ASD ISM — incremental change analysis

Release v2022.12.1 (2022-12-01) vs prior v2022.09.15 · 77 days · catalogue 850 controls · ALL-era (NC imputed)
ASD changes summary: not available online (pre-June-2024 or errata release)
Added: 16
Substantive: 31
Clarification: 66
Editorial: 9
Relocated: 24
Scope changes: 1
Removed: 3

1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes

Level · as ceiling · as floor
TOP SECRET · 47 · 0
SECRET · 0 · 2
PROTECTED · 0 · 0
OFFICIAL: Sensitive · 0 · 0
Non-Classified · 0 · 45

3 · Level-specific material changes

Footprint · Floor · Ceiling · Controls
S|TS · SECRET · TOP SECRET · ISM-0669, ISM-1776

4 · Change location by chapter

5 · Control call-outs by category

Added — new controls (16)

Control · Footprint · Location · Statement (excerpt)
ISM-1803 · NC|OS|P|S|TS · Guidelines for Cyber Security Incidents › Cyber security incident register · A cyber security incident register contains the following for each cyber security incident: * the date the cyber security incident occurred * the date…
ISM-1804 · NC|OS|P|S|TS · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers · Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers.
ISM-1805 · NC|OS|P|S|TS · Guidelines for Communications Systems › Denial of service response plan · A denial of service response plan for video conferencing and IP telephony services contains the following: * how to identify signs of a denial-of-serv…
ISM-1806 · NC|OS|P|S|TS · Guidelines for System Hardening › Hardening application configurations · Default accounts or credentials for applications, including for any pre-configured accounts, are changed.
ISM-1807 · NC|OS|P|S|TS · Guidelines for System Management › Scanning for missing patches or updates · An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activitie…
ISM-1808 · NC|OS|P|S|TS · Guidelines for System Management › Scanning for missing patches or updates · A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
ISM-1809 · NC|OS|P|S|TS · Guidelines for System Management › Cessation of support · When applications, operating systems, network devices or other ICT equipment that are no longer supported by vendors cannot be immediately removed or …
ISM-1810 · NC|OS|P|S|TS · Guidelines for System Management › Performing and retaining backups · Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
ISM-1811 · NC|OS|P|S|TS · Guidelines for System Management › Performing and retaining backups · Backups of important data, software and configuration settings are retained in a secure and resilient manner.
ISM-1812 · NC|OS|P|S|TS · Guidelines for System Management › Backup access · Unprivileged accounts cannot access backups belonging to other accounts.
ISM-1813 · NC|OS|P|S|TS · Guidelines for System Management › Backup access · Unprivileged accounts cannot access their own backups.
ISM-1814 · NC|OS|P|S|TS · Guidelines for System Management › Backup modification and deletion · Unprivileged accounts are prevented from modifying and deleting backups.
ISM-1815 · NC|OS|P|S|TS · Guidelines for System Monitoring › Centralised event logging facility · Event logs stored within a centralised event logging facility are protected from unauthorised modification and deletion.
ISM-1816 · NC|OS|P|S|TS · Guidelines for Software Development › Development, testing and production environments · Unauthorised modification of the authoritative source for software is prevented.
ISM-1817 · NC|OS|P|S|TS · Guidelines for Software Development › Web application programming interfaces · Clients are authenticated when calling web APIs that facilitate access to data not authorised for release into the public domain.
ISM-1818 · NC|OS|P|S|TS · Guidelines for Software Development › Web application programming interfaces · Clients are authenticated when calling web APIs that facilitate modification of data.

Substantive amendments (31)

