Australian Government Architecture
Information security manual (ISM)

Direct link: cyber.gov.au/resources-business-and-government/essential-cyber-security/ism 
Responsible agency: Australian Cyber Security Centre
Last updated: December 2024

The Information security manual (ISM) is a cyber security framework that an organisation can apply, using their risk management framework, to protect their information technology and operational technology systems, applications and data from cyber threats. The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.

The ISM is delivered as a series of cyber security principles and guidelines.

Applicability 

The ISM represents the considered advice of the Australian Signals Directorate (ASD). This advice is provided in accordance with ASD’s designated functions under the Intelligence Services Act 2001 (ISA).

The ISM is recommended for non-corporate Commonwealth entities.

Access the manual 

The cyber.gov.au website hosts the Information security manual (full text).

Cyber security principles

The purpose of the cyber security principles is to provide strategic guidance on how an organisation can protect their information technology and operational technology systems, applications and data from cyber threats. These cyber security principles are grouped into five functions:

  • GOVERN: Develop a strong cyber security culture.
  • IDENTIFY: Identify assets and associated security risks.
  • PROTECT: Implement controls to manage security risks.
  • DETECT: Detect and analyse cyber security events to identify cyber security incidents.
  • RESPOND: Respond to and recover from cyber security incidents.

Cyber security guidelines

The purpose of the cyber security guidelines is to provide practical guidance on how an organisation can protect their information technology and operational technology systems, applications and data from cyber threats.

Capabilities

This standard supports digital solutions in the following capability.
CAP10: Information asset security

Policies

This standard assists in meeting the requirements of the following policies.
POL39: Information asset security policy

Designs

The following designs show how to achieve the intent of this standard.
The Australian Signals Directorate has developed a number of Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight. While no set of mitigation…