7; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • CDSs implement isolated upward and downward network paths.
  • Security Control: ISM-1522; Revision: 3; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • CDSs implement independent security-enforcing functions for upward and downward network paths.
  • Security Control: ISM-1521; Revision: 3; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • CDSs implement protocol breaks at each network layer.
  • Security Control: ISM-0670; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • All security-relevant events generated by CDSs are logged.
  • Security Control: ISM-1776; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • CDS event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
  • Security Control: ISM-1523; Revision: 1; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • A sample of security-relevant events relating to data transfer policies is taken at least every 3 months and assessed against security policies for CDSs to identify any operational failures.
  • Security Control: ISM-0610; Revision: 8; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Users are trained on the secure use of CDSs before access is granted.
  • Security Control: ISM-1528; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Evaluated firewalls are used between an organisation’s networks and public network infrastructure.
  • Security Control: ISM-0639; Revision: 9; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Evaluated firewalls are used between networks belonging to different security domains.
  • Security Control: ISM-0643; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisation’s networks and public network infrastructure.
  • Security Control: ISM-0645; Revision: 7; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high assurance evaluation.
  • Security Control: ISM-1157; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Evaluated diodes are used for controlling the data flow of unidirectional gateways between networks.
  • Security Control: ISM-1158; Revision: 6; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and any other networks complete a high assurance evaluation.
  • Security Control: ISM-0648; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The volume of data transferred across diodes is monitored.
  • Security Control: ISM-0258; Revision: 3; Updated: Aug-19; Applicability: All; Essential Eight: N/A
    • A web usage policy is developed and implemented.
  • Security Control: ISM-0260; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • All web access, including that by internal servers, is conducted through web proxies.
  • Security Control: ISM-0261; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • The following details are logged for websites accessed via web proxies:
      • address
      • date and time
      • user
      • amount of data uploaded and downloaded
      • internal and external IP addresses.
  • Security Control: ISM-1777; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Web proxy event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.


  • Security Control: ISM-0963; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Web content filters are used to filter potentially harmful web-based content.
  • Security Control: ISM-0961; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Client-side active content is restricted by web content filters to an organisation-approved list of domain names.
  • Security Control: ISM-1237; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Web content filtering is applied to outbound web traffic where appropriate.
  • Security Control: ISM-0958; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways.
  • Security Control: ISM-1236; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters.
  • Security Control: ISM-1171; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Attempts to access websites through their IP addresses instead of their domain names are blocked by web content filters.
  • Security Control: ISM-0659; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs undergo content filtering checks.
  • Security Control: ISM-0651; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files identified by content filtering checks as malicious, or that cannot be inspected, are blocked.
  • Security Control: ISM-0652; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for release.
  • Security Control: ISM-1524; Revision: 2; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed.
  • Security Control: ISM-1293; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Encrypted files imported or exported via gateways or CDSs are decrypted in order to undergo content filtering checks.
  • Security Control: ISM-1289; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering checks.
  • Security Control: ISM-1290; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected.
  • Security Control: ISM-1288; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines.
  • Security Control: ISM-1389; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious behaviour.
  • Security Control: ISM-0649; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs are filtered for allowed file types.
  • Security Control: ISM-1284; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs undergo content validation.
  • Security Control: ISM-1286; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs undergo content conversion.
  • Security Control: ISM-1287; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs undergo content sanitisation.
  • Security Control: ISM-0677; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Files imported or exported via gateways or CDSs that have a digital signature or checksum are validated.
  • Security Control: ISM-0591; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Evaluated peripheral switches are used when sharing peripherals between systems.
  • Security Control: ISM-1457; Revision: 4; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably complete a high assurance evaluation.
  • Security Control: ISM-1480; Revision: 2; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation.

ISM Guidelines for Data Transfers

  • Security Control: ISM-0663; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
    • Data transfer processes, and supporting data transfer procedures, are developed and implemented.
  • Security Control: ISM-1535; Revision: 4; Updated: Mar-22; Applicability: S, TS
    • Processes, and supporting procedures, are developed and implemented to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems.
  • Security Control: ISM-0661; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Users transferring data to and from systems are held accountable for data transfers they perform.
  • Security Control: ISM-0657; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When manually importing data to systems, the data is scanned for malicious and active content.
  • Security Control: ISM-0658; Revision: 6; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When manually importing data to SECRET and TOP SECRET systems, the data undergoes data formatting checks.
  • Security Control: ISM-1778; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When manually importing data to systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.
  • Security Control: ISM-0664; Revision: 7; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trusted source beforehand.
  • Security Control: ISM-0675; Revision: 6; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trusted source.
  • Security Control: ISM-0665; Revision: 6; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
    • Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by an organisation’s Chief Information Security Officer.
  • Security Control: ISM-1187; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When manually exporting data from systems, the data is checked for unsuitable protective markings.
  • Security Control: ISM-0669; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • When manually exporting data from SECRET and TOP SECRET systems, the data undergoes data formatting checks, data type and size checks, signature checks, and keyword checks within all textual data.
  • Security Control: ISM-1779; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • When manually exporting data from systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.
  • Security Control: ISM-1586; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
    • Data transfer logs are used to record all data imports and exports from systems.
  • Security Control: ISM-1294; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
    • Data transfer logs for systems are partially verified at least monthly.
  • Security Control: ISM-0660; Revision: 9; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
    • Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly.

Links