Control · Edit dist · Location · Statement (excerpt)
ISM-0125 · 0.76 · Guidelines for Cyber Security Incidents › Cyber security incident register · A cyber security incident register is developed, implemented and maintained.
ISM-1776 · 0.74 · Guidelines for Gateways › Cross Domain Solution event logging · CDS event logs are stored centrally.
ISM-1775 · 0.71 · Guidelines for Gateways › Gateway event logging and alerting · Gateway event logs are stored centrally.
ISM-1758 · 0.70 · Guidelines for Database Systems › Database event logging · Database event logs are stored centrally.
ISM-1777 · 0.70 · Guidelines for Gateways › Web proxy event logging · Web proxy event logs are stored centrally.
ISM-1665 · 0.69 · Guidelines for System Hardening › PowerShell · PowerShell event logs are stored centrally.
ISM-1715 · 0.69 · Guidelines for Personnel Security › Emergency access to systems · Break glass event logs are stored centrally.
ISM-1757 · 0.66 · Guidelines for Software Development › Web application event logging · Web application event logs are stored centrally.
ISM-1747 · 0.66 · Guidelines for System Hardening › Operating system event logging · Operating system event logs are stored centrally.
ISM-1651 · 0.65 · Guidelines for Personnel Security › Privileged access to systems · Privileged access event logs are stored centrally.
ISM-1663 · 0.64 · Guidelines for System Hardening › Application control · Application control event logs are stored centrally.
ISM-1714 · 0.64 · Guidelines for Personnel Security › Unprivileged access to systems · Unprivileged access event logs are stored centrally.
ISM-0518 · 0.63 · Guidelines for Networking › Network documentation · Network documentation is developed, implemented, maintained.
ISM-1678 · 0.63 · Guidelines for System Hardening › Microsoft Office macros · Microsoft Office macro event logs are stored centrally.
ISM-1684 · 0.60 · Guidelines for System Hardening › Multi-factor authentication · Multi-factor authentication event logs are stored centrally.
ISM-1652 · 0.59 · Guidelines for Personnel Security › Privileged access to systems · Privileged account and group management event logs are stored centrally.
ISM-1019 · 0.58 · Guidelines for Communications Systems › Denial of service response plan · A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained.
ISM-1304 · 0.51 · Guidelines for Networking › Default accounts and credentials for network devices · Default accounts or credentials for network devices including for any pre-configured accounts, are changed.
ISM-0418 · 0.49 · Guidelines for System Hardening › Protecting credentials · Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.
ISM-1596 · 0.44 · Guidelines for System Hardening › Setting credentials for user accounts · Credentials, in the form of memorised secrets, are not reused by users across different systems.
ISM-1708 · 0.39 · Guidelines for System Management › Backup modification and deletion · Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.
ISM-1782 · 0.39 · Guidelines for Networking › Protective Domain Name System Services · A protective DNS service is used to block access to known malicious domain names.
ISM-1300 · 0.36 · Guidelines for Enterprise Mobility › After travelling overseas with mobile devices · Upon returning from travelling overseas with mobile devices, personnel take the following actions: * sanitise and reset mobile devices, including all …
ISM-0576 · 0.35 · Guidelines for Cyber Security Incidents › Incident management policy · An incident management policy, and associated incident response plan, is developed, implemented and maintained.
ISM-1408 · 0.35 · Guidelines for System Hardening › Operating system releases and versions · Where supported, 64-bit versions of operating systems are used.
ISM-1515 · 0.33 · Guidelines for System Management › Testing restoration of backups · Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exerc…
ISM-0383 · 0.29 · Guidelines for System Hardening › Hardening operating system configurations · Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed.
ISM-0669 · 0.29 · Guidelines for Data Transfers › Manual export of data · When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual …
ISM-1705 · 0.29 · Guidelines for System Management › Backup access · Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
ISM-1650 · 0.28 · Guidelines for Personnel Security › Privileged access to systems · Privileged account and group management events are logged.
ISM-1509 · 0.27 · Guidelines for Personnel Security › Privileged access to systems · Privileged access events are logged.

Clarifications (66)

