Australian Government Information Security Manual (ISM): What It Is and How to Align

Blog

First Published: February 18, 2026

Content Written For: Small & Medium Businesses; Large Organisations & Infrastructure; Government


The Australian Government Information Security Manual is the foundational cybersecurity framework for protecting Australian government systems, applications, and data. The Australian Signals Directorate (ASD) publishes and maintains the ISM. It sets the information security standard across the Commonwealth. Increasingly, it also defines the compliance baseline for private sector organisations seeking to work with government. If your organisation is preparing for an IRAP assessment, bidding for a government contract, or aligning with best-practice Australian cybersecurity guidance, understanding the ISM is an essential starting point.

What Is the Australian Government Information Security Manual (ISM)?

The Australian Government Information Security Manual, or ISM, is a cybersecurity framework produced by the Australian Signals Directorate. Organisations apply the ISM through their risk management framework to protect IT and operational technology (OT) systems, applications, and data from cyber threats. ASD produces and maintains the ISM under its designated functions in the Intelligence Services Act 2001.

The ISM is a living document. ASD updates it regularly. The most recent release was published in December 2024. Organisations using the ISM for compliance must reference the current version when conducting assessments or preparing documentation. The December 2024 release introduced new controls for OT security, AI application development, and expanded internal reporting requirements for CISOs.

The ISM targets chief information security officers (CISOs), chief information officers (CIOs), cybersecurity professionals, and IT managers. In practice, its reach extends further. Any organisation that processes, stores, or transmits Australian government data must understand the ISM. This includes cloud service providers, managed service providers, and private sector contractors in regulated industries.

Who the ISM Applies To

ASD recommends the ISM for all non-corporate Commonwealth entities. It becomes mandatory where legislation, a ministerial direction, or another lawful authority compels compliance. The ISM does not override obligations imposed by other legislation. Where conflict exists, the law prevails.

For private sector organisations, the position is more nuanced. The ISM is not a statutory obligation unless government work requires it. However, organisations providing cloud services, managed services, or ICT solutions to Australian government customers must typically demonstrate ISM alignment during procurement. An IRAP assessment is the primary mechanism for verifying that alignment.

The ISM also intersects with the Protective Security Policy Framework (PSPF). The PSPF governs broader protective security obligations across the Commonwealth, covering personnel security, physical security, and information security at a policy level. The ISM provides the operational and technical cybersecurity guidance organisations use to implement those obligations. Government contractors must understand both frameworks to navigate compliance requirements effectively.

How the Framework Is Structured

The ISM organises its guidance into two core components: cybersecurity principles and cybersecurity guidelines.

The 23 cybersecurity principles provide strategic direction. ASD groups them into four key activities: Govern, Protect, Detect, and Respond. Organisations must demonstrate that they adhere to these principles within their environment.

The 22 cybersecurity guidelines provide practical, operational guidance for implementing those principles. The guidelines cover governance, physical security, personnel security, system hardening, communications infrastructure, enterprise mobility, cryptography, networking, email, data transfers, and software development. As of December 2024, the ISM contains 26 guideline chapters in total, with ongoing additions reflecting emerging risk areas such as OT security and AI.

The ISM draws its risk management approach from NIST Special Publication 800-37, Revision 2. This alignment gives the framework international credibility and compatibility with standards such as ISO 31000:2018.

The ISM’s Six-Step Risk Management Framework

The ISM centres on a six-step risk management framework. Organisations apply this framework to every system they operate. It provides a consistent, repeatable structure for identifying and treating security risk.

Step 1: Define the system. The organisation determines the system’s type, value, and security objectives. It assesses the potential impact of a compromise. This step shapes all decisions that follow.

Step 2: Select security controls. The organisation selects controls appropriate to the system’s classification level and operating environment.

Step 3: Implement security controls. The organisation implements the selected controls and documents how it applied them.

Step 4: Assess security controls. The organisation assesses whether controls are implemented correctly and operating as intended.

Step 5: Authorise the system. An authorising officer reviews the assessment. The officer grants authorisation to operate and accepts the residual security risk.

Step 6: Monitor the system. The organisation monitors the system on an ongoing basis. It reports security status to the authorising officer at least annually.

This six-step cycle is not a one-time exercise. It is a continuous process that reflects the evolving nature of cyber threats.

ISM vs Essential Eight: Understanding the Difference

Compliance teams frequently ask about the relationship between the ISM and the Essential Eight. The two are related but distinct.

The ISM is the comprehensive overarching framework. It covers cybersecurity governance, physical security, personnel security, and the full range of ICT security domains. The Essential Eight is a prioritised set of eight mitigation strategies. ASD identifies these as the most effective baseline controls for protecting internet-connected IT networks. ASD derived the Essential Eight from the ISM’s broader Strategies to Mitigate Cyber Security Incidents. It recommends the Essential Eight as a minimum baseline for all Australian organisations, not only government entities.

Achieving Essential Eight maturity does not mean an organisation meets full ISM compliance. The Essential Eight addresses a targeted subset of controls. The ISM covers a far broader governance and technical landscape. For organisations subject to IRAP assessment requirements, ISM compliance is the relevant standard. The Essential Eight forms part of that framework, not the whole of it. CyberPulse’s Essential Eight compliance services and compliance audit and advisory services address both dimensions. They help organisations understand where they stand before pursuing formal assessment.

