Understanding the Australian Information Security Manual (ISM)

The Information Security Manual (ISM), published by the Australian Signals Directorate, provides strategic guidance on how organisations can safeguard their systems and data from cyber attacks. This post explains what the ISM is, who it is for, and the cyber security principles and maturity model it sets out.

What is the Australian Signals Directorate (ASD)?

The Australian Signals Directorate (ASD) is a key member of Australia's national security community. It carries out the full range of work expected of a modern signals intelligence and security agency: foreign signals intelligence, cyber security and offensive cyber operations in support of the Australian Government and the Australian Defence Force (ADF).

What is the Information Security Manual (ISM)?

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their own risk management framework, to protect their systems and data from cyber threats. The ISM is not a checklist to be applied blindly: each organisation is expected to select the controls relevant to its systems and to justify, through its risk management process, any that are not implemented.

Who is the ISM intended for?

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.




The ISM consists of two parts: cyber security principles and cyber security guidelines.

Cyber security principles: these provide strategic guidance on how organisations can protect their systems and data from cyber threats. The principles are grouped under four key activities: govern, protect, detect and respond. An organisation following the ISM should be able to demonstrate that it is adhering to these principles.

Cyber security guidelines: these are practical controls that an organisation can apply to safeguard its systems and data from cyber threats. The guidelines cover governance, physical security, personnel security, and information and communications technology security. Organisations should consider the guidelines that are relevant to each of the systems they operate.

Cybersecurity Principles

The ISM's cyber security principles are grouped into four categories:

  - Govern: identifying and managing security risks.
  - Protect: implementing security controls to reduce security risks.
  - Detect: detecting and understanding cyber security events.
  - Respond: responding to and recovering from cyber security incidents.

The principles under each category are listed below:

Govern Principles

G1: A Chief Information Security Officer provides leadership and oversight of cyber security.

G2: The identity and value of systems, applications and data is determined and documented.

G3: The confidentiality, integrity and availability requirements of systems, applications and data is determined and documented.

G4: Security risk management processes are embedded into organisational risk management frameworks.

G5: Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.

Protect Principles 

P1: Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.

P2: Systems and applications are delivered and supported by trusted suppliers.

P3: Systems and applications are configured to reduce their attack surface.

P4: Systems and applications are administered in a secure, accountable and auditable manner.

P5: Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.

P6: Only trusted and supported operating systems, applications and computer code can execute on systems.

P7: Data is encrypted at rest and in transit between different systems.

P8: Data communicated between different systems is controlled, inspectable and auditable.

P9: Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis.

P10: Only trusted and vetted personnel are granted access to systems, applications and data repositories.

P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties.

P12: Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.

P13: Personnel are provided with ongoing cyber security awareness training.

P14: Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.

Detect Principle 

D1: Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.

Respond Principles

R1: Cyber security incidents are identified and reported both internally and externally to relevant bodies in a timely manner.

R2: Cyber security incidents are contained, eradicated and recovered from in a timely manner.

R3: Business continuity and disaster recovery plans are enacted when required.

Maturity Modelling

When implementing the principles above, organisations can use the following maturity model to assess their implementation of individual principles, groups of principles, or the principles as a whole.

The maturity model consists of five levels:

  1. Incomplete: The cyber security principles are only partially implemented or not implemented at all.
  2. Initial: The cyber security principles are implemented, but in a poor or ad hoc manner.
  3. Developing: The cyber security principles are sufficiently implemented, but only on a project-by-project basis.
  4. Managing: The cyber security principles are established as standard business practice and robustly implemented throughout the organisation.
  5. Optimising: There is a deliberate focus on optimisation and continual improvement of how the cyber security principles are implemented throughout the organisation.

Now that you understand the ISM in greater depth, are you planning to review your current systems and become compliant with the Australian Government's Information Security Manual? StickmanCyber's expert team can help.

The First Step is Crucial. Start with a Cybersecurity Assessment

Where are you on your cyber security maturity journey? Get an assessment of your current security posture and identify the gaps and challenges you need to act on.