Control · Edit dist · Location
ISM-1407 · 0.23 · Guidelines for System Hardening › Operating system releases and versions
ISM-1706 · 0.22 · Guidelines for System Management › Backup access
ISM-0072 · 0.21 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1234 · 0.20 · Guidelines for Email › Email content filtering
ISM-1543 · 0.20 · Guidelines for Physical Security › Bringing Radio Frequency and infrared devices into facilities
ISM-1493 · 0.19 · Guidelines for System Management › Software register
ISM-0258 · 0.19 · Guidelines for Gateways › Web usage policy
ISM-1405 · 0.18 · Guidelines for System Monitoring › Centralised event logging facility
ISM-1707 · 0.18 · Guidelines for System Management › Backup modification and deletion
ISM-0264 · 0.18 · Guidelines for Email › Email usage policy
ISM-1794 · 0.17 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-0580 · 0.17 · Guidelines for System Monitoring › Event logging policy
ISM-0039 · 0.16 · Guidelines for Security Documentation › Cyber security strategy
ISM-1549 · 0.16 · Guidelines for Media › Media management policy
ISM-1625 · 0.16 · Guidelines for Cyber Security Incidents › Trusted insider program
ISM-1786 · 0.16 · Guidelines for Procurement and Outsourcing › Supplier relationship management
ISM-0211 · 0.16 · Guidelines for Communications Infrastructure › Cable register
ISM-1631 · 0.16 · Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities
ISM-1082 · 0.16 · Guidelines for Enterprise Mobility › Mobile device usage policy
ISM-1243 · 0.15 · Guidelines for Database Systems › Database register
ISM-1510 · 0.15 · Guidelines for System Management › Digital preservation policy
ISM-1645 · 0.15 · Guidelines for Communications Infrastructure › Floor plan diagrams
ISM-1359 · 0.15 · Guidelines for Media › Removable media usage policy
ISM-1078 · 0.15 · Guidelines for Communications Systems › Telephone system usage policy
ISM-1533 · 0.14 · Guidelines for Enterprise Mobility › Mobile device management policy
ISM-1755 · 0.14 · Guidelines for Software Development › Vulnerability disclosure program
ISM-0336 · 0.14 · Guidelines for ICT Equipment › ICT equipment register
ISM-0588 · 0.14 · Guidelines for Communications Systems › Fax machine and multifunction device usage policy
ISM-1551 · 0.14 · Guidelines for ICT Equipment › ICT equipment management policy
ISM-1713 · 0.14 · Guidelines for Media › Removable media register
ISM-1736 · 0.14 · Guidelines for Procurement and Outsourcing › Managed services
ISM-1451 · 0.13 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1785 · 0.13 · Guidelines for Procurement and Outsourcing › Supplier relationship management
ISM-1637 · 0.13 · Guidelines for Procurement and Outsourcing › Outsourced cloud services
ISM-1311 · 0.12 · Guidelines for Networking › Use of Simple Network Management Protocol
ISM-1395 · 0.12 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-0735 · 0.12 · Guidelines for Cyber Security Roles › Overseeing cyber security awareness raising
ISM-0963 · 0.11 · Guidelines for Gateways › Using web content filters
ISM-1511 · 0.11 · Guidelines for System Management › Performing and retaining backups
ISM-1571 · 0.10 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1547 · 0.10 · Guidelines for System Management › Data backup and restoration processes and procedures
ISM-1535 · 0.10 · Guidelines for Data Transfers › Data transfer processes and procedures
ISM-0663 · 0.10 · Guidelines for Data Transfers › Data transfer processes and procedures
ISM-0374 · 0.10 · Guidelines for Media › Media disposal processes and procedures
ISM-1573 · 0.10 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-0206 · 0.09 · Guidelines for Communications Infrastructure › Cable labelling processes and procedures
ISM-1143 · 0.09 · Guidelines for System Management › Patch management processes and procedures
ISM-1548 · 0.09 · Guidelines for System Management › Data backup and restoration processes and procedures
ISM-0363 · 0.09 · Guidelines for Media › Media destruction processes and procedures
ISM-0348 · 0.09 · Guidelines for Media › Media sanitisation processes and procedures
ISM-0042 · 0.08 · Guidelines for System Management › System administration processes and procedures
ISM-1550 · 0.08 · Guidelines for ICT Equipment › ICT equipment disposal processes and procedures
ISM-1572 · 0.08 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1756 · 0.08 · Guidelines for Software Development › Vulnerability disclosure program
ISM-1741 · 0.08 · Guidelines for ICT Equipment › ICT equipment destruction processes and procedures
ISM-0313 · 0.08 · Guidelines for ICT Equipment › ICT equipment sanitisation processes and procedures
ISM-1788 · 0.08 · Guidelines for Procurement and Outsourcing › Sourcing applications, ICT equipment and services
ISM-0507 · 0.08 · Guidelines for Cryptography › Cryptographic key management processes and procedures
ISM-1575 · 0.08 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1738 · 0.08 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-1789 · 0.07 · Guidelines for Procurement and Outsourcing › Sourcing applications, ICT equipment and services
ISM-0701 · 0.07 · Guidelines for Enterprise Mobility › Mobile device emergency sanitisation processes and procedures
ISM-1574 · 0.06 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers
ISM-0720 · 0.06 · Guidelines for Cyber Security Roles › Developing a cyber security communications strategy
ISM-1664 · 0.06 · Guidelines for System Hardening › PowerShell
ISM-0141 · 0.05 · Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers

Editorial / grammatical (9)

Cosmetic edits (normalised edit distance < 0.05). ISM-0428, ISM-1556, ISM-1660, ISM-1661, ISM-1662, ISM-1677, ISM-1683, ISM-1685, ISM-1787

Relocated (24)

0 cross-chapter moves (listed) · 24 intra-chapter section/topic reshuffles (count only).

Scope / applicability changes (1)

Control · Direction · Footprint before → after · Location
ISM-1776 · narrowed · NC|OS|P|S|TS → S|TS · Cross Domain Solution event logging

Removed (3)

Control · Footprint · Former location · Statement (excerpt)
ISM-0658 · S|TS · Guidelines for Data Transfers · When manually importing data to SECRET and TOP SECRET systems, the data undergoes data formatting checks.
ISM-1709 · NC|OS|P|S|TS · Guidelines for Networking · Default accounts and credentials of wireless access points are changed.
ISM-1744 · NC|OS|P|S|TS · Guidelines for System Hardening · The latest release, or the previous release, of operating systems are used for other ICT equipment.

Method. Controls only (ISM-principles excluded). A content modification requires ASD's native revision/updated stamp to move (0 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.