
The 22 Cybersecurity Guidelines of the ISM

Understand the 22 key ISM cybersecurity guidelines to help intelligently set up your cybersecurity systems and strategy.


The Information Security Manual's cybersecurity guidelines are created to provide practical guidance on how organizations can go about safeguarding their systems and data from cyber attacks. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters. Organisations should consider the cyber security guidelines that are relevant to each of the systems that they operate.

The ISM Cyber Security Guidelines 


Guidelines for Cyber Security Roles - An organisation contains a number of key cyber security roles, including a Chief Information Security Officer and system owners. This section of the ISM guidelines outlines the purpose and responsibilities of these cyber security roles.

Guidelines for Cyber Security Incidents - A cyber security incident is an unwanted or unexpected cyber security event, or series of such events, that has a significant probability of compromising business operations. This section of the ISM guidelines outlines how to detect, manage and report cyber security incidents.

Guidelines for Outsourcing - Outsourcing can be a cost-effective option for providing information technology and cloud services. However, it can also introduce third-party risks, which should be appropriately managed. This section of the ISM guidelines outlines how to select, manage, use and review these services.

Guidelines for Security Documentation - Security documentation can be used to define an organisation's cyber security strategy and how it protects its systems. This section of the ISM guidelines outlines how to develop and maintain security documentation, and explains the security documentation an organisation can use to support security assessment and assurance activities.

Guidelines for Physical Security - Protecting physical assets is an important part of ensuring an organisation's cyber security. This section of the ISM guidelines outlines physical security measures for facilities and systems, ICT equipment and media, and wireless devices and Radio Frequency transmitters.

Guidelines for Personnel Security - Personnel security is an important part of ensuring an organisation's cyber security. This section of the ISM guidelines outlines how to conduct cyber security awareness training and control access to systems and their resources.

Guidelines for Communications Infrastructure - Communications infrastructure refers to a cable management system, including cables, cable reticulation systems and wall outlet boxes. This section of the ISM guidelines outlines cable management, cable labelling and registration, cable patching, and emanation security.

Guidelines for Communications Systems - Communications systems include telephone systems, video conferencing and Internet Protocol telephony, and fax machines and multifunction devices. This section of the ISM guidelines outlines how to harden these communications systems.

Guidelines for Enterprise Mobility - Enterprise mobility refers to the use of mobile devices within an organisation. This section of the ISM guidelines outlines the management and use of mobile devices.

Guidelines for Evaluated Products - The Australian Signals Directorate performs product evaluations in order to provide a level of assurance in a product's security functionality. This section of the ISM guidelines outlines how to acquire and use an evaluated product.

Guidelines for ICT Equipment - ICT equipment is capable of processing, storing or communicating large volumes of data. This section of the ISM guidelines outlines the management, maintenance, repair, sanitisation and disposal of ICT equipment.

Guidelines for Media - Media is capable of storing large volumes of information and should be managed appropriately. This section of the ISM guidelines outlines the usage, sanitisation, destruction and disposal of media.

Guidelines for System Hardening - System hardening is the process of securing systems in order to reduce their attack surface. Different tools and techniques can be used to perform system hardening. This section of the ISM guidelines outlines system hardening processes for operating systems, applications and authentication mechanisms.

Guidelines for System Management - System management activities ensure not only the operation of systems but also their security. This section of the ISM guidelines outlines system management activities that are integral to ensuring system security, such as system administration, system patching, change management, and data backup and restoration.

Guidelines for System Monitoring - System monitoring contributes to the security posture of a system, helps detect potential cyber security incidents, and supports investigations following cyber security incidents. This section of the ISM guidelines outlines how system events can be logged and audited.

Guidelines for Software Development - Secure coding practices should be embedded into an organisation's software development process. This section of the ISM guidelines outlines how to secure the development of traditional, mobile and web applications.

Guidelines for Database Systems - Databases can contain large volumes of information and should be secured appropriately. This section of the ISM guidelines outlines how database servers, database management system software and databases can be hardened.

Guidelines for Email - Email is a common vehicle for delivering malicious code; for example, malware is often delivered via phishing emails. This section of the ISM guidelines outlines secure email usage and how to secure email gateways and servers.

Guidelines for Networking - A secure network design is an important part of ensuring an organisation's overall security posture. This section of the ISM guidelines outlines the design and configuration of networks, and provides specific guidance on wireless network security and how to ensure service continuity for online services.

Guidelines for Cryptography - The purpose of cryptography is to provide confidentiality, integrity, authentication and non-repudiation of information. Encryption of data at rest can be used to reduce the physical storage and handling requirements for ICT equipment and media, while encryption of data in transit can be used to protect information communicated over public network infrastructure. This section of the ISM guidelines outlines cryptographic fundamentals; ASD Approved Cryptographic Algorithms; ASD Approved Cryptographic Protocols such as Transport Layer Security, Secure Shell, Secure/Multipurpose Internet Mail Extensions and Internet Protocol Security; and how to manage cryptographic systems appropriately.

Guidelines for Gateways - Gateways act as information flow control mechanisms at the network layer and may also control information at the higher layers of the Open Systems Interconnection model. This section of the ISM guidelines outlines different types of gateways, including the use of Cross Domain Solutions, firewalls, diodes, web proxies and content filters, and peripheral switches.

Guidelines for Data Transfers - Data transfers, when conducted appropriately, can ensure that the confidentiality and integrity of data are maintained. This section of the ISM guidelines outlines how to secure data transfers between systems.

Now that you understand the ISM in greater depth, are you planning to review your current systems and become compliant with the Australian government's Information Security Manual? StickmanCyber's expert team can help.
