| Level | Controls with this level as ceiling | Controls with this level as floor |
|---|---|---|
| TOP SECRET | 53 | 3 |
| SECRET | 1 | 3 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 0 | 48 |

| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| S | SECRET | SECRET | ISM-0187 |
| TS | TOP SECRET | TOP SECRET | ISM-1821 ISM-0216 ISM-1116 |
| S\|TS | SECRET | TOP SECRET | ISM-0213 ISM-1105 |

| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1819 | NC\|OS\|P\|S\|TS | Guidelines for Cyber Security Incidents › Enacting incident response plans | Following the identification of a cyber security incident, an organisation’s incident response plan is enacted. |
| ISM-1820 | NC\|OS\|P\|S\|TS | Guidelines for Communications Infrastructure › Cable colours | Cables for individual systems use a consistent colour. |
| ISM-1821 | TS | Guidelines for Communications Infrastructure › Common cable bundles and conduits | TOP SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit. |
| ISM-1822 | NC\|OS\|P\|S\|TS | Guidelines for Communications Infrastructure › Wall outlet box colours | Wall outlet boxes for individual systems use a consistent colour. |
| ISM-1823 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Hardening user application configurations | Office productivity suite security settings cannot be changed by users. |
| ISM-1824 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Hardening user application configurations | PDF software security settings cannot be changed by users. |
| ISM-1825 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Hardening user application configurations | Security product security settings cannot be changed by users. |
| ISM-1826 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Server application selection | Server applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-sa… |
| ISM-1827 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Microsoft AD DS domain controllers are administered using dedicated domain administrator user accounts that are not used to administer other systems. |
| ISM-1828 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | The Print Spooler service is disabled on Microsoft AD DS domain controllers. |
| ISM-1829 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Passwords and cpasswords are not used in Group Policy Preferences. |
| ISM-1830 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Security-related events for Microsoft AD DS are logged. |
| ISM-1831 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Microsoft AD DS event logs are stored centrally. |
| ISM-1832 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Only service accounts and computer accounts are configured with Service Principal Names (SPNs). |
| ISM-1833 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Service accounts are provisioned with the minimum privileges required and are not members of the domain administrators group or similar highly privile… |
| ISM-1834 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Duplicate SPNs do not exist within the domain. |
| ISM-1835 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Privileged user accounts are configured as sensitive and cannot be delegated. |
| ISM-1836 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User accounts require Kerberos pre-authentication. |
| ISM-1837 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User accounts are not configured with password never expires or password not required. |
| ISM-1838 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | The UserPassword attribute for user accounts is not used. |
| ISM-1839 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Account properties accessible by unprivileged users are not used to store passwords. |
| ISM-1840 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User account passwords do not use reversible encryption. |
| ISM-1841 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Unprivileged user accounts cannot add machines to the domain. |
| ISM-1842 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Dedicated service accounts are used to add machines to the domain. |
| ISM-1843 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos SPN or demonstrated business requ… |
| ISM-1844 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services. |
| ISM-1845 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | When a user account is disabled, it is removed from all security group memberships. |
| ISM-1846 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | The Pre-Windows 2000 Compatible Access security group does not contain user accounts. |
| ISM-1847 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Changing credentials | Credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) are changed twice, allowing for replication to all Microsoft Active Di… |
| ISM-1848 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Functional separation between computing environments | When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism or underlying operating system is repla… |
| ISM-1849 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Open Web Application Security Projects | The OWASP Top Ten Proactive Controls are used in the development of web applications. |
| ISM-1850 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Open Web Application Security Projects | The OWASP Top 10 are mitigated in the development of web applications. |
| ISM-1851 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Web application programming interfaces | The OWASP API Security Top 10 are mitigated in the development of web APIs. |

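Most of the new AD DS account-hardening controls (ISM-1832 to ISM-1846) map directly onto attributes every domain account already carries (`userAccountControl` bits, `servicePrincipalName`, group membership), so they can be audited from a plain LDAP export rather than by hand. The script below is an added example, not ISM text or ACSC tooling. It runs over a constructed export for a hypothetical domain `corp.example`; the `userAccountControl` bit values are Microsoft's documented flag values, while the convention that service accounts live under `OU=Service Accounts` and the set of groups treated as highly privileged are this example's assumptions (the ISM does not say how service accounts are identified). ISM-1843 is approximated: user accounts with unconstrained delegation and no SPN are flagged for review, the annual-review cadence itself being a process check outside the script.

```python
from collections import Counter

# userAccountControl flag bits (Microsoft's documented values).
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080     # password stored with reversible encryption
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000           # set on domain controllers
DONT_EXPIRE_PASSWD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000        # unconstrained delegation
NOT_DELEGATED = 0x100000                # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000

# Assumptions for this example: which groups count as highly privileged and
# where service accounts are kept. Adjust to the domain being audited.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRE2000_GROUP = "Pre-Windows 2000 Compatible Access"
SERVICE_OU = "OU=Service Accounts"

# Constructed export for a hypothetical domain corp.example (not real data).
# Each record mirrors the LDAP attributes an export would carry.
ACCOUNTS = [
    {"sam": "jdoe", "dn": "CN=jdoe,OU=Users,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT, "spn": ["HTTP/intranet.corp.example"], "memberOf": []},
    {"sam": "da-admin", "dn": "CN=da-admin,OU=Admins,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT, "spn": [], "memberOf": ["Domain Admins"]},
    {"sam": "da-hardened", "dn": "CN=da-hardened,OU=Admins,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT | NOT_DELEGATED, "spn": [], "memberOf": ["Domain Admins"]},
    {"sam": "legacy-app", "dn": "CN=legacy-app,OU=Users,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ENCRYPTED_TEXT_PWD_ALLOWED
            | PASSWD_NOTREQD | TRUSTED_FOR_DELEGATION, "spn": [], "memberOf": []},
    {"sam": "svc-sql", "dn": "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "spn": ["MSSQLSvc/sql01.corp.example:1433"],
     "memberOf": ["Domain Admins"]},
    {"sam": "svc-web", "dn": "CN=svc-web,OU=Service Accounts,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT, "spn": ["HTTP/web01.corp.example"], "memberOf": []},
    {"sam": "svc-web2", "dn": "CN=svc-web2,OU=Service Accounts,DC=corp,DC=example", "class": "user",
     "uac": NORMAL_ACCOUNT, "spn": ["http/web01.corp.example"], "memberOf": []},
    {"sam": "APP01$", "dn": "CN=APP01,OU=Servers,DC=corp,DC=example", "class": "computer",
     "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "spn": ["HOST/app01.corp.example"], "memberOf": []},
    {"sam": "DC01$", "dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "class": "computer",
     "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "spn": ["HOST/dc01.corp.example"], "memberOf": []},
]
# Membership of the legacy compatibility group, as read from the group object (constructed).
GROUP_MEMBERS = {PRE2000_GROUP: ["Authenticated Users", "jdoe"]}


def is_service_account(acct):
    return acct["class"] == "user" and SERVICE_OU in acct["dn"]


def is_domain_controller(acct):
    return acct["class"] == "computer" and bool(acct["uac"] & SERVER_TRUST_ACCOUNT)


def audit(accounts, group_members):
    """Return (control, account, detail) findings for the AD DS account-hardening controls."""
    findings = []
    spn_owners = {}
    for a in accounts:
        sam, uac = a["sam"], a["uac"]
        user = a["class"] == "user"
        privileged = bool(set(a["memberOf"]) & PRIVILEGED_GROUPS)
        for spn in a["spn"]:                       # SPNs are case-insensitive in AD
            spn_owners.setdefault(spn.lower(), []).append(sam)
        if user and a["spn"] and not is_service_account(a):
            findings.append(("ISM-1832", sam, "SPN on a user account that is not a service account"))
        if is_service_account(a) and privileged:
            findings.append(("ISM-1833", sam, "service account in a highly privileged group"))
        if user and privileged and not uac & NOT_DELEGATED:
            findings.append(("ISM-1835", sam, "privileged account not marked sensitive / cannot be delegated"))
        if user and uac & DONT_REQ_PREAUTH:
            findings.append(("ISM-1836", sam, "Kerberos pre-authentication not required"))
        if user and uac & (DONT_EXPIRE_PASSWD | PASSWD_NOTREQD):
            findings.append(("ISM-1837", sam, "password never expires or password not required"))
        if user and uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append(("ISM-1840", sam, "password stored with reversible encryption"))
        if user and uac & TRUSTED_FOR_DELEGATION and not a["spn"]:
            findings.append(("ISM-1843", sam, "unconstrained delegation with no SPN; review"))
        if a["class"] == "computer" and uac & TRUSTED_FOR_DELEGATION and not is_domain_controller(a):
            findings.append(("ISM-1844", sam, "non-DC computer account trusted for delegation"))
    for spn, owners in spn_owners.items():
        if len(owners) > 1:
            findings.append(("ISM-1834", ",".join(sorted(owners)), f"duplicate SPN {spn}"))
    users = {a["sam"] for a in accounts if a["class"] == "user"}
    for member in group_members.get(PRE2000_GROUP, []):
        if member in users:
            findings.append(("ISM-1846", member, f"user account in {PRE2000_GROUP!r}"))
    return findings


def summarise(findings):
    """Count findings per control, e.g. Counter({'ISM-1835': 2, ...})."""
    return Counter(control for control, _, _ in findings)


if __name__ == "__main__":
    for control, account, detail in audit(ACCOUNTS, GROUP_MEMBERS):
        print(f"{control}  {account:<20}  {detail}")
```

To run it against a real domain, replace `ACCOUNTS` with the result of an LDAP query for `sAMAccountName`, `objectClass`, `distinguishedName`, `userAccountControl`, `servicePrincipalName` and `memberOf`, and `GROUP_MEMBERS` with the `member` attribute of the compatibility group. ISM-1841 and ISM-1842 (who may join machines to the domain) depend on `ms-DS-MachineAccountQuota` on the domain object and on delegated permissions, and are deliberately not covered here.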
| Control | Edit distance (normalised) | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0402 | 0.89 | Guidelines for Software Development › Application security testing | Applications are comprehensively tested for security vulnerabilities, using both static application security testing and dynamic application security … |
| ISM-0859 | 0.74 | Guidelines for System Monitoring › Event log retention | Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years. |
| ISM-1105 | 0.73 | Guidelines for Communications Infrastructure › Wall outlet boxes | SECRET and TOP SECRET wall outlet boxes contain exclusively SECRET or TOP SECRET cables. |
| ISM-1246 | 0.68 | Guidelines for System Hardening › Hardening server application configurations | ACSC or vendor hardening guidance for server applications is implemented. |
| ISM-1260 | 0.62 | Guidelines for System Hardening › Hardening server application configurations | Default accounts or credentials for server applications, including for any pre-configured accounts, are changed. |
| ISM-1263 | 0.55 | Guidelines for Personnel Security › Privileged access to systems | Unique privileged accounts are used for administering individual server applications. |
| ISM-0187 | 0.50 | Guidelines for Communications Infrastructure › Common cable bundles and conduits | SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit. |
| ISM-0138 | 0.47 | Guidelines for Cyber Security Incidents › Maintaining the integrity of evidence | The integrity of evidence gathered during an investigation is maintained by investigators: * recording all of their actions * maintaining a proper cha… |
| ISM-0213 | 0.43 | Guidelines for Communications Infrastructure › Terminating cables on patch panels | SECRET and TOP SECRET cables are terminated on their own individual patch panels. |
| ISM-0216 | 0.43 | Guidelines for Communications Infrastructure › Physical separation of cabinets and patch panels | TOP SECRET patch panels are installed in individual TOP SECRET cabinets. |
| ISM-1483 | 0.39 | Guidelines for System Hardening › Server application releases | The latest release of internet-facing server applications are used. |
| ISM-0938 | 0.36 | Guidelines for System Hardening › User application selection | User applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe… |
| ISM-1245 | 0.35 | Guidelines for System Hardening › Hardening server application configurations | All temporary installation files and logs created during server application installation processes are removed after server applications have been ins… |
| ISM-1116 | 0.35 | Guidelines for Communications Infrastructure › Physical separation of cabinets and patch panels | A visible gap exists between TOP SECRET cabinets and non-TOP SECRET cabinets. |
| ISM-1743 | 0.34 | Guidelines for System Hardening › Operating system selection | Operating systems are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe… |
| ISM-1818 | 0.33 | Guidelines for Software Development › Web application programming interfaces | Authentication and authorisation of clients is performed when clients call web APIs that facilitate modification of data. |
| ISM-1250 | 0.31 | Guidelines for System Hardening › Restricting privileges for server applications | The accounts under which server applications run have limited access to their underlying server’s file system. |
| ISM-1748 | 0.30 | Guidelines for System Hardening › Hardening user application configurations | Email client security settings cannot be changed by users. |
| ISM-1276 | 0.30 | Guidelines for Database Systems › Web application interaction with databases | Parameterised queries or stored procedures, instead of dynamically generated queries, are used for database interactions. |
| ISM-0401 | 0.28 | Guidelines for Software Development › Secure software design and development | Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used … |
| ISM-0233 | 0.28 | Guidelines for Communications Systems › Cordless telephone systems | Cordless telephone handsets and headsets are not used for sensitive or classified conversations unless all communications are encrypted. |

| Control | Edit distance (normalised) | Location |
|---|---|---|
| ISM-1460 | 0.25 | Guidelines for System Hardening › Functional separation between computing environments |
| ISM-1585 | 0.23 | Guidelines for System Hardening › Hardening user application configurations |
| ISM-1817 | 0.23 | Guidelines for Software Development › Web application programming interfaces |
| ISM-1682 | 0.23 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1392 | 0.23 | Guidelines for System Hardening › Application control |
| ISM-1098 | 0.22 | Guidelines for Communications Infrastructure › Terminating cables in cabinets |
| ISM-0991 | 0.20 | Guidelines for System Monitoring › Event log retention |
| ISM-1114 | 0.16 | Guidelines for Communications Infrastructure › Common cable reticulation systems |
| ISM-1163 | 0.15 | Guidelines for Security Documentation › Continuous monitoring plan |
| ISM-1247 | 0.14 | Guidelines for System Hardening › Hardening server application configurations |
| ISM-1249 | 0.14 | Guidelines for System Hardening › Restricting privileges for server applications |
| ISM-0280 | 0.12 | Guidelines for Evaluated Products › Evaluated product selection |
| ISM-0971 | 0.11 | Guidelines for Software Development › Open Web Application Security Projects |
| ISM-1719 | 0.10 | Guidelines for Communications Infrastructure › Cable colours |
| ISM-0217 | 0.10 | Guidelines for Communications Infrastructure › Physical separation of cabinets and patch panels |
| ISM-1718 | 0.09 | Guidelines for Communications Infrastructure › Cable colours |
| ISM-0677 | 0.06 | Guidelines for Gateways › Validating file integrity |
| ISM-1278 | 0.06 | Guidelines for Database Systems › Web application interaction with databases |

| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for Database Systems | Guidelines for System Hardening | ISM-1245 ISM-1246 ISM-1247 ISM-1249 ISM-1250 ISM-1260 |
| Guidelines for Database Systems | Guidelines for Personnel Security | ISM-1263 |

| Control | Direction | Footprint before → after | Location |
|---|---|---|---|
| ISM-0187 | narrowed | S\|TS → S | Common cable bundles and conduits |
| ISM-0213 | narrowed | NC\|OS\|P\|S\|TS → S\|TS | Terminating cables on patch panels |
| ISM-0216 | narrowed | OS\|P\|S\|TS → TS | Physical separation of cabinets and patch panels |
| ISM-0217 | narrowed | OS\|P\|S\|TS → TS | Physical separation of cabinets and patch panels |
| ISM-1098 | narrowed | NC\|OS\|P\|S\|TS → S | Terminating cables in cabinets |
| ISM-1101 | widened | OS\|P\|S\|TS → NC\|OS\|P\|S\|TS | Connecting cable reticulation systems to cabinets |
| ISM-1103 | widened | OS\|P\|S\|TS → NC\|OS\|P\|S\|TS | Connecting cable reticulation systems to cabinets |
| ISM-1105 | narrowed | NC\|OS\|P\|S\|TS → S\|TS | Wall outlet boxes |
| ISM-1116 | narrowed | OS\|P\|S\|TS → TS | Physical separation of cabinets and patch panels |
| ISM-1119 | widened | OS\|P\|S\|TS → NC\|OS\|P\|S\|TS | Cable inspectability |

| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0189 | NC\|OS\|P\|S\|TS | Guidelines for Communications Infrastructure | Cables only carry a single cable group, unless each cable group belongs to a different subunit. |
| ISM-1104 | NC\|OS\|P\|S\|TS | Guidelines for Communications Infrastructure | Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems. |
| ISM-1251 | NC\|OS\|P\|S\|TS | Guidelines for Database Systems | The ability of DBMS software to read local files from its database server is disabled. |
| ISM-1261 | NC\|OS\|P\|S\|TS | Guidelines for Database Systems | Database administrator accounts are not shared across different databases. |
| ISM-1262 | NC\|OS\|P\|S\|TS | Guidelines for Database Systems | Database administrators have unique and identifiable accounts. |
| ISM-1264 | NC\|OS\|P\|S\|TS | Guidelines for Database Systems | Database administrator access is restricted to defined roles rather than accounts with default administrative permissions or all permissions. |

revision/updated stamp to move (2 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
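The footprint direction column (narrowed/widened), the floor and ceiling columns, and the editorial/clarification/substantive cut-offs in the note above can all be reproduced mechanically, which is how a reader can re-check a row or apply the same classification to a later ISM release. The code below is an added example, not the tooling that generated this page: the level order, the `O`→`OS` and `ALL` aliases and the three thresholds are taken from the note, while the distance function (character-level Levenshtein divided by the longer statement's length) is this example's assumption, since the note does not say which normalisation was used and flags the thresholds as uncalibrated.

```python
LEVELS = ["NC", "OS", "P", "S", "TS"]           # ordered from lowest to highest
ALIASES = {"O": "OS", "ALL": "|".join(LEVELS)}  # scheme normalisation named in the note


def normalise_footprint(fp):
    """Return a footprint as an ordered list of levels, e.g. 'TS|S' -> ['S', 'TS']."""
    text = fp.strip().upper()
    expanded = ALIASES.get(text, text)
    present = {ALIASES.get(part, part) for part in expanded.split("|") if part}
    unknown = present - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown classification level(s): {sorted(unknown)}")
    return [level for level in LEVELS if level in present]


def floor_ceiling(fp):
    """Lowest and highest level a control applies to, as in the Floor/Ceiling columns."""
    levels = normalise_footprint(fp)
    return levels[0], levels[-1]


def footprint_direction(before, after):
    """'narrowed' if the new footprint is a strict subset of the old one,
    'widened' if a strict superset, 'mixed' if levels were both added and dropped."""
    b, a = set(normalise_footprint(before)), set(normalise_footprint(after))
    if a == b:
        return "unchanged"
    if a < b:
        return "narrowed"
    if a > b:
        return "widened"
    return "mixed"


def levenshtein(a, b):
    """Character-level edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalised_distance(a, b):
    """Assumed normalisation: distance divided by the longer string's length."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0


THRESHOLDS = [(0.05, "editorial"), (0.25, "clarification")]  # from the note; >= 0.25 is substantive


def classify_change(before, after):
    """Return (rounded distance, nature) for a statement change."""
    d = normalised_distance(before, after)
    for limit, nature in THRESHOLDS:
        if d < limit:
            return round(d, 2), nature
    return round(d, 2), "substantive"


if __name__ == "__main__":
    print(footprint_direction("S|TS", "S"), floor_ceiling("S|TS"))
    print(classify_change("Cables for individual systems use a consistent colour.",
                          "Cables for individual systems use a consistent color."))
```

Because the note says the thresholds are uncalibrated, treat the nature label as a triage hint: a 0.25 change to a short statement can be a single clause, while a 0.25 change to a long one can rewrite its scope, so the excerpt columns above are still worth reading for anything near a boundary.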