ISMexplorer
ASD ISM — incremental change analysis
ASD changes summary: not available online (pre-June-2024 or errata release)
1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 32 | 0 |
| SECRET | 0 | 3 |
| PROTECTED | 3 | 0 |
| OFFICIAL: Sensitive | 0 | 5 |
| Non-Classified | 0 | 27 |
3 · Level-specific material changes
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| OS\|P | OFFICIAL: Sensitive | PROTECTED | ISM-1866 ISM-1867 ISM-1400 |
| S\|TS | SECRET | TOP SECRET | ISM-1868 ISM-0687 ISM-1802 |
| OS\|P\|S\|TS | OFFICIAL: Sensitive | TOP SECRET | ISM-0249 ISM-1482 |
4 · Change location by chapter

5 · Control call-outs by category
Added — new controls (16)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1864 | NC\|OS\|P\|S\|TS | Guidelines for Personnel Security › System usage policy | A system usage policy is developed, implemented and maintained. |
| ISM-1865 | NC\|OS\|P\|S\|TS | Guidelines for Personnel Security › System access requirements | Personnel agree to abide by usage policies associated with a system and its resources before being granted access to the system and its resources. |
| ISM-1866 | OS\|P | Guidelines for Enterprise Mobility › Privately-owned mobile devices and desktop computers | Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers are prevented from stor… |
| ISM-1867 | OS\|P | Guidelines for Enterprise Mobility › Approved mobile platforms | Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation agai… |
| ISM-1868 | S\|TS | Guidelines for Enterprise Mobility › Data storage | SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD. |
| ISM-1869 | NC\|OS\|P\|S\|TS | Guidelines for ICT Equipment › ICT equipment registers | A non-networked ICT equipment register is developed, implemented, maintained and verified on a regular basis. |
| ISM-1870 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Application control | Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients. |
| ISM-1871 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Application control | Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clien… |
| ISM-1872 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication used for online services is phishing-resistant. |
| ISM-1873 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication provided for online customer services offers a phishing-resistant option. |
| ISM-1874 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication provided for online customer services is phishing-resistant. |
| ISM-1875 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Protecting credentials | Networks are scanned at least monthly to identify any credentials that are being stored in the clear. |
| ISM-1876 | NC\|OS\|P\|S\|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are as… |
| ISM-1877 | NC\|OS\|P\|S\|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices a… |
| ISM-1878 | NC\|OS\|P\|S\|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network de… |
| ISM-1879 | NC\|OS\|P\|S\|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware are applied within 48 hours of release when vulnerabilities a… |
Substantive amendments (19)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1299 | 0.89 | Guidelines for Enterprise Mobility › Personnel awareness | Personnel are advised to take the following precautions when using mobile devices: - never leave mobile devices or removable media unattended, includi… |
| ISM-0687 | 0.73 | Guidelines for Enterprise Mobility › Approved mobile platforms | Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated… |
| ISM-1802 | 0.73 | Guidelines for Cryptography › Approved High Assurance Cryptographic Equipment | HACE are issued an Approval for Use by ASD and operated in accordance with the latest version of their associated Australian Communications Security I… |
| ISM-1859 | 0.62 | Guidelines for System Hardening › Hardening user application configurations | Office productivity suites are hardened using ASD and vendor hardening guidance. |
| ISM-0407 | 0.58 | Guidelines for Personnel Security › Recording authorisation for personnel to access systems | A secure record is maintained for the life of each system covering the following for each user: - their user identification - their signed agreement t… |
| ISM-1482 | 0.57 | Guidelines for Enterprise Mobility › Organisation-owned mobile devices and desktop computers | Personnel accessing systems or data using an organisation-owned mobile device or desktop computer are either prohibited from using it for personal pur… |
| ISM-1246 | 0.55 | Guidelines for System Hardening › Hardening server application configurations | Server applications are hardened using ASD and vendor hardening guidance. |
| ISM-1412 | 0.55 | Guidelines for System Hardening › Hardening user application configurations | Web browsers are hardened using ASD and vendor hardening guidance. |
| ISM-1195 | 0.54 | Guidelines for Enterprise Mobility › Mobile device management policy | Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, versi… |
| ISM-1860 | 0.54 | Guidelines for System Hardening › Hardening user application configurations | PDF software is hardened using ASD and vendor hardening guidance. |
