
Australian Information Security Manual

Country: Australia
Version: ISM March 2026 (OSCAL v2026.03.24)
22 domains, 1081 controls

ACSC Information Security Manual. Australian Government cybersecurity controls baseline.


Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.

Visit cyber.gov.au

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (22)

Guidelines for communications infrastructure

53 controls
Code      Title
ISM-0181  Cabling infrastructure is installed in accordance with relevant Australian Standards, as d
ISM-0187  SECRET cables, when bundled together or run in conduit, are run exclusively in their own i
ISM-0194  In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit
ISM-0195  In shared facilities, uniquely identifiable SCEC-approved tamper-evident seals are used to
ISM-0198  When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Orga
ISM-0201  Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre
ISM-0206  Cable labelling processes, and supporting cable labelling procedures, are developed, imple
ISM-0208  A cable register contains the following for each cable: - cable identifier - cable colour
ISM-0211  A cable register is developed, implemented, maintained and verified on a regular basis.
ISM-0213  SECRET and TOP SECRET cables are terminated on their own individual patch panels.
ISM-0216  TOP SECRET patch panels are installed in individual TOP SECRET cabinets.
ISM-0217  Where spatial constraints demand non-TOP SECRET patch panels be installed in the same cabi
ISM-0218  If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wa
ISM-0246  When an emanation security risk assessment is required, it is sought as early as possible
ISM-0249  System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployab
ISM-0250  IT equipment meets industry and government standards relating to electromagnetic interfere
ISM-0926  Non-classified, OFFICIAL: Sensitive and PROTECTED cables are coloured neither salmon pink
ISM-1095  Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.
ISM-1096  Cables are labelled at each end with sufficient source and destination details to enable t
ISM-1098  SECRET cables are terminated in an individual cabinet; or for small systems, a cabinet wit
ISM-1100  TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
ISM-1101  In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or c
ISM-1102  Cable reticulation systems leading into cabinets are terminated as close as possible to th
ISM-1103  In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms
ISM-1105  SECRET and TOP SECRET wall outlet boxes contain exclusively SECRET or TOP SECRET cables.
ISM-1107  Non-classified, OFFICIAL: Sensitive and PROTECTED wall outlet boxes are coloured neither s
ISM-1109  Wall outlet box covers are clear plastic.
ISM-1111  Fibre-optic cables are used for cabling infrastructure instead of copper cables.
ISM-1112  Cables in non-TOP SECRET areas are inspectable every five metres or less.
ISM-1114  Cable bundles or conduits sharing a common cable reticulation system have a dividing parti
ISM-1115  Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
ISM-1116  A visible gap exists between TOP SECRET cabinets and non-TOP SECRET cabinets.
ISM-1119  Cables in TOP SECRET areas are fully inspectable for their entire length.
ISM-1122  Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET ca
ISM-1123  A power distribution board with a feed from an Uninterruptible Power Supply is used to pow
ISM-1130  In shared facilities, cables are run in an enclosed cable reticulation system.
ISM-1133  In shared facilities, TOP SECRET cables are not run in party walls.
ISM-1137  System owners deploying SECRET or TOP SECRET systems within fixed facilities contact ASD f
ISM-1164  In shared facilities, conduits or the front covers of ducts, cable trays in floors and cei
ISM-1216  SECRET and TOP SECRET cables with non-conformant cable colouring are banded with the appro
ISM-1639  Building management cables are labelled with their purpose in black writing on a yellow ba
ISM-1640  Cables for foreign systems installed in Australian facilities are labelled at inspection p
ISM-1645  Floor plan diagrams are developed, implemented, maintained and verified on a regular basis
ISM-1646  Floor plan diagrams contain the following: - cable paths (including ingress and egress poi
ISM-1718  SECRET cables are coloured salmon pink.
ISM-1719  TOP SECRET cables are coloured red.
ISM-1720  SECRET wall outlet boxes are coloured salmon pink.
ISM-1721  TOP SECRET wall outlet boxes are coloured red.
ISM-1820  Cables for individual systems use a consistent colour.
ISM-1821  TOP SECRET cables, when bundled together or run in conduit, are run exclusively in their o
ISM-1822  Wall outlet boxes for individual systems use a consistent colour.
ISM-1884  Emanation security doctrine produced by ASD for the management of emanation security matte
ISM-1885  Recommended actions contained within emanation security mitigation advice issued for syste

Guidelines for communications systems

33 controls
Code      Title
ISM-0229  Personnel are advised of the permitted sensitivity or classification of information that c
ISM-0230  Personnel are advised of security risks posed by non-secure telephone systems in areas whe
ISM-0231  When using cryptographic equipment to permit different levels of conversation for differen
ISM-0232  Telephone systems used for sensitive or classified conversations encrypt all traffic that
ISM-0233  Cordless telephone handsets and headsets are not used for sensitive or classified conversa
ISM-0235  Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone s
ISM-0236  Off-hook audio protection features are used on telephone systems in areas where background
ISM-0245  MFDs are not connected to digital telephone systems.
ISM-0546  When video conferencing or IP telephony traffic passes through a gateway containing a fire
ISM-0547  Video conferencing and IP telephony calls are conducted using a secure real-time transport
ISM-0548  Video conferencing and IP telephony calls are established using a secure session initiatio
ISM-0549  Video conferencing and IP telephony traffic is separated physically or logically from othe
ISM-0551  IP telephony is configured such that: - IP phones authenticate themselves to the call cont
ISM-0553  Authentication and authorisation is used for all actions on a video conferencing network,
ISM-0554  An encrypted and non-replayable two-way authentication scheme is used for call authenticat
ISM-0555  Authentication and authorisation is used for all actions on an IP telephony network, inclu
ISM-0556  Workstations are not connected to video conferencing units or IP phones unless the worksta
ISM-0558  IP phones used in public areas do not have the ability to access data networks, voicemail
ISM-0559  Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET
ISM-0588  An MFD usage policy is developed, implemented and maintained.
ISM-0589  MFDs are not used to scan or copy documents above the sensitivity or classification of net
ISM-0590  Authentication measures for MFDs are the same strength as those used for workstations on n
ISM-0931  In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to
ISM-1014  Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversation
ISM-1019  A denial of service response plan for video conferencing and IP telephony services is deve
ISM-1036  MFDs are located in areas where their use can be observed.
ISM-1078  A telephone system usage policy is developed, implemented and maintained.
ISM-1450  Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SE
ISM-1562  Video conferencing and IP telephony infrastructure is hardened.
ISM-1805  A denial of service response plan for video conferencing and IP telephony services contain
ISM-1854  Users authenticate to MFDs before they can print, scan or copy documents.
ISM-1855  Use of MFDs for printing, scanning and copying purposes, including the capture of shadow c
ISM-2075  Fax machines, and online fax services, are not used for sending or receiving fax messages.

Guidelines for cryptography

73 controls
Code      Title
ISM-0142  The compromise or suspected compromise of cryptographic equipment or associated keying mat
ISM-0455  Where practical, cryptographic equipment, applications and libraries provide a means of da
ISM-0457  Cryptographic equipment, applications or libraries that have completed a Common Criteria e
ISM-0459  Full disk encryption, or partial encryption where access controls will only allow writing
ISM-0460  HACE is used when encrypting media that contains SECRET or TOP SECRET data.
ISM-0462  When a user authenticates to the encryption functionality of IT equipment or media, it is
ISM-0465  Cryptographic equipment, applications or libraries that have completed a Common Criteria e
ISM-0467  HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently s
ISM-0469  An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is
ISM-0471  Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment,
ISM-0472  When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is
ISM-0474  When using ECDH for agreeing on encryption session keys, a base point order and key size o
ISM-0475  When using ECDSA for digital signatures, a base point order and key size of at least 224 b
ISM-0476  When using RSA for digital signatures, and transporting encryption session keys (and simil
ISM-0477  When using RSA for digital signatures, and for transporting encryption session keys (and s
ISM-0479  Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
ISM-0481  Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment,
ISM-0484  The SSH daemon is configured to: - only listen on the required interfaces (ListenAddress x
ISM-0485  Public key-based authentication is used for SSH connections.
ISM-0487  When using logins without a password for SSH connections, the following are disabled: - ac
ISM-0488  If using remote access without the use of a password for SSH connections, the 'forced comm
ISM-0489  When SSH-agent or similar key caching applications are used, it is limited to workstations
ISM-0490  Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections.
ISM-0494  Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel
ISM-0496  The ESP protocol is used for authentication and encryption of IPsec connections.
ISM-0498  A security association lifetime of less than four hours (14400 seconds) is used for IPsec
ISM-0499  Communications security doctrine and policy produced by ASD for the management and operati
ISM-0501  Keyed cryptographic equipment is transported based on the sensitivity or classification of
ISM-0507  Cryptographic key management processes, and supporting cryptographic key management proced
ISM-0994  ECDH is used in preference to DH.
ISM-0998  AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with
ISM-0999  DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random E
ISM-1000  PFS is used for IPsec connections.
ISM-1080  An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm i
ISM-1091  Keying material is changed when compromised or suspected of being compromised.
ISM-1139  Only the latest version of TLS is used for TLS connections.
ISM-1233  IKE version 2 is used for key exchange when establishing IPsec connections.
ISM-1369  AES-GCM is used for encryption of TLS connections.
ISM-1370  Only server-initiated secure renegotiation is used for TLS connections.
ISM-1372  DH or ECDH is used for key establishment of TLS connections.
ISM-1373  Anonymous DH is not used for TLS connections.
ISM-1374  SHA-2-based certificates are used for TLS connections.
ISM-1375  SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom funct
ISM-1446  When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.
ISM-1448  When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is u
ISM-1449  SSH private keys are protected with a password or a key encryption key.
ISM-1453  Perfect Forward Secrecy (PFS) is used for TLS connections.
ISM-1506  The use of SSH version 1 is disabled for SSH connections.
ISM-1553  TLS compression is disabled for TLS connections.
ISM-1629  When using DH for agreeing on encryption session keys, a modulus and associated parameters
ISM-1759  When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is
ISM-1761  When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves
ISM-1762  When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are us
ISM-1763  When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, prefe
ISM-1764  When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably t
ISM-1765  When using RSA for digital signatures, and transporting encryption session keys (and simil
ISM-1766  When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-
ISM-1767  When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-
ISM-1768  When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-
ISM-1769  When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256.
ISM-1770  When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256.
ISM-1771  AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.
ISM-1772  PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, p
ISM-1802  HACE are issued an Approval for Use by ASD and operated in accordance with the latest vers
ISM-1917  The development and procurement of new cryptographic equipment, applications and libraries
ISM-1990  When using ML-DSA and ML-KEM, as per FIPS 204 and FIPS 203 respectively, adherence to pre-
ISM-1991  When using ML-DSA for digital signatures, ML-DSA-65 or ML-DSA-87 is used, preferably ML-DS
ISM-1992  When using ML-DSA for digital signatures, the hedged variant is used whenever possible.
ISM-1993  Pre-hashed variants of ML-DSA-65 and ML-DSA-87 are only used when the performance of defau
ISM-1994  When the pre-hashed variants of ML-DSA-65 and ML-DSA-87 are used, at least SHA-384 and SHA
ISM-1995  When using ML-KEM for encapsulating encryption session keys (and similar keys), ML-KEM-768
ISM-1996  When a post-quantum traditional hybrid scheme is used, either the post-quantum cryptograph
ISM-2073  A post-quantum cryptography transition plan is developed, implemented and maintained.
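
The TLS controls in this domain (ISM-1139, ISM-1369, ISM-1370, ISM-1372, ISM-1373, ISM-1375, ISM-1448, ISM-1453 and ISM-1553) map directly onto an endpoint's protocol list, cipher suites and feature flags, so they can be checked mechanically. The script below is an added example written for this companion page; it is not ASD tooling, not part of the ISM, and not a complete assessment. It encodes only the control text shown above, reads cipher suites as IANA names, and assumes TLS 1.3 is the current latest version for ISM-1139. The configuration dictionary layout and the weak and hardened sample configurations are constructed for the demonstration.

```python
"""Check a TLS endpoint configuration against the ISM TLS controls listed
above: ISM-1139 (latest TLS only), ISM-1369 (AES-GCM), ISM-1370 (only
server-initiated renegotiation), ISM-1372/1448/1453 (DH or ECDH, ephemeral,
PFS), ISM-1373 (no anonymous DH), ISM-1375 (SHA-2 HMAC/PRF), ISM-1553 (no
compression).

Added example for this page, not ASD tooling and not a full ISM assessment:
it encodes only the control text visible on the page. Cipher suites are
IANA names; the config layout and both sample configs are constructed.
"""
from __future__ import annotations

LATEST_TLS = "TLSv1.3"  # assumption: latest TLS version at time of writing
SHA2_HASHES = {"SHA256", "SHA384", "SHA512"}


def check_suite(name: str) -> list[tuple[str, str]]:
    """Return (control, reason) findings for one IANA cipher-suite name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name}")
    findings: list[tuple[str, str]] = []

    if "_WITH_" in name:
        # TLS 1.2 form: TLS_<key exchange>_<authentication>_WITH_<cipher>_<hash>
        kx_part, body = name.split("_WITH_", 1)
        kx_tokens = set(kx_part[len("TLS_"):].split("_"))
    else:
        # TLS 1.3 form: TLS_<cipher>_<hash>. TLS 1.3 offers only ephemeral
        # (EC)DHE key exchange, so the key-establishment controls cannot fail.
        kx_tokens = None
        body = name[len("TLS_"):]
    cipher, hash_name = body.rsplit("_", 1)

    if kx_tokens is not None:
        if "anon" in kx_tokens:
            findings.append(("ISM-1373", f"{name}: anonymous DH"))
        elif not kx_tokens & {"DHE", "ECDHE"}:
            if kx_tokens & {"DH", "ECDH"}:
                # Static (EC)DH: DH-based, but not ephemeral and no forward secrecy
                findings.append(("ISM-1448", f"{name}: static (EC)DH, not ephemeral"))
            else:
                # RSA key transport, PSK and similar: no DH or ECDH at all
                findings.append(("ISM-1372", f"{name}: key establishment is not DH or ECDH"))
            findings.append(("ISM-1453", f"{name}: no perfect forward secrecy"))

    if not ("AES" in cipher and cipher.endswith("GCM")):
        findings.append(("ISM-1369", f"{name}: bulk cipher {cipher} is not AES-GCM"))
    if hash_name not in SHA2_HASHES:
        findings.append(("ISM-1375", f"{name}: HMAC/PRF hash {hash_name} is not SHA-2"))
    return findings


def assess_tls_config(config: dict) -> list[tuple[str, str]]:
    """Evaluate a whole endpoint. Keys (constructed schema): protocols,
    cipher_suites, compression, client_initiated_renegotiation."""
    findings: list[tuple[str, str]] = []
    for proto in config.get("protocols", []):
        if proto != LATEST_TLS:
            findings.append(("ISM-1139", f"{proto} enabled; only {LATEST_TLS} is permitted"))
    if config.get("compression", False):
        findings.append(("ISM-1553", "TLS compression is enabled"))
    if config.get("client_initiated_renegotiation", False):
        findings.append(("ISM-1370", "client-initiated renegotiation is allowed"))
    for suite in config.get("cipher_suites", []):
        findings.extend(check_suite(suite))
    return findings


def failed_tls_controls(config: dict) -> set[str]:
    """Distinct control identifiers the configuration fails."""
    return {control for control, _ in assess_tls_config(config)}


# Constructed sample configurations: a typical legacy setup and a hardened one.
WEAK_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
    ],
    "compression": True,
    "client_initiated_renegotiation": True,
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.3"],
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
    "compression": False,
    "client_initiated_renegotiation": False,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {sorted(failed_tls_controls(cfg)) or 'no findings'}")
        for control, reason in assess_tls_config(cfg):
            print(f"  {control}: {reason}")
```

Run as a script, the weak configuration fails every control listed in the docstring while the hardened one returns no findings. Two design choices are worth noting. A static (EC)DH suite (ECDH without the trailing E) is reported under ISM-1448 and ISM-1453 rather than ISM-1372, because key establishment is still ECDH, just not ephemeral; an anonymous suite stops at ISM-1373 since there is no authentication to assess further. TLS 1.3 suite names carry no key-exchange part because the protocol only negotiates ephemeral (EC)DHE, so for those the script checks only the AEAD cipher and the hash, which is why a CHACHA20-POLY1305 suite is flagged under ISM-1369 even though it is otherwise modern.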

Guidelines for cyber security documentation

11 controls
Code      Title
ISM-0039  A cyber security strategy is developed, implemented and maintained.
ISM-0041  Systems have a system security plan that includes an overview of the system (covering the
ISM-0043  Systems have a cyber security incident response plan that covers the following: - guidelin
ISM-0047  Organisational-level cyber security documentation is approved by the chief information sec
ISM-0888  Cyber security documentation is reviewed at least annually and includes a 'current as at
ISM-0912  Systems have a change and configuration management plan that includes: - the establishment
ISM-1163  Systems have a continuous monitoring plan that includes: - conducting vulnerability scans
ISM-1563  At the conclusion of a security assessment for a system, a security assessment report is p
ISM-1564  At the conclusion of a security assessment for a system, a plan of action and milestones i
ISM-1602  Cyber security documentation, including notification of subsequent changes, is communicate
ISM-1739  A system's security architecture is approved prior to the development of the system.

Guidelines for cyber security incidents

22 controls
Code      Title
ISM-0120  Cyber security personnel have access to sufficient data sources and tools to ensure that s
ISM-0123  Cyber security incidents are reported to the chief information security officer, or one of
ISM-0125  A cyber security incident register is developed, implemented and maintained.
ISM-0133  When a data spill occurs, data owners are advised and access to the data is restricted.
ISM-0137  Legal advice is sought before allowing intrusion activity to continue on a system for the
ISM-0138  The integrity of evidence gathered during an investigation is maintained by investigators:
ISM-0140  Cyber security incidents are reported to ASD as soon as possible after they occur or are d
ISM-0576  A cyber security incident management policy, and associated cyber security incident respon
ISM-0917  When malicious code is detected, the following steps are taken to handle the infection: -
ISM-1213  Following intrusion remediation activities, full network traffic is captured for at least
ISM-1609  System owners are consulted before allowing intrusion activity to continue on a system for
ISM-1625  An insider threat mitigation program is developed, implemented and maintained.
ISM-1626  Legal advice is sought regarding the development and implementation of an insider threat m
ISM-1731  Planning and coordination of intrusion remediation activities are conducted on a separate
ISM-1732  To the extent possible, all intrusion remediation activities are conducted in a coordinate
ISM-1784  The cyber security incident management policy, including the associated cyber security inc
ISM-1803  A cyber security incident register contains the following for each cyber security incident
ISM-1819  Following the identification of a cyber security incident, the cyber security incident res
ISM-1880  Cyber security incidents that involve customer data are reported to customers and the publ
ISM-1881  Cyber security incidents that do not involve customer data are reported to customers and t
ISM-1969  Malicious code, when stored or communicated, is treated beforehand to prevent accidental e
ISM-1970  Malicious code processed for cyber security incident response or research purposes is done

Guidelines for cyber security roles

42 controls
Code      Title
ISM-0009  System owners, in consultation with each system's authorising officer, identify any supple
ISM-0027  System owners obtain an authorisation to operate for each non-classified, OFFICIAL: Sensit
ISM-0714  A CISO is appointed to provide cyber security leadership and guidance for their organisati
ISM-0717  The CISO oversees the management of cyber security personnel within their organisation.
ISM-0718  The CISO regularly reports directly to their organisation's board of directors or executiv
ISM-0720  The CISO oversees the development, implementation and maintenance of a cyber security comm
ISM-0724  The CISO implements cyber security measurement metrics and key performance indicators for
ISM-0725  The CISO coordinates cyber security and business alignment through a cyber security steeri
ISM-0726  The CISO coordinates security risk management activities between cyber security and busine
ISM-0731  The CISO oversees cyber supply chain risk management activities for their organisation.
ISM-0732  The CISO receives and manages a dedicated cyber security budget for their organisation.
ISM-0733  The CISO is fully aware of all cyber security incidents within their organisation.
ISM-0734  The CISO contributes to the development, implementation and maintenance of business contin
ISM-0735  The CISO oversees the development, implementation and maintenance of their organisation's
ISM-1071  Each system has a designated system owner.
ISM-1203  System owners, in consultation with each system's authorising officer, conduct a threat an
ISM-1478  The CISO oversees their organisation's cyber security program and ensures their organisati
ISM-1525  System owners register each system with its authorising officer.
ISM-1526  System owners continuously monitor the security of each system, and manage associated cybe
ISM-1587  System owners report the security status of each system to its authorising officer at leas
ISM-1617  The CISO regularly reviews and updates their organisation's cyber security program to ensu
ISM-1618  The CISO oversees their organisation's response to cyber security incidents.
ISM-1633  System owners, in consultation with each system's authorising officer, determine the syste
ISM-1634  System owners, in consultation with each system's authorising officer, select controls for
ISM-1635  System owners implement controls for each system and its operating environment.
ISM-1636  System owners, in consultation with each system's authorising officer, ensure controls for
ISM-1918  The CISO regularly reports directly to their organisation's audit, risk and compliance com
ISM-1966  The CISO develops, implements, maintains and verifies on a regular basis a register of sys
ISM-1967  System owners, in consultation with each system's authorising officer, ensure controls for
ISM-1968  System owners obtain an authorisation to operate for each TOP SECRET system, including for
ISM-1997  The board of directors or executive committee defines clear roles and responsibilities for
ISM-1998  The board of directors or executive committee ensures that cyber security is integrated th
ISM-1999  The board of directors or executive committee ensures the cyber security strategy for thei
ISM-2000  The board of directors or executive committee seeks regular briefings or reporting on the
ISM-2001  The board of directors or executive committee champions a positive cyber security culture
ISM-2002  The board of directors or executive committee maintains a sufficient level of cyber securi
ISM-2003  The board of directors or executive committee maintains awareness of key cyber security re
ISM-2004  The board of directors or executive committee supports the development of cyber security s
ISM-2005  The board of directors or executive committee understands the business criticality of thei
ISM-2006  The board of directors or executive committee plans for major cyber security incidents, in
ISM-2020  The CISO ensures sufficient cyber security personnel, with the right skills and experience
ISM-2021  System owners implement and maintain data minimisation practices for each of their systems

Guidelines for data transfers

14 controls
Code      Title
ISM-0657  When manually importing data to systems, the data is scanned for malicious and active cont
ISM-0660  Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly.
ISM-0661  Users transferring data to and from systems are held accountable for data transfers they p
ISM-0663  Data transfer processes, and supporting data transfer procedures, are developed, implement
ISM-0664  Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustwort
ISM-0665  Trustworthy sources for SECRET and TOP SECRET systems are limited to people and services t
ISM-0669  When manually exporting data from SECRET and TOP SECRET systems, digital signatures are va
ISM-0675  Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a tru
ISM-1187  When manually exporting data from systems, the data is checked for unsuitable protective m
ISM-1294  Data transfer logs for systems are partially verified at least monthly.
ISM-1535  Processes, and supporting procedures, are developed, implemented and maintained to prevent
ISM-1586  Data transfer logs are used to record all data imports and exports from systems.
ISM-1778  When manually importing data to systems, all data that fails security checks is quarantine
ISM-1779  When manually exporting data from systems, all data that fails security checks is quaranti

Guidelines for database systems

13 controls
Code      Title
ISM-0393  Databases and their contents are classified based on the sensitivity or classification of
ISM-1243  A database register is developed, implemented, maintained and verified on a regular basis.
ISM-1255  Database users' ability to access, insert, modify and remove database contents is restrict
ISM-1256  File-based access controls are applied to database files.
ISM-1268  The need-to-know principle is enforced for database contents through the application of mi
ISM-1269  Database servers and web servers are functionally separated.
ISM-1270  Database servers are placed on a different network segment to user workstations.
ISM-1271  Network access controls are implemented to restrict database server communications to stri
ISM-1272  If only local access to a database is required, networking functionality of database manag
ISM-1273  Database servers for development, testing, staging and production environments are segrega
ISM-1274  Database contents from production environments are not used in non-production environments
ISM-1277  Data communicated between database servers and web servers is encrypted.
ISM-1537  Security-relevant events for databases are centrally logged, including: - access or modifi

Guidelines for email

26 controls
Code      Title
ISM-0264  An email usage policy is developed, implemented and maintained.
ISM-0267  Access to non-approved webmail services is blocked.
ISM-0269  Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To
ISM-0270  Protective markings are applied to emails and reflect the highest sensitivity or classific
ISM-0271  Protective marking tools do not automatically insert protective markings into emails.
ISM-0272  Protective marking tools do not allow users to select protective markings that a system ha
ISM-0565  Email servers are configured to block, log and report emails with inappropriate protective
ISM-0567  Email servers only relay emails destined for or originating from their domains (including
ISM-0569  Emails are routed via centralised email gateways.
ISM-0570  Where backup or alternative email gateways are in place, they are maintained at the same s
ISM-0571  When users send or receive emails, an authenticated and encrypted channel is used to route
ISM-0572  Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing em
ISM-0574  SPF is used to specify authorised email servers (or lack thereof) for an organisation's do
ISM-0861  DKIM signing is enabled on emails originating from an organisation's domains (including su
ISM-1023  The intended recipients of blocked inbound emails, and the senders of blocked outbound ema
ISM-1024  Notifications of undeliverable emails are only sent to senders that can be verified via SP
ISM-1026  DKIM signatures on incoming emails are verified.
ISM-1027  Email distribution list applications used by external senders is configured such that it d
ISM-1089  Protective marking tools do not allow users replying to or forwarding emails to select pro
ISM-1151  SPF is used to verify the authenticity of incoming emails.
ISM-1183  A hard fail SPF record is used when specifying authorised email servers (or lack thereof)
ISM-1234  Email content filtering is implemented to filter potentially harmful content in email bodi
ISM-1502  Emails arriving via an external connection where the email source address uses an internal
ISM-1540  DMARC records are configured for an organisation's domains (including subdomains) such tha
ISM-1589  MTA-STS is enabled to prevent the unencrypted transfer of emails between email servers.
ISM-1799  Incoming emails are rejected if they do not pass DMARC checks.
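
The email authentication controls in this domain (ISM-0574 and ISM-1183 for SPF, ISM-0861 for DKIM, ISM-1540 and ISM-1799 for DMARC, ISM-1589 for MTA-STS) all leave a footprint in a domain's public DNS, so a first-pass conformance check needs nothing more than TXT lookups. The script below is an added example written for this companion page, not ASD tooling. It resolves against a constructed in-memory record table so it runs offline (replace `lookup_txt` with a real resolver in practice); the domains, the selector name `s1` and every record value are invented, and the DKIM `p=` value is placeholder bytes rather than a key. It checks only what DNS can show: a published DKIM key record is a prerequisite for ISM-0861, not proof that outbound mail is signed, and the MTA-STS TXT record shows the mechanism is advertised while the enforce/testing mode lives in the HTTPS-hosted policy file, which the script does not fetch.

```python
"""Offline check of a domain's email authentication DNS records against the
ISM email controls listed above: ISM-0574 and ISM-1183 (SPF present, hard
fail), ISM-0861 (DKIM key published), ISM-1540 (DMARC rejects failing mail,
domains and subdomains), ISM-1589 (MTA-STS advertised).

Added example for this page, not ASD tooling. RECORDS is a constructed TXT
table standing in for DNS so the script runs offline.
"""
from __future__ import annotations

# Constructed TXT records for two fictional domains (example.com and
# example.net are reserved names). The DKIM p= value is placeholder bytes.
RECORDS: dict[str, list[str]] = {
    "example.com": ["v=spf1 include:_spf.example.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"],
    "_mta-sts.example.com": ["v=STSv1; id=20260301T000000"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=Zm9v"],
    "example.net": ["v=spf1 include:mail.example.net ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
}


def lookup_txt(name: str, records: dict[str, list[str]] = RECORDS) -> list[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver in practice."""
    return records.get(name.lower(), [])


def parse_tags(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' records (DMARC, DKIM key, MTA-STS TXT)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str, records=RECORDS) -> list[tuple[str, str]]:
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("ISM-0574", f"{domain}: no SPF record")]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permerror, so nothing is authorised
        return [("ISM-0574", f"{domain}: {len(spf)} SPF records (permerror)")]
    terms = spf[0].split()[1:]
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        # Without an 'all' mechanism (or via a redirect= we cannot follow offline)
        # RFC 7208 evaluates unmatched senders as neutral, not fail
        return [("ISM-1183", f"{domain}: SPF has no 'all' mechanism; unmatched senders are neutral")]
    if alls[-1].lower() != "-all":
        return [("ISM-1183", f"{domain}: SPF ends in '{alls[-1]}', not hard fail '-all'")]
    return []


def check_dmarc(domain: str, records=RECORDS) -> list[tuple[str, str]]:
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("ISM-1540", f"{domain}: no DMARC record")]
    tags = parse_tags(recs[0])
    findings: list[tuple[str, str]] = []
    if tags.get("p", "").lower() != "reject":
        findings.append(("ISM-1540", f"{domain}: p={tags.get('p', '<missing>')}; failing mail is not rejected"))
    if "sp" in tags and tags["sp"].lower() != "reject":
        # sp defaults to p, so only an explicit weaker subdomain policy is a separate finding
        findings.append(("ISM-1540", f"{domain}: subdomain policy sp={tags['sp']} is not reject"))
    if tags.get("pct", "100") != "100":
        findings.append(("ISM-1540", f"{domain}: pct={tags['pct']} applies the policy to only part of the mail"))
    return findings


def check_mta_sts(domain: str, records=RECORDS) -> list[tuple[str, str]]:
    recs = [r for r in lookup_txt(f"_mta-sts.{domain}", records) if r.lower().startswith("v=stsv1")]
    if not recs or not parse_tags(recs[0]).get("id"):
        return [("ISM-1589", f"{domain}: no MTA-STS TXT record with an id at _mta-sts.{domain}")]
    # The policy mode (enforce/testing) is in the HTTPS-hosted policy file, not checked offline.
    return []


def check_dkim(domain: str, selectors, records=RECORDS) -> list[tuple[str, str]]:
    findings: list[tuple[str, str]] = []
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        recs = lookup_txt(name, records)
        # An empty p= is a revoked key, so it is treated like a missing record
        if not recs or not parse_tags(recs[0]).get("p"):
            findings.append(("ISM-0861", f"{domain}: no usable DKIM public key at {name}"))
    return findings


def assess_domain(domain: str, selectors=("s1",), records=RECORDS) -> list[tuple[str, str]]:
    return (check_spf(domain, records) + check_dkim(domain, selectors, records)
            + check_dmarc(domain, records) + check_mta_sts(domain, records))


def failed_email_controls(domain: str, selectors=("s1",), records=RECORDS) -> set[str]:
    return {control for control, _ in assess_domain(domain, selectors, records)}


if __name__ == "__main__":
    for domain in ("example.com", "example.net"):
        print(f"{domain}: {sorted(failed_email_controls(domain)) or 'no findings'}")
        for control, reason in assess_domain(domain):
            print(f"  {control}: {reason}")
```

With the constructed records, example.com passes everything and example.net fails ISM-1183 (softfail `~all`), ISM-1540 (`p=none`), ISM-1589 (no MTA-STS record) and ISM-0861 (no key under the selector). Two details matter in practice: an SPF record with no `all` mechanism is not a hard fail even though it never says `+all`, because RFC 7208 evaluates unmatched senders as neutral; and a DMARC record with `p=reject; pct=50` still fails ISM-1540 because half the failing mail is handed the next lower disposition instead of being rejected.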

Guidelines for enterprise mobility

50 controls
Code      Title
ISM-0240  Paging, Multimedia Message Service, Short Message Service and messaging apps are not used
ISM-0682  Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.
ISM-0687  Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that
ISM-0694  Privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET s
ISM-0701  Mobile device emergency sanitisation processes, and supporting mobile device emergency san
ISM-0702  If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SE
ISM-0705  When accessing an organisation's network via a VPN connection, split tunnelling is disable
ISM-0863  Mobile devices prevent personnel from installing non-approved applications once provisione
ISM-0864  Mobile devices prevent personnel from disabling or modifying security functionality once p
ISM-0866  Sensitive or classified data is not viewed on mobile devices in public locations unless ca
ISM-0869  Mobile devices encrypt their internal storage and any removable media.
ISM-0870  Mobile devices are carried or stored in a secured state when not being actively used.
ISM-0871  Mobile devices are kept under continual direct supervision when being actively used.
ISM-0874  Mobile devices and desktop computers access the internet via an organisation's internet ga
ISM-1082  A mobile device usage policy is developed, implemented and maintained.
ISM-1083  Personnel are advised of the sensitivity or classification permitted for voice and data co
ISM-1084  If unable to carry or store mobile devices in a secured state, they are physically transfe
ISM-1085  Mobile devices encrypt all sensitive or classified data communicated over public network i
ISM-1088  Personnel report the potential compromise of mobile devices, removable media or credential
ISM-1145  Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.
ISM-1195  Mobile Device Management solutions that have completed a Common Criteria evaluation agains
ISM-1196  Non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain
ISM-1198  Bluetooth pairing for non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices is
ISM-1199  Bluetooth pairings for non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices ar
ISM-1200  Bluetooth pairing for non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices is
ISM-1297  Legal advice is sought prior to allowing privately-owned mobile devices and desktop comput
ISM-1298  Personnel are advised of privacy and security risks when travelling overseas with mobile d
ISM-1299  Personnel are advised to take the following precautions when using mobile devices: - never
ISM-1300  Upon returning from travelling overseas with mobile devices, personnel take the following
ISM-1366  Security updates are applied to mobile devices as soon as they become available.
ISM-1400  Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Se
ISM-1482  Personnel using organisation-owned mobile devices or desktop computers to access classifie
ISM-1533  A mobile device management policy is developed, implemented and maintained.
ISM-1554  If travelling overseas with mobile devices to high or extreme risk countries, personnel ar
ISM-1555  Before travelling overseas with mobile devices, personnel take the following actions: - re
ISM-1556  If returning from travelling overseas with mobile devices to high or extreme risk countrie
ISM-1644  Sensitive or classified phone calls and conversations are not conducted in public location
ISM-1866  Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Se
ISM-1867  Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile pla
ISM-1868  SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand
ISM-1886  Mobile devices are configured to operate in a supervised (or equivalent) mode.
ISM-1887  Mobile devices are configured with remote locate and wipe functionality.
ISM-1888  Mobile devices are configured with secure password-based lock screens.
ISM-2095  Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Se
ISM-2096  Mobile devices are configured to enforce separation between organisational and personal mo
ISM-2097  Mobile devices are configured with always on VPN functionality.
ISM-2098  Mobile devices are configured to prevent data transfers over Universal Serial Bus connecti
ISM-2099  Mobile devices are not connected to the infotainment systems of connected vehicles.
ISM-2100  Sensitive or classified data is not viewed on mobile devices within or near connected vehi
ISM-2101  Sensitive or classified phone calls and conversations are not conducted within or near con

Guidelines for evaluated products

5 controls

Code      Title
ISM-0280  If procuring an evaluated product, a product that has completed a PP-based evaluation, inc
ISM-0285  Evaluated products are delivered in a manner consistent with any delivery procedures defin
ISM-0286  When procuring high assurance information technology (IT) equipment, ASD is contacted for
ISM-0289  Evaluated products are installed, configured, administered and operated in an evaluated co
ISM-0290  High assurance IT equipment is installed, configured, administered and operated in an eval

Guidelines for gateways

63 controls

Code      Title
ISM-0100  Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET gateways undergo an IRAP assessm
ISM-0260  All web access, including that by internal servers, is conducted through web proxies.
ISM-0261  The following details are centrally logged for websites accessed via web proxies: - web ad
ISM-0263  TLS traffic communicated through gateways is decrypted and inspected.
ISM-0591  Evaluated peripheral switches are used when sharing peripherals between systems.
ISM-0597  When planning, designing, implementing or introducing additional connectivity to CDSs, ASD
ISM-0610  Users are trained on the secure use of CDSs before access is granted.
ISM-0611  System administrators for gateways are assigned the minimum privileges required to perform
ISM-0612  System administrators for gateways are formally trained on the operation and management of
ISM-0613  System administrators for gateways that connect to Australian Eyes Only or Releasable To n
ISM-0616  Separation of duties is implemented in performing administrative activities for gateways.
ISM-0619  Users authenticate to other networks accessed via gateways.
ISM-0622  IT equipment authenticates to other networks accessed via gateways.
ISM-0626  CDSs are implemented between SECRET or TOP SECRET networks and any other networks belongin
ISM-0628  Gateways are implemented between networks belonging to different security domains.
ISM-0629  For gateways between networks belonging to different security domains, any shared componen
ISM-0631  Gateways only allow explicitly authorised data flows.
ISM-0634  Security-relevant events for gateways are centrally logged, including: - data packets and
ISM-0635  CDSs implement isolated upward and downward network paths.
ISM-0637  Gateways implement a demilitarised zone if external parties require access to an organisat
ISM-0639  Evaluated firewalls are used between networks belonging to different security domains.
ISM-0643  Evaluated diodes are used for controlling the data flow of unidirectional gateways between
ISM-0645  Evaluated diodes used for controlling the data flow of unidirectional gateways between SEC
ISM-0649  Files imported or exported via gateways or CDSs are filtered for allowed file types.
ISM-0651  Files identified by content filtering checks as malicious, or that cannot be inspected, ar
ISM-0652  Files identified by content filtering checks as suspicious are quarantined until reviewed
ISM-0659  Files imported or exported via gateways or CDSs undergo content filtering checks.
ISM-0670  Security-relevant events for CDSs are centrally logged.
ISM-0677  Files imported or exported via gateways or CDSs that have a digital signature or cryptogra
ISM-0958  An organisation-approved list of domain names, or list of website categories, is implement
ISM-0961  Client-side active content is restricted by web content filters to an organisation-approve
ISM-0963  Web content filtering is implemented to filter potentially harmful web-based content.
ISM-1037  Gateways undergo testing following configuration changes, and at regular intervals no more
ISM-1157  Evaluated diodes are used for controlling the data flow of unidirectional gateways between
ISM-1158  Evaluated diodes used for controlling the data flow of unidirectional gateways between SEC
ISM-1171  Attempts to access websites through their IP addresses instead of their domain names are b
ISM-1192  Gateways inspect and filter data flows at the transport and above network layers.
ISM-1236  Malicious domain names, dynamic domain names and domain names that can be registered anony
ISM-1237  Web content filtering is applied to outbound web traffic where appropriate.
ISM-1284  Files imported or exported via gateways or CDSs undergo content validation.
ISM-1286  Files imported or exported via gateways or CDSs undergo content conversion.
ISM-1287  Files imported or exported via gateways or CDSs undergo content sanitisation.
ISM-1288  Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple
ISM-1289  Archive files imported or exported via gateways or CDSs are unpacked in order to undergo c
ISM-1290  Archive files are unpacked in a controlled manner to ensure content filter performance or
ISM-1293  Encrypted files imported or exported via gateways or CDSs are decrypted in order to underg
ISM-1389  Executable files imported via gateways or CDSs are automatically executed in a sandbox to
ISM-1427  Gateways perform ingress traffic filtering to detect and prevent IP source address spoofin
ISM-1457  Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET s
ISM-1480  Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET sy
ISM-1520  System administrators for gateways undergo appropriate employment screening, and where nec
ISM-1521  CDSs implement protocol breaks at each network layer.
ISM-1522  CDSs implement independent security-enforcing functions for upward and downward network pa
ISM-1523  A sample of security-relevant events relating to data transfer policies are taken at least
ISM-1524  Content filters used by CDSs undergo rigorous security testing to ensure they perform as e
ISM-1528  Evaluated firewalls are used between an organisation's networks and public network infrast
ISM-1773  System administrators for gateways that connect to Australian Government Access Only netwo
ISM-1774  Gateways are managed via a secure path isolated from all connected networks.
ISM-1783  Public IP addresses controlled by, or used by, an organisation are signed by valid ROA rec
ISM-1862  If using a WAF, disclosing the IP addresses of web servers under an organisation's control
ISM-1965  Files imported or exported via gateways or CDSs undergo content checking.
ISM-2018  Routes for RPKI-registered IP addresses that are advertised from invalid Autonomous System
ISM-2019  TOP SECRET gateways undergo a security assessment by ASD assessors (or their delegates), u

Guidelines for information technology equipment

35 controls

Code      Title
ISM-0293  IT equipment is classified based on the highest sensitivity or classification of data that
ISM-0294  IT equipment, with the exception of high assurance IT equipment, is labelled with protecti
ISM-0296  ASD's approval is sought before applying labels to external surfaces of high assurance IT
ISM-0305  Maintenance and repairs of IT equipment is carried out on site by an appropriately cleared
ISM-0306  If an appropriately cleared technician is not used to undertake maintenance or repairs of
ISM-0307  If an appropriately cleared technician is not used to undertake maintenance or repairs of
ISM-0310  IT equipment maintained or repaired off site is done so at facilities approved for handlin
ISM-0311  IT equipment containing media is sanitised by removing the media from the IT equipment or
ISM-0312  IT equipment, including associated media, that is located overseas and has processed, stor
ISM-0313  IT equipment sanitisation processes, and supporting IT equipment sanitisation procedures,
ISM-0315  High assurance IT equipment is destroyed prior to its disposal.
ISM-0316  Following sanitisation, destruction or declassification, a formal administrative decision
ISM-0317  At least three pages of random text with no blank areas are printed on each colour printer
ISM-0318  When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per e
ISM-0321  When disposing of IT equipment that has been designed or modified to meet emanation securi
ISM-0336  A networked IT equipment register is developed, implemented, maintained and verified on a
ISM-1076  Televisions and computer monitors with minor burn-in or image persistence are sanitised by
ISM-1079  ASD's approval is sought before undertaking any maintenance or repairs to high assurance I
ISM-1217  Labels and markings indicating the owner, sensitivity, classification or any other marking
ISM-1218  IT equipment, including associated media, that is located overseas and has processed, stor
ISM-1219  MFD print drums and image transfer rollers are inspected and destroyed if there is remnant
ISM-1220  Printer and MFD platens are inspected and destroyed if any text or images are retained on
ISM-1221  Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a pa
ISM-1222  Televisions and computer monitors that cannot be sanitised are destroyed.
ISM-1223  Memory in network devices is sanitised using the following processes, in order of preferen
ISM-1534  Printer ribbons in printers and MFDs are removed and destroyed.
ISM-1550  IT equipment disposal processes, and supporting IT equipment disposal procedures, are deve
ISM-1551  An IT equipment management policy is developed, implemented and maintained.
ISM-1598  Following maintenance or repair activities for IT equipment, the IT equipment is inspected
ISM-1599  IT equipment is handled in a manner suitable for its sensitivity or classification.
ISM-1741  IT equipment destruction processes, and supporting IT equipment destruction procedures, ar
ISM-1742  IT equipment that cannot be sanitised is destroyed.
ISM-1858  IT equipment is hardened using ASD and vendor hardening guidance, with the most restrictiv
ISM-1869  A non-networked IT equipment register is developed, implemented, maintained and verified o
ISM-1913  Approved configurations for IT equipment are developed, implemented and maintained.

Guidelines for media

54 controls

Code      Title
ISM-0323  Media is classified to the highest sensitivity or classification of data it stores, unless
ISM-0325  Any media connected to a system with a higher sensitivity or classification than the media
ISM-0330  Before reclassifying media to a lower sensitivity or classification, the media is sanitise
ISM-0332  Media, with the exception of internally mounted fixed media within information technology
ISM-0337  Media is only used with systems that are authorised to process, store or communicate its s
ISM-0347  When transferring data manually between two systems belonging to different security domain
ISM-0348  Media sanitisation processes, and supporting media sanitisation procedures, are developed,
ISM-0350  The following media types are destroyed prior to their disposal: - microfiche and microfil
ISM-0351  Volatile media is sanitised by removing its power for at least 10 minutes.
ISM-0352  SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its e
ISM-0354  Non-volatile magnetic media is sanitised by overwriting it at least once (or three times i
ISM-0356  Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its clas
ISM-0357  Non-volatile EPROM media is sanitised by applying three times the manufacturer's specified
ISM-0358  Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains
ISM-0359  Non-volatile flash memory media is sanitised by overwriting it at least twice in its entir
ISM-0360  Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its
ISM-0361  Magnetic media is destroyed using a degausser with a suitable magnetic field strength and
ISM-0362  Product-specific directions provided by degausser manufacturers are followed.
ISM-0363  Media destruction processes, and supporting media destruction procedures, are developed, i
ISM-0368  Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting results i
ISM-0370  The destruction of media is performed under the supervision of at least one cleared person
ISM-0371  Personnel supervising the destruction of media supervise its handling to the point of dest
ISM-0372  The destruction of media storing accountable material is performed under the supervision o
ISM-0373  Personnel supervising the destruction of media storing accountable material supervise its
ISM-0374  Media disposal processes, and supporting media disposal procedures, are developed, impleme
ISM-0375  Following sanitisation, destruction or declassification, a formal administrative decision
ISM-0378  Labels and markings indicating the owner, sensitivity, classification or any other marking
ISM-0831  Media is handled in a manner suitable for its sensitivity or classification.
ISM-0835  Following sanitisation, TOP SECRET volatile media retains its classification if it stored
ISM-0836  Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety wit
ISM-0839  The destruction of media storing accountable material is not outsourced.
ISM-0840  When outsourcing the destruction of media storing non-accountable material, a National Ass
ISM-0947  When transferring data manually between two systems belonging to different security domain
ISM-1059  All data stored on media is encrypted.
ISM-1065  The host-protected area and device configuration overlay table are reset prior to the sani
ISM-1067  The ATA secure erase command is used, in addition to block overwriting software, to ensure
ISM-1160  If using degaussers to destroy media, degaussers evaluated by the United States' National
ISM-1359  A removable media usage policy is developed, implemented and maintained.
ISM-1361  Security Construction and Equipment Committee-approved equipment or ASIO-approved equipmen
ISM-1517  Equipment that is capable of reducing microform to a fine powder, with resultant particles
ISM-1549  A media management policy is developed, implemented and maintained.
ISM-1600  Media is sanitised before it is used for the first time.
ISM-1641  Following the use of a degausser, magnetic media is physically damaged by deforming any in
ISM-1642  Media is sanitised before it is reused in a different security domain.
ISM-1713  A removable media register is developed, implemented, maintained and verified on a regular
ISM-1722  Electrostatic memory devices are destroyed using a furnace/incinerator, hammer mill, disin
ISM-1723  Magnetic floppy disks are destroyed using a furnace/incinerator, hammer mill, disintegrato
ISM-1724  Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator,
ISM-1725  Magnetic tapes are destroyed using a furnace/incinerator, hammer mill, disintegrator, dega
ISM-1726  Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grind
ISM-1727  Semiconductor memory is destroyed using a furnace/incinerator, hammer mill or disintegrato
ISM-1728  The resulting media waste particles from the destruction of SECRET media is stored and han
ISM-1729  The resulting media waste particles from the destruction of TOP SECRET media is stored and
ISM-1735  Media that cannot be successfully sanitised is destroyed prior to its disposal.

Guidelines for networking

71 controls

Code      Title
ISM-0385  Servers maintain effective functional separation with other servers allowing them to opera
ISM-0516  Network documentation includes high-level network diagrams showing all connections into ne
ISM-0518  Network documentation is developed, implemented and maintained.
ISM-0520  Network access controls are implemented on networks to prevent the connection of unauthori
ISM-0521  IPv6 functionality is disabled in dual-stack network devices unless it is being used.
ISM-0529  VLANs are not used to separate network traffic between networks belonging to different sec
ISM-0530  Network devices managing VLANs are administered from the most trusted security domain.
ISM-0534  Unused physical ports on network devices are disabled.
ISM-0535  Network devices managing VLANs belonging to different security domains do not share VLAN t
ISM-0536  Public wireless networks provided for general public use are segregated from all other org
ISM-1006  Security measures are implemented to prevent unauthorised access to network management tra
ISM-1013  The effective range of wireless communications outside an organisation's area of control i
ISM-1028  A NIDS or NIPS is deployed in gateways between an organisation's networks and other networ
ISM-1030  A NIDS or NIPS is located immediately inside the outermost firewall for gateways and confi
ISM-1178  Network documentation provided to a third party, or published in public tender documentati
ISM-1181  Networks are segregated into multiple network zones according to the criticality of server
ISM-1182  Network access controls are implemented to limit the flow of network traffic within and be
ISM-1186  IPv6 capable network security appliances are used on IPv6 and dual-stack networks.
ISM-1304  Default user accounts or credentials for network devices, including for any pre-configured
ISM-1311  SNMP version 1 and SNMP version 2 are not used on networks.
ISM-1312  All default SNMP community strings on network devices are changed and write access is disa
ISM-1314  All wireless devices are Wi-Fi Alliance certified.
ISM-1315  The administrative interface on wireless access points is disabled for wireless network co
ISM-1316  Default SSIDs of wireless access points are changed.
ISM-1317  SSIDs of non-public wireless networks are not readily associated with an organisation, the
ISM-1318  SSID broadcasting is not disabled on wireless access points.
ISM-1319  Static addressing is not used for assigning IP addresses on wireless networks.
ISM-1320  MAC address filtering is not used to restrict which devices can connect to wireless networ
ISM-1321  802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentic
ISM-1322  Evaluated supplicants, authenticators, wireless access points and authentication servers a
ISM-1323  Certificates are required for devices and users accessing wireless networks.
ISM-1324  Certificates are generated using an evaluated certificate authority or hardware security m
ISM-1327  Certificates are protected by logical and physical access controls, encryption, and user a
ISM-1330  The PMK caching period is not set to greater than 1440 minutes (24 hours).
ISM-1332  WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all w
ISM-1334  Wireless networks implement sufficient frequency separation from other wireless networks.
ISM-1335  Wireless access points enable the use of the 802.11w amendment to protect management frame
ISM-1338  Instead of deploying a small number of wireless access points that broadcast on high power
ISM-1364  Network devices managing VLANs terminate VLANs belonging to different security domains on
ISM-1428  Unless explicitly required, IPv6 tunnelling is disabled on all network devices.
ISM-1429  IPv6 tunnelling is blocked by network security appliances at externally-connected network
ISM-1430  Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protoco
ISM-1431  Denial-of-service attack mitigation strategies are discussed with cloud service providers,
ISM-1432  Domain names for online services are protected via registrar locking and confirming that d
ISM-1436  Critical online services are segregated from other online services that are more likely to
ISM-1437  Cloud service providers are used for hosting online services.
ISM-1438  Where a high availability requirement exists for website hosting, CDNs that cache websites
ISM-1439  If using CDNs, disclosing the IP addresses of web servers under an organisation's control
ISM-1454  Communications between authenticators and a RADIUS server are encapsulated with an additio
ISM-1479  Servers minimise communications with other servers at the network and file system level.
ISM-1532  VLANs are not used to separate network traffic between an organisation's networks and publ
ISM-1577  An organisation's networks are segregated from their service providers' networks.
ISM-1579  Cloud service providers' ability to dynamically scale resources in response to a genuine s
ISM-1580  Where a high availability requirement exists for online services, the services are archite
ISM-1581  Continuous real-time monitoring of the capacity and availability of online services is per
ISM-1627  Inbound network connections from anonymity networks are blocked.
ISM-1628  Outbound network connections to anonymity networks are blocked.
ISM-1710  Settings for wireless access points are hardened.
ISM-1711  User identity confidentiality is used if available with EAP-TLS implementations.
ISM-1712  The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications a
ISM-1781  All data communicated over network infrastructure is encrypted.
ISM-1782  A protective DNS service is used to block access to known malicious domain names.
ISM-1800  Network devices are flashed with trusted firmware before they are used for the first time.
ISM-1801  Network devices are restarted on at least a monthly basis.
ISM-1863  Networked management interfaces for IT equipment are not directly exposed to the internet.
ISM-1912  Network documentation includes device settings for all critical servers, high-value server
ISM-1962  SMB version 1 is not used on networks.
ISM-1963  Security-relevant events for internet-facing network devices are centrally logged.
ISM-1964  Security-relevant events for non-internet-facing network devices are centrally logged.
ISM-2017  DNS traffic is encrypted by clients and servers wherever supported.
ISM-2068  Internet connectivity for networked devices is strictly limited to those that require acce

Guidelines for personnel security

53 controls

Code      Title
ISM-0078  Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under
ISM-0252  Cyber security awareness training is undertaken annually by all personnel and covers: - th
ISM-0258  A web usage policy is developed, implemented and maintained.
ISM-0405  Requests for unprivileged access to systems and their resources are validated when first r
ISM-0407  A secure record is maintained for the life of systems and their resources that covers the
ISM-0409  Foreign nationals, including seconded foreign nationals, do not have access to systems tha
ISM-0411  Foreign nationals, excluding seconded foreign nationals, do not have access to systems tha
ISM-0414  Personnel granted access to systems and their resources are uniquely identifiable.
ISM-0415  The use of shared user accounts is strictly controlled, and personnel using such accounts
ISM-0420  Where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are fo
ISM-0430  Access to systems and their resources are removed or suspended the same day personnel no l
ISM-0432  Access requirements for systems and their resources are documented in their system securit
ISM-0434  Personnel undergo appropriate employment screening and, where necessary, hold an appropria
ISM-0435  Personnel receive any necessary briefings before being granted access to systems and their
ISM-0441  When personnel are granted temporary access to systems and their resources, effective cont
ISM-0443  Temporary access is not granted to systems that process, store or communicate caveated or
ISM-0445  Privileged users are assigned a dedicated privileged user account to be used solely for du
ISM-0446  Foreign nationals, including seconded foreign nationals, do not have privileged access to
ISM-0447  Foreign nationals, excluding seconded foreign nationals, do not have privileged access to
ISM-0817  Personnel are advised of what suspicious contact via online services is and how to report
ISM-0820  Personnel are advised to not post work information to unauthorised online services and to
ISM-0821  Personnel are advised of security risks associated with posting personal information to on
ISM-0824  Personnel are advised not to send or receive files via unauthorised online services.
ISM-0854  AUSTEO and AGAO data can only be accessed from systems under the sole control of the Austr
ISM-1146  Personnel are advised to maintain separate work and personal user accounts for online serv
ISM-1175  Privileged user accounts (excluding those explicitly authorised to access online services)
ISM-1263  Unique privileged user accounts are used for administering individual server applications.
ISM-1404  Unprivileged access to systems and their resources are disabled after 45 days of inactivit
ISM-1507  Requests for privileged access to systems and their resources are validated when first req
ISM-1508  Privileged access to systems and their resources is limited to only what is required for u
ISM-1509  Privileged access events are centrally logged.
ISM-1565  Tailored privileged user training is undertaken annually by all privileged users.
ISM-1566  Use of unprivileged access is centrally logged.
ISM-1583  Personnel who are contractors are identified as such.
ISM-1591  Access to systems and their resources are removed or suspended as soon as practicable when
ISM-1610  A method of emergency access to systems and their resources is documented and tested at le
ISM-1611  Break glass accounts are only used when normal authentication processes cannot be used.
ISM-1612  Break glass accounts are only used for specific authorised activities.
ISM-1613  Use of break glass accounts is centrally logged.
ISM-1614  Break glass account credentials are changed by the account custodian after they are access
ISM-1615  Break glass accounts are tested after credentials are changed.
ISM-1647  Privileged access to systems and their resources are disabled after 12 months unless reval
ISM-1648  Privileged access to systems and their resources are disabled after 45 days of inactivity.
ISM-1649  Just-in-time administration is used for the administration of systems and their resources.
ISM-1650  Privileged user account and security group management events are centrally logged.
ISM-1740  Personnel dealing with banking details and payment requests are advised of what business e
ISM-1852  Unprivileged access to systems and their resources is limited to only what is required for
ISM-1864  A system usage policy is developed, implemented and maintained.
ISM-1865  Personnel agree to abide by system usage policies before being granted access to systems a
ISM-1883  Privileged user accounts explicitly authorised to access online services are strictly limi
ISM-2022  A cyber security awareness training register is developed, implemented and maintained.
ISM-2071  Personnel dealing with user account details are advised of what social engineering attacks
ISM-2074  A general-purpose artificial intelligence usage policy is developed, implemented and maint

Guidelines for physical security

19 controls

Code      Title
ISM-0161  IT equipment and media are secured when not in use.
ISM-0164  Unauthorised people are prevented from observing systems, in particular workstation displa
ISM-0225  Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.
ISM-0810  Classified systems are secured in facilities that meet the requirements for a security zon
ISM-0813  Server rooms, communications rooms and security containers are not left in unsecured state
ISM-0829  Security measures are used to detect and respond to unauthorised RF devices in SECRET and
ISM-1053  Classified servers, network devices and cryptographic equipment are secured in server room
ISM-1074  Keys or equivalent access mechanisms to server rooms, communications rooms and security co
ISM-1296  Physical security is implemented to protect network devices in public areas from physical
ISM-1530  Classified servers, network devices and cryptographic equipment are secured in security co
ISM-1543  An authorised RF and IR device register for SECRET and TOP SECRET areas is developed, impl
ISM-1973  Non-classified systems are secured in suitably secure facilities.
ISM-1974  Non-classified servers, network devices and cryptographic equipment are secured in suitabl
ISM-1975  Non-classified servers, network devices and cryptographic equipment are secured in suitabl
ISM-2007  An authorised medical device register for SECRET and TOP SECRET areas is developed, implem
ISM-2008  Medical devices that are authorised to be brought into SECRET and TOP SECRET areas meet, a
ISM-2009  Unauthorised medical devices are not brought into SECRET and TOP SECRET areas.
ISM-2069  An authorised photographic and video recording device register for SECRET and TOP SECRET a
ISM-2070  Unauthorised photographic and video recording devices are not brought into SECRET and TOP

Guidelines for procurement and outsourcing

38 controls
Controls in the Guidelines for procurement and outsourcing domain of Australian Information Security Manual

Code      Title
ISM-0072  Security requirements associated with the confidentiality, integrity and availability of d
ISM-0141  The requirement for service providers to report cyber security incidents to a designated p
ISM-1073  An organisation's systems are not accessed or administered by a service provider unless a
ISM-1395  Service providers, including any subcontractors, provide an appropriate level of protectio
ISM-1451  Types of data and its ownership is documented in contractual arrangements with service pro
ISM-1452  A supply chain risk assessment is performed for suppliers of operating systems, applicatio
ISM-1529  Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud servi
ISM-1567  Suppliers identified as high risk by a cyber supply chain risk assessment are not used.
ISM-1568  Operating systems, applications, IT equipment, OT equipment and services are procured from
ISM-1569  A shared responsibility model is created, documented and shared between suppliers and thei
ISM-1570  Outsourced cloud service providers and their non-classified, OFFICIAL: Sensitive, PROTECTE
ISM-1571  The right to verify compliance with security requirements is documented in contractual arr
ISM-1572  The regions or availability zones where data will be processed, stored and communicated, a
ISM-1573  Access to all logs relating to an organisation's data and services is documented in contra
ISM-1574  The storage of data in a portable manner that allows for backups, service migration and se
ISM-1575  A minimum notification period of one month for the cessation of any services by a service
ISM-1576  If an organisation's systems are accessed or administered by a service provider in an unau
ISM-1631  Suppliers of operating systems, applications, IT equipment, OT equipment and services asso
ISM-1632  Operating systems, applications, IT equipment, OT equipment and services are procured from
ISM-1637  An outsourced cloud service register is developed, implemented, maintained and verified on
ISM-1638  An outsourced cloud service register contains the following for each outsourced cloud serv
ISM-1736  A managed service register is developed, implemented, maintained and verified on a regular
ISM-1737  A managed service register contains the following for each managed service: - managed serv
ISM-1738  The right to verify compliance with security requirements documented in contractual arrang
ISM-1785  A supplier relationship management policy is developed, implemented and maintained.
ISM-1786  An approved supplier list is developed, implemented and maintained.
ISM-1787  Operating systems, applications, IT equipment, OT equipment and services are sourced from
ISM-1788  Multiple potential suppliers are identified for sourcing critical operating systems, appli
ISM-1789  Sufficient spares of critical IT equipment and OT equipment are sourced and kept in reserv
ISM-1790  Operating systems, applications, IT equipment, OT equipment and services are delivered in
ISM-1791  The integrity of operating systems, applications, IT equipment, OT equipment and services
ISM-1792  The authenticity of operating systems, applications, IT equipment, OT equipment and servic
ISM-1793  Managed service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SEC
ISM-1794  A minimum notification period of one month by service providers for significant changes to
ISM-1804  Break clauses associated with failure to meet security requirements are documented in cont
ISM-1882  Operating systems, applications, IT equipment, OT equipment and services are procured from
ISM-1971  Managed service providers and their TOP SECRET managed services, including sensitive compa
ISM-1972  Outsourced cloud service providers and their TOP SECRET cloud services, including sensitiv

Guidelines for software development

104 controls
Controls in the Guidelines for software development domain of Australian Information Security Manual

Code      Title
ISM-0400  Development, testing, staging and production environments are segregated.
ISM-0401  Secure by Design principles and practices are followed throughout the software development
ISM-0402  Software is comprehensively tested for vulnerabilities, using SAST, DAST and SCA prior to
ISM-0971  The OWASP Application Security Verification Standard is used in the development of web app
ISM-1238  Threat modelling is used in support of the software development life cycle.
ISM-1239  Robust web application frameworks are used in the development of web applications.
ISM-1240  Validation and sanitisation are performed on all input received over the internet by softw
ISM-1241  Output encoding is performed on all output produced by web applications.
ISM-1275  All queries to databases from software are filtered for legitimate content and correct syn
ISM-1276  Parameterised queries or stored procedures, instead of dynamically generated queries, are
ISM-1278  Software is designed or configured to provide as little error information as possible abou
ISM-1419  Development and modification of software only takes place in development environments.
ISM-1420  Data from production environments is not used in non-production environments unless the no
ISM-1422  Unauthorised access to the authoritative source for software is prevented.
ISM-1424  Content-Security-Policy, Hypertext Transfer Protocol Strict Transport Security and X-Frame
ISM-1536  All queries to databases from software that are initiated by users, and any resulting cras
ISM-1552  All web application content is offered exclusively using HTTPS.
ISM-1616  A vulnerability disclosure program is implemented to assist with the secure development an
ISM-1717  A 'security.txt' file is hosted for each of an organisation's internet-facing website doma
ISM-1730  A software bill of materials is produced and made available to consumers of software.
ISM-1754  Vulnerabilities identified in software are resolved in a timely manner.
ISM-1755  A vulnerability disclosure policy is developed, implemented and maintained.
ISM-1756  Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, ar
ISM-1780  SecDevOps practices are used for software development.
ISM-1796  Files containing executable content are digitally signed by a certificate with a verifiabl
ISM-1797  Installers, patches and updates are digitally signed or provided with cryptographic checks
ISM-1798  Secure configuration guidance, in the form of a hardening guide or loosening guide, is pro
ISM-1816  Unauthorised modification of the authoritative source for software is prevented.
ISM-1817  Authentication and authorisation of clients is performed when clients call network APIs th
ISM-1818  Authentication and authorisation of clients is performed when clients call network APIs th
ISM-1849  The OWASP Top 10 Proactive Controls are used in the development of web applications.
ISM-1850  The OWASP Top 10 are mitigated in the development of web applications.
ISM-1851  The OWASP API Security Top 10 are mitigated in the development of web APIs.
ISM-1908  Vulnerabilities identified in software are publicly disclosed in a responsible and timely
ISM-1909  In resolving vulnerabilities, root cause analysis is performed and, to the greatest extent
ISM-1910  Network API calls that facilitate modification of data, or access to data not authorised f
ISM-1911  Security-relevant usage, error messages and crashes for software are centrally logged.
ISM-1922  The OWASP Mobile Application Security Verification Standard is used in the development of
ISM-1924  Generative artificial intelligence applications evaluate user prompts to detect and mitiga
ISM-2013  Authentication and authorisation of clients is performed when clients call network APIs th
ISM-2014  Authentication and authorisation of clients is performed when clients call network APIs th
ISM-2015  Network API calls that facilitate modification of data, or access to data not authorised f
ISM-2016  Validation and sanitisation are performed on all input received over a local network by so
ISM-2023  An authoritative source for software is established and maintained.
ISM-2024  The authoritative source for software is used for all software development activities.
ISM-2025  An issue tracking solution is used to link software development tasks to security issues a
ISM-2026  All software artefacts are scanned for malicious content before being imported into the au
ISM-2027  All software artefacts are verified by a digital signature, or a secure hash provided over
ISM-2028  All software artefacts are tested to detect known weaknesses using static application secu
ISM-2029  The authoritative source for software restricts the use and import of third-party librarie
ISM-2030  Scanning is used during commits to identify plain text or encoded secrets and keys, which
ISM-2031  Compilers, interpreters and build tools (including pipelines) that provide security featur
ISM-2032  The build solution ensures that all automated testing is completed without warnings, alert
ISM-2033  All software security requirements are documented, stored securely and maintained througho
ISM-2034  Security design decisions are documented and reviewed throughout the software development
ISM-2035  Security roles, responsibilities and knowledge requirements required to support the softwa
ISM-2036  Security responsibilities for software developers are identified and documented.
ISM-2037  Software developers that lack sufficient cyber security knowledge and skills required for
ISM-2038  A software developer cyber security knowledge and skills register is implemented and maint
ISM-2039  The software threat model is reviewed throughout the software development life cycle to en
ISM-2040  Secure programming practices for the chosen programming language are used for software dev
ISM-2041  Memory-safe programming languages, or less preferably memory-safe programming practices, a
ISM-2042  Secure by Default principles and practices are followed throughout the software developmen
ISM-2043  Software is architected and structured to support readability and maintainability.
ISM-2044  Software has no default credentials; however, if credentials are required, they are create
ISM-2045  Application backwards compatibility does not compromise any security measures or features.
ISM-2046  Where software allows user impersonation, sensitive data is not logged and appropriate per
ISM-2047  Where software allows an authentication factor to be reset, the user is notified of the re
ISM-2048  Where software supports multiple user roles, non-administrative users are prevented from a
ISM-2049  When user permissions or credentials are changed, software forces all impacted users to re
ISM-2050  When digital signatures are processed by software, they are validated against a certificat
ISM-2051  Software generates sufficient event logs to support the detection of cyber security events
ISM-2052  Event logs produced by software ensure that any sensitive data is protected.
ISM-2053  End of life procedures for software, covering how to remove the software and how to archiv
ISM-2054  If a software bill of materials is available for imported third-party software components,
ISM-2055  If a software build provenance is available for imported third-party software components,
ISM-2056  A software build provenance is produced and made available to consumers of software.
ISM-2057  All input validation rules are documented, matched in code and tested with both positive a
ISM-2058  Data sources and serialised data inputs are validated before being deserialised.
ISM-2059  File uploads or input are restricted to specific file types, with malicious content scanni
ISM-2060  Code reviews are utilised to ensure software meets Secure by Design principles and practic
ISM-2061  Software developer-supported security-focused peer reviews are conducted on all critical a
ISM-2062  Unit testing and integration testing, covering both positive and negative use cases, are u
ISM-2063  If supported, web application session cookies set the HttpOnly flag, Secure flag and the S
ISM-2064  Web application session cookies contain only digitally signed opaque bearer tokens.
ISM-2065  Web application session cookies using opaque bearer tokens that are not digitally signed u
ISM-2066  Web application sessions are centrally managed server side.
ISM-2067  Web applications that support Single Sign On equally support Single Logout.
ISM-2072  Artificial intelligence models are stored in a non-executable file format that does not al
ISM-2082  If a cryptographic bill of materials is available for imported third-party software compon
ISM-2083  A cryptographic bill of materials is produced and made available to consumers of software.
ISM-2084  Artificial intelligence-specific documentation, including model and system cards (or equiv
ISM-2085  The exposure of exact artificial intelligence model confidence scores in API responses or
ISM-2086  The source and integrity of artificial intelligence models, structures and weights are ver
ISM-2087  The source and integrity of training data for artificial intelligence models is verified.
ISM-2088  Data validation and verification techniques are used to ensure the reliability and accurac
ISM-2089  Artificial intelligence model performance metrics are monitored and anomalies are investig
ISM-2090  Rate limiting is applied to inference queries for artificial intelligence models.
ISM-2091  Resource limits are enforced for artificial intelligence models.
ISM-2092  Access control policies are implemented to enforce fine-grained permissions for artificial
ISM-2093  Role-based access controls are implemented for artificial intelligence applications to res
ISM-2094  Content filtering is implemented by artificial intelligence applications to detect and blo
ISM-2102  Existing software artefacts in the authoritative source for software are periodically test
ISM-2103  Organisational data generated, collected or processed by artificial intelligence applicati

Guidelines for system hardening

215 controls
Controls in the Guidelines for system hardening domain of Australian Information Security Manual

Code      Title
ISM-0341  Automatic execution features for removable media are disabled.
ISM-0343  If there is no business requirement for writing to removable media and devices, such funct
ISM-0345  External communication interfaces that allow DMA are disabled.
ISM-0380  Unneeded user accounts, components, services and functionality of operating systems are di
ISM-0382  Unprivileged users do not have the ability to uninstall or disable approved applications.
ISM-0383  Default user accounts or credentials for operating systems, including for any pre-configur
ISM-0408  Systems have a logon banner that reminds users of their security responsibilities when acc
ISM-0417  When systems cannot support multi-factor authentication, single-factor authentication usin
ISM-0418  Physical credentials are kept separate from systems they are used to authenticate to, exce
ISM-0421  Passwords used for single-factor authentication on non-classified, OFFICIAL: Sensitive and
ISM-0422  Passwords used for single-factor authentication on TOP SECRET systems are a minimum of 20
ISM-0428  Services are configured with a session lock that: - activates after a maximum of 15 minute
ISM-0582  Security-relevant events for Microsoft Windows operating systems are centrally logged.
ISM-0843  Application control is implemented on workstations.
ISM-0846  All users (with the exception of local administrator accounts and break glass accounts) ca
ISM-0853  On a daily basis, outside of business hours and after an appropriate period of inactivity,
ISM-0938  Vendors that have demonstrated a commitment to Secure by Design and Secure by Default prin
ISM-0955  Application control is implemented using cryptographic hash rules, publisher certificate r
ISM-0974  Multi-factor authentication is used to authenticate unprivileged users of systems.
ISM-1034  A HIPS or EDR solution is implemented on critical servers and high-value servers.
ISM-1055  LAN Manager and NT LAN Manager authentication methods are disabled.
ISM-1173  Multi-factor authentication is used to authenticate privileged users of systems.
ISM-1227  Credentials set for user accounts are randomly generated.
ISM-1235  Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clien
ISM-1245  All temporary installation files and logs created during server application installation p
ISM-1246  Server applications are hardened using ASD and vendor hardening guidance, with the most re
ISM-1247  Unneeded user accounts, components, services and functionality of server applications are
ISM-1249  Server applications are configured to run as a separate user account with the minimum priv
ISM-1250  The user accounts under which server applications run have limited access to their underly
ISM-1260  Default user accounts or credentials for server applications, including for any pre-config
ISM-1341  A HIPS or EDR solution is implemented on workstations.
ISM-1392  When implementing application control using path rules, only approved users can modify app
ISM-1401  Multi-factor authentication uses either: something users have and something users know, or
ISM-1402  Credentials stored on systems are protected by a password manager; a hardware security mod
ISM-1403  User accounts, except for break glass accounts, are locked out after a maximum of five fai
ISM-1406  SOEs are used for workstations and servers.
ISM-1407  The latest release, or the previous release, of operating systems are used.
ISM-1408  Where supported, 64-bit versions of operating systems are used.
ISM-1409  Operating systems are hardened using ASD and vendor hardening guidance, with the most rest
ISM-1412  Web browsers are hardened using ASD and vendor hardening guidance, with the most restricti
ISM-1416  A software firewall is implemented on workstations and servers to restrict inbound and out
ISM-1417  An antivirus application is implemented on workstations and servers with: - signature-base
ISM-1418  If there is no business requirement for reading from removable media and devices, such fun
ISM-1460  When using a software-based isolation mechanism to share a physical server's hardware, the
ISM-1461  When using a software-based isolation mechanism to share a physical server's hardware for
ISM-1467  The latest release of office productivity suites, web browsers and their extensions, email
ISM-1470  Unneeded components, services and functionality of office productivity suites, web browser
ISM-1471  When implementing application control using publisher certificate rules, publisher names a
ISM-1483  The latest release of internet-facing server applications are used.
ISM-1485  Web browsers do not process web advertisements from the internet.
ISM-1486  Web browsers do not process Java from the internet.
ISM-1487  Only privileged users responsible for checking that Microsoft Office macros are free of ma
ISM-1488  Microsoft Office macros in files originating from the internet are blocked.
ISM-1489  Microsoft Office macro security settings cannot be changed by users.
ISM-1490  Application control is implemented on internet-facing servers.
ISM-1491  Unprivileged users are prevented from running script execution engines, including: - Windo
ISM-1492  Operating system exploit protection functionality is enabled.
ISM-1504  Multi-factor authentication is used to authenticate users to their organisation's online s
ISM-1505  Multi-factor authentication is used to authenticate users of data repositories.
ISM-1542  Microsoft Office is configured to prevent activation of Object Linking and Embedding packa
ISM-1544  Microsoft's recommended application blocklist is implemented.
ISM-1546  Users are authenticated before they are granted access to a system and its resources.
ISM-1557  Passwords used for single-factor authentication on SECRET systems are a minimum of 17 char
ISM-1558  Passwords using a sequence of words for single-factor authentication are not constructed u
ISM-1559  Passwords used for multi-factor authentication on non-classified, OFFICIAL: Sensitive and
ISM-1560  Passwords used for multi-factor authentication on SECRET systems are a minimum of 8 charac
ISM-1561  Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 c
ISM-1582  Application control rulesets are validated on an annual or more frequent basis.
ISM-1584  Unprivileged users are prevented from bypassing, disabling or modifying security functiona
ISM-1585  Web browser security settings cannot be changed by users.
ISM-1588  SOEs are reviewed and updated at least annually.
ISM-1590  Credentials for user accounts are changed if: - they are compromised - they are suspected
ISM-1592  Unprivileged users do not have the ability to install unapproved applications.
ISM-1593  Users provide sufficient evidence to verify their identity when requesting new credentials
ISM-1594  Credentials are provided to users via a secure communications channel or, if not possible,
ISM-1595  Credentials provided to users are changed on first use.
ISM-1596  Credentials are not reused by users across different systems.
ISM-1597  Credentials are obscured as they are entered into systems.
ISM-1601  Microsoft's attack surface reduction rules are implemented.
ISM-1603  Authentication methods susceptible to replay attacks are disabled.
ISM-1604  When using a software-based isolation mechanism to share a physical server's hardware, the
ISM-1605  When using a software-based isolation mechanism to share a physical server's hardware, the
ISM-1606  When using a software-based isolation mechanism to share a physical server's hardware, pat
ISM-1607  When using a software-based isolation mechanism to share a physical server's hardware, int
ISM-1608  SOEs provided by third parties are scanned for malicious code and configurations.
ISM-1619  Service accounts are created as group Managed Service Accounts.
ISM-1620  Privileged user accounts are members of the Protected Users security group.
ISM-1621  Windows PowerShell 2.0 is disabled or removed.
ISM-1622  PowerShell is configured to use Constrained Language Mode.
ISM-1623  PowerShell module logging, script block logging and transcription events are centrally log
ISM-1624  PowerShell script block logs are protected by Protected Event Logging functionality.
ISM-1654  Internet Explorer 11 is disabled or removed.
ISM-1655  .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
ISM-1656  Application control is implemented on non-internet-facing servers.
ISM-1657  Application control restricts the execution of executables, libraries, scripts, installers
ISM-1658  Application control restricts the execution of drivers to an organisation-approved set.
ISM-1659  Microsoft's vulnerable driver blocklist is implemented.
ISM-1660  Allowed and blocked application control events are centrally logged.
ISM-1667  Microsoft Office is blocked from creating child processes.
ISM-1668  Microsoft Office is blocked from creating executable content.
ISM-1669  Microsoft Office is blocked from injecting code into other processes.
ISM-1670  PDF applications are blocked from creating child processes.
ISM-1671  Microsoft Office macros are disabled for users that do not have a demonstrated business re
ISM-1672  Microsoft Office macro antivirus scanning is enabled.
ISM-1673  Microsoft Office macros are blocked from making Win32 API calls.
ISM-1674  Only Microsoft Office macros running from within a sandboxed environment, a Trusted Locati
ISM-1675  Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via t
ISM-1676  Microsoft Office's list of trusted publishers is validated on an annual or more frequent b
ISM-1679  Multi-factor authentication is used to authenticate users to third-party online services t
ISM-1680  Multi-factor authentication (where available) is used to authenticate users to third-party
ISM-1681  Multi-factor authentication is used to authenticate customers to online customer services
ISM-1682  Multi-factor authentication used for authenticating users of systems is phishing-resistant
ISM-1683  Successful and unsuccessful multi-factor authentication events are centrally logged.
ISM-1685  Credentials for break glass accounts, local administrator accounts and service accounts ar
ISM-1686  Credential Guard functionality is enabled.
ISM-1743  Vendors that have demonstrated a commitment to Secure by Design and Secure by Default prin
ISM-1745  Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is ena
ISM-1746  When implementing application control using path rules, only approved users can change fil
ISM-1748  Email client security settings cannot be changed by users.
ISM-1749  Cached credentials are limited to one previous logon.
ISM-1795  Credentials for built-in Administrator accounts, break glass accounts, local administrator
ISM-1806  Default user accounts or credentials for user applications, including for any pre-configur
ISM-1823  Office productivity suite security settings cannot be changed by users.
ISM-1824  PDF application security settings cannot be changed by users.
ISM-1825  Security product security settings cannot be changed by users.
ISM-1826  Vendors that have demonstrated a commitment to Secure by Design and Secure by Default prin
ISM-1827  Microsoft AD DS domain controllers are administered using dedicated domain administrator u
ISM-1828  The Print Spooler service is disabled on Microsoft AD DS domain controllers.
ISM-1829  Passwords are not stored in Group Policy Preferences.
ISM-1830  Security-relevant events for Microsoft AD DS domain controllers, Microsoft AD CS CA server
ISM-1832  Only service accounts and computer accounts are configured with Service Principal Names (S
ISM-1833  User accounts are provisioned with the minimum privileges required.
ISM-1834  Duplicate SPNs do not exist within the domain.
ISM-1835  Privileged user accounts are configured as sensitive and cannot be delegated.
ISM-1836  User accounts require Kerberos pre-authentication.
ISM-1838  The UserPassword attribute for user accounts is not used.
ISM-1839  Account properties accessible by unprivileged users are not used to store passwords.
ISM-1840  User account passwords do not use reversible encryption.
ISM-1841  Unprivileged user accounts cannot add machines to the domain.
ISM-1842  Dedicated privileged service accounts are used to add machines to the domain.
ISM-1843  User accounts with unconstrained delegation are reviewed at least annually, and those with
ISM-1844  Computer accounts that are not Microsoft AD DS domain controllers are not trusted for dele
ISM-1845  When a user account is disabled, it is removed from all security group memberships.
ISM-1846  The Pre-Windows 2000 Compatible Access security group does not contain user accounts.
ISM-1847  Credentials for the Kerberos Key Distribution Center's service account (KRBTGT) are change
ISM-1848  When using a software-based isolation mechanism to share a physical server's hardware, the
ISM-1859  Office productivity suites are hardened using ASD and vendor hardening guidance, with the
ISM-1860  PDF applications are hardened using ASD and vendor hardening guidance, with the most restr
ISM-1861  Local Security Authority protection functionality is enabled.
ISM-1870  Application control is applied to user profiles and temporary folders used by operating sy
ISM-1871  Application control is applied to all locations other than user profiles and temporary fol
ISM-1872  Multi-factor authentication used for authenticating users of online services is phishing-r
ISM-1873  Multi-factor authentication used for authenticating customers of online customer services
ISM-1874  Multi-factor authentication used for authenticating customers of online customer services
ISM-1875  Networks are scanned at least monthly to identify any credentials that are being stored in
ISM-1889  Command line process creation events are centrally logged.
ISM-1890  Microsoft Office macros are checked to ensure they are free of malicious code before being
ISM-1891  Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be
ISM-1892  Multi-factor authentication is used to authenticate users to their organisation's online c
ISM-1893  Multi-factor authentication is used to authenticate users to third-party online customer s
ISM-1894  Multi-factor authentication used for authenticating users of data repositories is phishing
ISM-1895  Successful and unsuccessful single-factor authentication events are centrally logged.
ISM-1896  Memory integrity functionality is enabled.
ISM-1897  Remote Credential Guard functionality is enabled.
ISM-1914  Approved configurations for operating systems are developed, implemented and maintained.
ISM-1915  Approved configurations for user applications are developed, implemented and maintained.
ISM-1916  Approved configurations for server applications are developed, implemented and maintained.
ISM-1919  When multi-factor authentication is used to authenticate users or customers to online serv
ISM-1920  When multi-factor authentication is used to authenticate users to online services, online
ISM-1926  Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers an
ISM-1927  Access to Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS
ISM-1928  Backups of Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS
ISM-1929  Lightweight Directory Access Protocol signing is enabled on Microsoft AD DS domain control
ISM-1930  Passwords are prevented from being stored in Group Policy Preferences.
ISM-1931  SID Filtering is enabled for domain and forest trusts.
ISM-1932  The number of service accounts configured with an SPN is minimised.
ISM-1933  Service accounts configured with an SPN do not have DCSync permissions.
ISM-1934  User accounts with DCSync permissions are reviewed at least annually, and those without an
ISM-1935  Computer accounts are not configured for unconstrained delegation.
ISM-1936  The sIDHistory attribute for user accounts is not used.
ISM-1937  User accounts are checked at least weekly for the presence of the sIDHistory attribute.
ISM-1938  The Domain Computers security group does not have write or modify permissions to any Micro
ISM-1939  The number of user accounts that are members of the Domain Admins, Enterprise Admins or ot
ISM-1940  Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-p
ISM-1941  Computer accounts are not members of the Domain Admins, Enterprise Admins or other highly-
ISM-1942  The Domain Computers security group is not a member of any privileged or highly-privileged
ISM-1943  Strong mapping between certificates and users is enforced.
ISM-1944  The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is removed from Microsoft AD CS CA configurations.
ISM-1945  The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is removed from certificate templates.
ISM-1946  Unprivileged user accounts do not have write access to certificate templates.
ISM-1947  Extended Key Usages that enable user authentication are removed.
ISM-1948  CA Certificate Manager approval is required for certificate templates that allow a Subject
ISM-1949  Microsoft AD FS servers are administered using a dedicated service account that is not use
ISM-1950  Soft matching between Microsoft AD DS and Microsoft Entra ID is disabled following initial
ISM-1951  Hard match takeover is disabled for Microsoft Entra Connect servers.
ISM-1952  Privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra
ISM-1953  Credentials for the built-in Administrator account in each domain are long, unique, unpred
ISM-1954  Credentials for built-in Administrator accounts, break glass accounts, local administrator
ISM-1955  Credentials for computer accounts are changed if they are compromised, they are suspected
ISM-1956  Microsoft AD FS token-signing and encryption certificates are changed twice in quick succe
ISM-1957  Private keys for Microsoft AD CS CA servers are protected by a hardware security module.
ISM-1976  Security-relevant events for Apple macOS operating systems are centrally logged.
ISM-1977  Security-relevant events for Linux operating systems are centrally logged.
ISM-1978  Security-relevant events for server applications on internet-facing servers are centrally
ISM-1979  Security-relevant events for server applications on non-internet-facing servers are centra
ISM-1980  Credential hint functionality is not used for systems.
ISM-2010  Service accounts configured with an SPN use the Advanced Encryption Standard for encryptio
ISM-2011  When phishing-resistant multi-factor authentication is used by user accounts, other non-ph
ISM-2012  Systems are configured with a screen lock that: - activates after a maximum of 15 minutes
ISM-2076  Security questions are not used for authentication purposes.
ISM-2077  Email is not used for out-of-band authentication purposes.
ISM-2078  Passwords appearing in lists of commonly used passwords or lists of compromised passwords
ISM-2079  Maximum length limits for passwords are not less than 64 characters.
ISM-2080  Password complexity requirements are not imposed for passwords.
ISM-2081  All ASCII printable characters are supported for passwords.

Guidelines for system management

68 controls
Controls in the Guidelines for system management domain of the Australian Information Security Manual (68 controls)
Code      Title
ISM-0042  System administration processes, and supporting system administration procedures, are deve
ISM-0298  A centralised and managed approach that maintains the integrity of patches or updates, and
ISM-0300  Patches, updates or other vendor mitigations for vulnerabilities in high assurance IT equi
ISM-0304  Applications other than office productivity suites, web browsers and their extensions, ema
ISM-1143  Patch management processes, and supporting patch management procedures, are developed, imp
ISM-1211  System administrators perform system administration activities in accordance with the syst
ISM-1380  Privileged users use separate privileged and unprivileged operating environments.
ISM-1385  Administrative infrastructure is segregated from the wider network and the internet.
ISM-1386  Network management traffic can only originate from administrative infrastructure.
ISM-1387  Administrative activities are conducted through jump servers.
ISM-1493  Software registers for workstations, servers, network devices and networked IT equipment a
ISM-1501  Operating systems that are no longer supported by vendors are replaced.
ISM-1510  A digital preservation policy is developed, implemented and maintained.
ISM-1511  Backups of data, applications and settings are performed and retained in accordance with b
ISM-1515  Restoration of data, applications and settings from backups to a common point in time is t
ISM-1547  Data backup processes, and supporting data backup procedures, are developed, implemented a
ISM-1548  Data restoration processes, and supporting data restoration procedures, are developed, imp
ISM-1643  Software registers contain versions and patch histories of applications, drivers, operatin
ISM-1687  Privileged operating environments are not virtualised within unprivileged operating enviro
ISM-1688  Unprivileged user accounts cannot logon to privileged operating environments.
ISM-1689  Privileged user accounts (excluding local administrator accounts) cannot logon to unprivil
ISM-1690  Patches, updates or other vendor mitigations for vulnerabilities in online services are ap
ISM-1691  Patches, updates or other vendor mitigations for vulnerabilities in office productivity su
ISM-1692  Patches, updates or other vendor mitigations for vulnerabilities in office productivity su
ISM-1693  Patches, updates or other vendor mitigations for vulnerabilities in applications other tha
ISM-1694  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of i
ISM-1695  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of w
ISM-1696  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of w
ISM-1697  Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied wi
ISM-1698  A vulnerability scanner is used at least daily to identify missing patches or updates for
ISM-1699  A vulnerability scanner is used at least weekly to identify missing patches or updates for
ISM-1700  A vulnerability scanner is used at least fortnightly to identify missing patches or update
ISM-1701  A vulnerability scanner is used at least daily to identify missing patches or updates for
ISM-1702  A vulnerability scanner is used at least fortnightly to identify missing patches or update
ISM-1703  A vulnerability scanner is used at least fortnightly to identify missing patches or update
ISM-1704  Office productivity suites, web browsers and their extensions, email clients, PDF applicat
ISM-1705  Privileged user accounts (excluding backup administrator accounts) cannot access backups b
ISM-1706  Privileged user accounts (excluding backup administrator accounts) cannot access their own
ISM-1707  Privileged user accounts (excluding backup administrator accounts) are prevented from modi
ISM-1708  Backup administrator accounts are prevented from modifying and deleting backups during the
ISM-1750  Administrative infrastructure for critical servers, high-value servers and regular servers
ISM-1751  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of I
ISM-1752  A vulnerability scanner is used at least fortnightly to identify missing patches or update
ISM-1753  Internet-facing network devices that are no longer supported by vendors are replaced.
ISM-1807  An automated method of asset discovery is used at least fortnightly to support the detecti
ISM-1808  A vulnerability scanner with an up-to-date vulnerability database is used for vulnerabilit
ISM-1809  When applications, operating systems, network devices or networked IT equipment that are n
ISM-1810  Backups of data, applications and settings are synchronised to enable restoration to a com
ISM-1811  Backups of data, applications and settings are retained in a secure and resilient manner.
ISM-1812  Unprivileged user accounts cannot access backups belonging to other user accounts.
ISM-1813  Unprivileged user accounts cannot access their own backups.
ISM-1814  Unprivileged user accounts are prevented from modifying and deleting backups.
ISM-1876  Patches, updates or other vendor mitigations for vulnerabilities in online services are ap
ISM-1877  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of i
ISM-1878  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of I
ISM-1879  Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied wi
ISM-1898  Secure Admin Workstations are used in the performance of administrative activities.
ISM-1899  Network devices that do not belong to administrative infrastructure cannot initiate connec
ISM-1900  A vulnerability scanner is used at least fortnightly to identify missing patches or update
ISM-1901  Patches, updates or other vendor mitigations for vulnerabilities in office productivity su
ISM-1902  Patches, updates or other vendor mitigations for vulnerabilities in operating systems of w
ISM-1903  Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied w
ISM-1904  Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied w
ISM-1905  Online services that are no longer supported by vendors are removed.
ISM-1921  The likelihood of system compromise is frequently assessed when working exploits exist for
ISM-1958  User accounts with DCSync permissions cannot logon to unprivileged operating environments.
ISM-1981  Non-internet-facing network devices that are no longer supported by vendors are replaced.
ISM-1982  Networked IT equipment that is no longer supported by vendors is replaced.

Guidelines for system monitoring

19 controls
Controls in the Guidelines for system monitoring domain of the Australian Information Security Manual (19 controls)
Code      Title
ISM-0109  Event logs from workstations are analysed in a timely manner to detect cyber security even
ISM-0580  An event logging policy is developed, implemented and maintained.
ISM-0585  For each event logged, the date and time of the event, the relevant user or process, the r
ISM-0988  An accurate and consistent time source is used for event logging.
ISM-1228  Cyber security events are analysed in a timely manner to identify cyber security incidents
ISM-1405  A centralised event logging facility is implemented.
ISM-1815  Event logs are protected from unauthorised modification and deletion.
ISM-1906  Event logs from internet-facing servers are analysed in a timely manner to detect cyber se
ISM-1907  Event logs from non-internet-facing servers are analysed in a timely manner to detect cybe
ISM-1959  To the extent possible, event logs are captured and stored in a consistent and structured
ISM-1960  Event logs from internet-facing network devices are analysed in a timely manner to detect
ISM-1961  Event logs from non-internet-facing network devices are analysed in a timely manner to det
ISM-1983  Event logs sent to a centralised event logging facility are done so as soon as possible af
ISM-1984  Event logs sent to a centralised event logging facility are encrypted in transit.
ISM-1985  Event logs are protected from unauthorised access.
ISM-1986  Event logs from critical servers are analysed in a timely manner to detect cyber security
ISM-1987  Event logs from security products are analysed in a timely manner to detect cyber security
ISM-1988  Event logs are retained in a searchable manner for at least 12 months.
ISM-1989  Event logs are retained as per minimum retention requirements for various classes of recor

Maps to 2 other frameworks (1081 total controls)

ACSC Essential Eight: 57 source controls mapped | 15 target controls covered (5%)
Australia IRAP - Information Security Registered Assessors Program: 5 source controls mapped | 5 target controls covered (0%)

Frequently Asked Questions

What is the Australian Information Security Manual?

The Australian Information Security Manual is a compliance framework from Australia with 22 domains and 1081 controls. It is the ACSC Information Security Manual, the Australian Government's cybersecurity controls baseline, and is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does the Australian Information Security Manual have?

The Australian Information Security Manual has 1081 controls organised across 22 domains. The largest domains are Guidelines for system hardening (215 controls), Guidelines for software development (104 controls) and Guidelines for cryptography (73 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does the Australian Information Security Manual map to?

The Australian Information Security Manual maps to 2 other compliance frameworks: ACSC Essential Eight (5% coverage) and Australia IRAP - Information Security Registered Assessors Program (0% coverage). Use the comparison tool to explore control-level mappings between frameworks.

How do I get started with Australian Information Security Manual compliance?

Start your Australian Information Security Manual compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Australian Information Security Manual requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 1081 controls and track your progress.
