| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 28 | 0 |
| SECRET | 0 | 1 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 1 |
| Non-Classified | 0 | 26 |
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| S\|TS | SECRET | TOP SECRET | ISM-1802 |
| OS\|P\|S\|TS | OFFICIAL: Sensitive | TOP SECRET | ISM-1482 |
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1784 | NC\|OS\|P\|S\|TS | Guidelines for Cyber Security Incidents › Incident management policy | The incident management policy, including the associated incident response plan, is exercised at least annually. |
| ISM-1785 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Supplier relationship management | A supplier relationship management policy is developed and implemented. |
| ISM-1786 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Supplier relationship management | An approved supplier list is developed and implemented. |
| ISM-1787 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Purchasing of applications, ICT equipment and services | Applications, ICT equipment and services are purchased from approved suppliers. |
| ISM-1788 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Purchasing of applications, ICT equipment and services | Multiple potential suppliers are identified for the purchase of critical applications, ICT equipment and services. |
| ISM-1789 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Purchasing of applications, ICT equipment and services | Sufficient spares of critical ICT equipment is purchased and kept in reserve. |
| ISM-1790 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Delivery of applications, ICT equipment and services | Applications, ICT equipment and services are delivered in a manner that maintains their integrity. |
| ISM-1791 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Delivery of applications, ICT equipment and services | The integrity of applications, ICT equipment and services are assessed as part of acceptance of products and services. |
| ISM-1792 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Delivery of applications, ICT equipment and services | The authenticity of applications, ICT equipment and services are assessed as part of acceptance of products and services. |
| ISM-1793 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Assessment of managed service providers | Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months. |
| ISM-1794 | NC\|OS\|P\|S\|TS | Guidelines for Procurement and Outsourcing › Contractual security requirements | Notification by service providers of significant changes to their own service provider arrangements is documented in contractual arrangements. |
| ISM-1795 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Protecting credentials | Credentials for local administrator accounts and service accounts are a minimum of 30 characters. |
| ISM-1796 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | Files containing executable content are digitally signed as part of application development. |
| ISM-1797 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development. |
| ISM-1798 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | Secure configuration guidance is produced as part of application development. |
| ISM-1799 | NC\|OS\|P\|S\|TS | Guidelines for Email › Domain-based Message Authentication, Reporting and Conformance | Incoming emails are rejected if they do not pass DMARC checks. |
| ISM-1800 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Flashing network devices with trusted firmware before first use | Network devices are flashed with trusted firmware before they are used for the first time. |
| ISM-1801 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Regularly restarting network devices | Network devices are restarted on at least a monthly basis. |
| ISM-1802 | S\|TS | Guidelines for Cryptography › ASD-approved High Assurance Cryptographic Equipment | HACE does not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD. |
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1452 | 0.62 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities | A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system’s secu… |
| ISM-1482 | 0.52 | Guidelines for Enterprise Mobility › Organisation-owned mobile devices | Personnel accessing systems or data using an organisation-owned mobile device use an ASD-approved platform, a security configuration in accordance wit… |
| ISM-1568 | 0.44 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities | Applications, ICT equipment and services are chosen from suppliers that have made a commitment to the security of their products and services. |
| ISM-1567 | 0.40 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities | Suppliers identified as high risk by a cyber supply chain risk assessment are not used. |
| ISM-0141 | 0.38 | Guidelines for Procurement and Outsourcing › Contractual security requirements | The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are … |
| ISM-1183 | 0.36 | Guidelines for Email › Sender Policy Framework | A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for all domains (including subdomains). |
| ISM-1631 | 0.32 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities | Applications, ICT equipment and services associated with systems are identified and understood. |
| ISM-1737 | 0.30 | Guidelines for Procurement and Outsourcing › Managed services | A managed service register contains the following for each managed service: * managed service provider’s name * managed service’s name * purpose for u… |
| ISM-0576 | 0.28 | Guidelines for Cyber Security Incidents › Incident management policy | An incident management policy is developed and implemented. |
| Control | Edit dist | Location |
|---|---|---|
| ISM-1540 | 0.20 | Guidelines for Email › Domain-based Message Authentication, Reporting and Conformance |
| ISM-1632 | 0.20 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities |
| ISM-0072 | 0.20 | Guidelines for Procurement and Outsourcing › Contractual security requirements |
| ISM-1638 | 0.15 | Guidelines for Procurement and Outsourcing › Outsourced cloud services |
| ISM-0853 | 0.15 | Guidelines for System Hardening › Session termination |
| ISM-1589 | 0.13 | Guidelines for Email › Email server transport encryption |
| ISM-0861 | 0.13 | Guidelines for Email › DomainKeys Identified Mail |
| ISM-0567 | 0.13 | Guidelines for Email › Open relay email servers |
| ISM-0574 | 0.12 | Guidelines for Email › Sender Policy Framework |
| ISM-1502 | 0.09 | Guidelines for Email › Blocking suspicious emails |
| ISM-0460 | 0.08 | Guidelines for Cryptography › Encrypting data at rest |
| ISM-1569 | 0.05 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities |
| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for Outsourcing | Guidelines for Procurement and Outsourcing | ISM-0072 ISM-1073 ISM-1395 ISM-1451 ISM-1452 ISM-1529 ISM-1567 ISM-1568 ISM-1569 ISM-1570 ISM-1571 ISM-1572 ISM-1573 ISM-1574 ISM-1575 ISM-1576 ISM-1631 ISM-1632 ISM-1637 ISM-1638 ISM-1736 ISM-1737 ISM-1738 |
| Guidelines for Cyber Security Incidents | Guidelines for Procurement and Outsourcing | ISM-0141 |
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-1152 | NC\|OS\|P\|S\|TS | Guidelines for Email | Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients. |
| ISM-1433 | NC\|OS\|P\|S\|TS | Guidelines for Cyber Security Incidents | Service providers and their customers maintain 24/7 contact details for each other, including additional out-of-band contact details for when normal c… |
revision/updated stamp to move (1 prose-only re-render excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC\|OS\|P\|S\|TS); pre-Dec-2024 NC imputed.