ISMexplorer · ASD ISM — incremental change analysis
ASD changes summary: not available online (pre-June-2024 or errata release)
1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 19 | 0 |
| SECRET | 0 | 0 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 0 | 19 |
3 · Level-specific material changes
No level-specific material changes — every added/substantive control applies at all classifications (NC|OS|P|S|TS).
4 · Change location by chapter

5 · Control call-outs by category
Added — new controls (12)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1852 | NC\|OS\|P\|S\|TS | Guidelines for Personnel Security › Unprivileged access to systems | Unprivileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their dutie… |
| ISM-1853 | NC\|OS\|P\|S\|TS | Guidelines for Personnel Security › Privileged access to systems | Privileged access to data repositories is limited to only what is required for users and services to undertake their duties. |
| ISM-1854 | NC\|OS\|P\|S\|TS | Guidelines for Communications Systems › Authenticating to multifunction devices | Users authenticate to MFDs before they can print, scan or copy documents. |
| ISM-1855 | NC\|OS\|P\|S\|TS | Guidelines for Communications Systems › Auditing multifunction device use | Use of MFDs for printing, scanning and copying purposes, including the capture of shadow copies of documents, are logged. |
| ISM-1856 | NC\|OS\|P\|S\|TS | Guidelines for Communications Systems › Auditing multifunction device use | MFD event logs are stored centrally. |
| ISM-1857 | NC\|OS\|P\|S\|TS | Guidelines for ICT Equipment › ICT equipment selection | ICT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe prog… |
| ISM-1858 | NC\|OS\|P\|S\|TS | Guidelines for ICT Equipment › Hardening ICT equipment configurations | ACSC and vendor hardening guidance for ICT equipment is implemented. |
| ISM-1859 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Hardening user application configurations | ACSC or vendor hardening guidance for office productivity suites is implemented. |
| ISM-1860 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Hardening user application configurations | ACSC or vendor hardening guidance for PDF software is implemented. |
| ISM-1861 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Protecting credentials | Protective Process Light for LSASS is enabled with a UEFI lock. |
| ISM-1862 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Web application firewalls | If using a WAF, disclosing the IP addresses of web servers under an organisation’s control (referred to as origin servers) is avoided and access to th… |
| ISM-1863 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Networked management interfaces | Networked management interfaces for ICT equipment are not directly exposed to the internet. |
Substantive amendments (7)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0590 | 0.76 | Guidelines for Communications Systems › Authenticating to multifunction devices | Authentication measures for MFDs are the same strength as those used for workstations on networks they are connected to. |
| ISM-1431 | 0.63 | Guidelines for Networking › Denial-of-service attack mitigation strategies | Denial-of-service attack mitigation strategies are discussed with cloud service providers, specifically: * their capacity to withstand denial-of-servi… |
| ISM-1693 | 0.54 | Guidelines for System Management › When to patch security vulnerabilities | Patches, updates or vendor mitigations for security vulnerabilities in applications other than office productivity suites, web browsers and their exte… |
| ISM-1409 | 0.44 | Guidelines for System Hardening › Hardening operating system configurations | ACSC and vendor hardening guidance for operating systems is implemented. |
| ISM-1700 | 0.38 | Guidelines for System Management › Scanning for missing patches or updates | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in applications other than of… |
| ISM-0140 | 0.35 | Guidelines for Cyber Security Incidents › Reporting cyber security incidents to the ACSC | Cyber security incidents are reported to the ACSC as soon as possible after they occur or are discovered. |
| ISM-1163 | 0.25 | Guidelines for Security Documentation › Continuous monitoring plan | Systems have a continuous monitoring plan that includes: * conducting vulnerability scans for systems at least fortnightly * conducting vulnerability … |
Clarifications (22)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1579 | 0.23 | Guidelines for Networking › Capacity and availability planning and monitoring for online services |
| ISM-0289 | 0.23 | Guidelines for Evaluated Products › Using evaluated products |
| ISM-0589 | 0.23 | Guidelines for Communications Systems › Scanning and copying documents on multifunction devices |
| ISM-0290 | 0.22 | Guidelines for Evaluated Products › Using evaluated products |
| ISM-1412 | 0.21 | Guidelines for System Hardening › Hardening user application configurations |
| ISM-1403 | 0.20 | Guidelines for System Hardening › Account lockouts |
| ISM-1572 | 0.19 | Guidelines for Procurement and Outsourcing › Contractual security requirements with service providers |
| ISM-1752 | 0.16 | Guidelines for System Management › Scanning for missing patches or updates |
| ISM-1436 | 0.15 | Guidelines for Networking › Denial-of-service attack mitigation strategies |
| ISM-1751 | 0.14 | Guidelines for System Management › When to patch security vulnerabilities |
| ISM-1026 | 0.12 | Guidelines for Email › DomainKeys Identified Mail |
| ISM-1385 | 0.11 | Guidelines for System Management › Administrative infrastructure |
| ISM-1795 | 0.10 | Guidelines for System Hardening › Setting credentials for break glass accounts, local administrator accounts and service accounts |
| ISM-1685 | 0.09 | Guidelines for System Hardening › Setting credentials for break glass accounts, local administrator accounts and service accounts |
| ISM-1590 | 0.08 | Guidelines for System Hardening › Changing credentials |
| ISM-0574 | 0.08 | Guidelines for Email › Sender Policy Framework |
| ISM-1581 | 0.07 | Guidelines for Networking › Capacity and availability planning and monitoring for online services |
| ISM-1183 | 0.07 | Guidelines for Email › Sender Policy Framework |
| ISM-1540 | 0.07 | Guidelines for Email › Domain-based Message Authentication, Reporting and Conformance |
| ISM-1681 | 0.06 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-0665 | 0.05 | Guidelines for Data Transfers › Authorising export of data |
| ISM-0123 | 0.05 | Guidelines for Cyber Security Incidents › Reporting cyber security incidents |
Editorial / grammatical (3)
Cosmetic edits (normalised edit distance < 0.05): ISM-0142, ISM-1246, ISM-1432
Relocated (13)
0 cross-chapter moves (listed) · 13 intra-chapter section/topic reshuffles (count only).
Scope / applicability changes (0)
No control changed its classification reach this release.
Removed (6)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0292 | S\|TS | Guidelines for Evaluated Products | High assurance ICT equipment is always operated in an evaluated configuration. |
| ISM-1435 | NC\|OS\|P\|S\|TS | Guidelines for Networking | Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact. |
| ISM-1441 | NC\|OS\|P\|S\|TS | Guidelines for Networking | Where a requirement for high availability exists for online services, a denial of service mitigation service is used. |
| ISM-1458 | NC\|OS\|P\|S\|TS | Guidelines for Networking | The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-s… |
| ISM-1518 | NC\|OS\|P\|S\|TS | Guidelines for Networking | A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service … |
| ISM-1578 | NC\|OS\|P\|S\|TS | Guidelines for Networking | An organisation is notified by cloud service providers of any change to configured regions or availability zones for online services. |
Method. Controls only (ISM principles excluded). A content modification is counted only when ASD's native revision/updated stamp changes (1 prose-only re-render excluded as format noise). Relocation compares case- and spelling-normalised chapter › section › topic paths. Nature = normalised edit distance (editorial < 0.05, clarification < 0.25, substantive ≥ 0.25; thresholds uncalibrated). Footprints normalised across schemes (O → OS, ALL → NC|OS|P|S|TS); NC imputed for pre-Dec-2024 releases.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026