Updated quarterly — March 2025 current

ASD ISM: Australia's comprehensive cybersecurity standard

The Information Security Manual is the Australian government's authoritative cybersecurity standard. It specifies hundreds of controls across governance, personnel, physical, systems, communications, and data security. It is mandatory for government, essential for defence industry, and the gold standard for any Australian organisation serious about cybersecurity. BlackSheep tracks every guideline area.

$249/month · All frameworks included · No credit card to start

  • 21 controls tracked
  • 6 guideline categories
  • 4 updates per year
  • 2025: latest release (March)

ISM guideline areas

Comprehensive coverage from governance through to data protection.

Governance & Risk Management

4 controls

  • CISO appointment and cybersecurity roles
  • Security strategy, policies, and documentation
  • Procurement and outsourcing security
  • Incident management and reporting to ACSC

Personnel Security

3 controls

  • Cybersecurity awareness training for all personnel
  • Access based on clearance, briefings, and need-to-know
  • Privileged access management with separate accounts

Physical & Equipment Security

3 controls

  • Facility physical security and access control
  • ICT equipment lifecycle management
  • Media handling, encryption, and destruction

System Hardening & Management

4 controls

  • OS and application hardening (ASD/CIS guides)
  • Application control (allowlisting)
  • MFA and authentication controls
  • Vulnerability management, patching, and monitoring

Communications & Network Security

4 controls

  • Network segmentation and gateway security
  • ASD Approved Cryptographic Algorithms
  • Email authentication (SPF/DKIM/DMARC) and web filtering
  • Enterprise mobility and remote access controls

Data Protection & Transfers

3 controls

  • Information classification and handling procedures
  • Backup and recovery (Essential Eight aligned)
  • Cross-domain transfers and content filtering

Common questions about the ISM

Do we need both the ISM and Essential Eight?

They work together. The Essential Eight is the prioritised starting point — the eight strategies with the greatest impact. The ISM is the comprehensive standard that covers everything else: governance, personnel security, physical security, cryptography, and more. Most organisations implement the Essential Eight first, then expand to broader ISM coverage.

How do the ISM classification levels work?

ISM controls are tagged with applicability markings: NC (non-classified), OS (OFFICIAL: Sensitive), P (PROTECTED), S (SECRET), and TS (TOP SECRET). Not all controls apply to every organisation — you implement the controls appropriate to your highest classification level. Most private sector organisations focus on NC and OS controls.

Is the ISM relevant outside of government?

Yes. Members of the Defence Industry Security Program (DISP) are required to align with the ISM. Critical infrastructure organisations are strongly encouraged to do so. And any organisation handling Australian government data must meet the ISM requirements specified in its contracts. Beyond compliance, the ISM represents best practice that any organisation can benefit from.

How do we handle quarterly updates?

Each quarterly release includes a change log identifying new, modified, and retired controls. Review the change log against your current implementation, update your documentation, and address any new requirements. BlackSheep tracks ISM controls and will be updated with each quarterly release.

Australia's most comprehensive cybersecurity standard. One platform.

BlackSheep tracks the ISM alongside the Essential Eight, giving you both the prioritised starting point and the comprehensive standard in one dashboard.

$249/month. 30-day money-back guarantee.