Classification Levels Explained

The ISM applies different control requirements based on the sensitivity of the information a system handles. There are five classification levels.

Non-classified (NC) systems handle general information with no formal protective marking. OFFICIAL: Sensitive (OS) is a non-mandatory marking that is not formally classified, though it triggers specific handling requirements. PROTECTED (P) applies to information whose compromise could damage national interests, organisations, or individuals. SECRET (S) and TOP SECRET (TS) apply to highly sensitive national security information.

Classification determines which ISM controls apply to a system. It also determines what level of IRAP assessment is required and what authorisation process the system must complete before operating. For most private sector organisations working with Commonwealth agencies, the PROTECTED classification level is the relevant threshold. Achieving ISM PROTECTED compliance is the standard benchmark for cloud service providers and managed service providers seeking to host or process government data.

ISM Compliance and the IRAP Assessment Process

The Infosec Registered Assessors Program (IRAP) is the formal mechanism organisations use to demonstrate ISM compliance to government customers. ASD endorses IRAP assessors to conduct independent security assessments of ICT systems against ISM controls and guidelines. The IRAP assessment process runs in two stages. First, the assessor conducts a documentation review covering policies, procedures, and system architecture. Second, the assessor carries out a technical investigation of the ICT environment.

The ISM requires managed service providers and cloud service providers to complete an IRAP assessment at least every 24 months. System owners must also ensure their systems undergo security assessments and obtain formal authorisation to operate from their authorising officer.

Private sector organisations seeking to provide services to government should engage a specialist in IRAP assessment services early in the process. A qualified advisory partner conducts a pre-assessment gap analysis, prepares the required documentation, and coordinates the formal IRAP engagement. CyberPulse also provides managed compliance services to support ongoing ISM alignment between assessment cycles.

Key ISM Updates: December 2024

The December 2024 ISM release introduced several significant changes. Compliance teams should review these updates carefully.

ASD now explicitly recommends that CISOs extend their cybersecurity leadership to OT environments, not only traditional IT systems. This reflects the growing convergence of IT and OT across critical infrastructure sectors. New controls also address OT supply chain security. Organisations must now assess the cybersecurity integrity of third-party OT equipment and services.

The December 2024 release also strengthens internal reporting requirements. CISOs must now report on both IT and OT cybersecurity matters to their organisation’s audit, risk, and compliance committee. This is in addition to existing executive reporting obligations.

Finally, the update introduces controls for AI application development. These controls specifically reference the OWASP Top 10 critical security risks for large language model (LLM) applications. Organisations developing or deploying AI-enabled services should review these controls as part of their broader ISM compliance programme.

How to Prepare for ISM Compliance

Preparing for ISM compliance is a structured process. It begins well before any formal assessment. The most effective starting point is a gap analysis. The organisation reviews its current policies, procedures, technical configurations, and security controls against the ISM requirements for its relevant classification level. This analysis identifies deficiencies and produces a realistic remediation roadmap.

After the gap analysis, organisations update their security documentation to reflect ISM requirements. This typically includes an information security policy, a system security plan, a security risk assessment, and supporting procedures for access control, incident response, and change management. Mapping documentation to the ISM’s guideline structure simplifies the assessment process. It also demonstrates risk-aware governance to the IRAP assessor.

Training and awareness are equally important. The ISM treats personnel security and awareness as foundational controls. Assessors will scrutinise whether staff understand their obligations and whether training programmes are documented and current. Organisations should also establish continuous monitoring processes. These include event logging, vulnerability management, and regular security reviews. Continuous monitoring demonstrates an ongoing security posture rather than a point-in-time effort.

CyberPulse’s compliance audit and advisory services and IRAP assessment services support organisations through every stage of this process. Organisations with existing ISO 27001 programmes will find meaningful overlap with ISM requirements. Aligning these frameworks early reduces duplication and strengthens the overall compliance posture.

Frequently Asked Questions

Is the Australian Government Information Security Manual Legally Mandatory?

The ISM is mandatory for non-corporate Commonwealth entities. It is also mandatory where legislation or a lawful direction compels compliance. For private sector organisations, it is not a statutory requirement unless government contracting obligations make it so. In practice, any organisation providing IT services to Australian government agencies must meet ISM requirements.

How Often Does ASD Update the ISM?

ASD updates the ISM multiple times per year. The most recent release at the time of writing is December 2024. Organisations undergoing IRAP assessments should use the ISM version current at the time their assessment commences, or any subsequent version released during the engagement.

What Is the Difference Between the ISM and the Essential Eight?

The ISM is the comprehensive cybersecurity framework covering governance, physical, personnel, and technical security domains. The Essential Eight is a targeted set of eight prioritised mitigation strategies derived from the ISM. ASD recommends the Essential Eight as a minimum baseline for all organisations. Essential Eight compliance does not meet the full ISM compliance standard.

How Does IRAP Relate to the ISM?

IRAP is the formal assessment program organisations use to demonstrate ISM compliance to Australian government customers. ASD endorses IRAP assessors to independently assess ICT systems against ISM controls. The ISM requires managed service providers and cloud service providers to complete an IRAP assessment at least every 24 months.