| ISM-1681 | 0.54 | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication is used by default to authenticate users to online customer services that process, store or communicate sensitive data, ho… |
| ISM-1409 | 0.54 | Guidelines for System Hardening › Hardening operating system configurations | Operating systems are hardened using ASD and vendor hardening guidance. |
| ISM-0249 | 0.53 | Guidelines for Communications Infrastructure › Emanation security threat assessments outside Australia | System owners deploying systems or military platforms overseas contact ASD for an emanation security threat assessment and implement any additional in… |
| ISM-1858 | 0.51 | Guidelines for ICT Equipment › Hardening ICT equipment configurations | ICT equipment is hardened using ASD and vendor hardening guidance. |
| ISM-1696 | 0.47 | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-fa… |
| ISM-1695 | 0.35 | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-fa… |
| ISM-0720 | 0.32 | Guidelines for Cyber Security Roles › Communicating a cyber security vision and strategy | The CISO oversees the development, implementation and maintenance of a cyber security communications strategy to assist in communicating the cyber sec… |
| ISM-1400 | 0.28 | Guidelines for Enterprise Mobility › Privately-owned mobile devices and desktop computers | Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separatio… |
| ISM-0408 | 0.28 | Guidelines for System Hardening › Logon banner | Systems have a logon banner that reminds users of their security responsibilities when accessing the system and its resources. |
Clarifications (36)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1504 | 0.24 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1690 | 0.24 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-1694 | 0.24 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-0499 | 0.23 | Guidelines for Cryptography › Communications security doctrine |
| ISM-0370 | 0.20 | Guidelines for Media › Supervision of destruction |
| ISM-1692 | 0.19 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-0372 | 0.19 | Guidelines for Media › Supervision of accountable material destruction |
| ISM-1697 | 0.19 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-1702 | 0.18 | Guidelines for System Management › Scanning for missing patches or updates |
| ISM-1627 | 0.18 | Guidelines for Networking › Blocking anonymity network traffic |
| ISM-1861 | 0.16 | Guidelines for System Hardening › Protecting credentials |
| ISM-1679 | 0.15 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1682 | 0.15 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1680 | 0.14 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1751 | 0.13 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-1701 | 0.12 | Guidelines for System Management › Scanning for missing patches or updates |
| ISM-0576 | 0.12 | Guidelines for Cyber Security Incidents › Cyber security incident management policy |
| ISM-1784 | 0.12 | Guidelines for Cyber Security Incidents › Cyber security incident management policy |
| ISM-0694 | 0.12 | Guidelines for Enterprise Mobility › Privately-owned mobile devices and desktop computers |
| ISM-1297 | 0.10 | Guidelines for Enterprise Mobility › Privately-owned mobile devices and desktop computers |
| ISM-0520 | 0.10 | Guidelines for Networking › Network access controls |
| ISM-1698 | 0.09 | Guidelines for System Management › Scanning for missing patches or updates |
| ISM-0460 | 0.08 | Guidelines for Cryptography › Encrypting data at rest |
| ISM-0926 | 0.07 | Guidelines for Communications Infrastructure › Cable colours |
| ISM-0300 | 0.07 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-0874 | 0.07 | Guidelines for Enterprise Mobility › Connecting mobile devices and desktop computers to the internet |
| ISM-0306 | 0.07 | Guidelines for ICT Equipment › On-site maintenance and repairs |
| ISM-1819 | 0.06 | Guidelines for Cyber Security Incidents › Enacting cyber security incident response plans |
| ISM-1107 | 0.06 | Guidelines for Communications Infrastructure › Wall outlet box colours |
| ISM-0810 | 0.06 | Guidelines for Physical Security › Physical access to systems |
| ISM-1213 | 0.06 | Guidelines for Cyber Security Incidents › Handling and containing intrusions |
| ISM-1505 | 0.06 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1182 | 0.06 | Guidelines for Networking › Network access controls |
| ISM-0307 | 0.06 | Guidelines for ICT Equipment › On-site maintenance and repairs |
| ISM-1754 | 0.05 | Guidelines for Software Development › Resolving vulnerabilities |
| ISM-1704 | 0.05 | Guidelines for System Management › Cessation of support |
Editorial / grammatical (33)
Cosmetic edits (normalised edit distance < 0.05). ISM-0043, ISM-0140, ISM-0247, ISM-0248, ISM-0286, ISM-0290, ISM-0296, ISM-0321, ISM-0336, ISM-0402, ISM-0445, ISM-0467, ISM-0597, ISM-0734, ISM-1053, ISM-1079, ISM-1088, ISM-1137, ISM-1163, ISM-1196, ISM-1198, ISM-1199, ISM-1200, ISM-1520, ISM-1530, ISM-1606, ISM-1691, ISM-1693, ISM-1699, ISM-1700, ISM-1703, ISM-1717, ISM-1752
Relocated (38)
0 cross-chapter moves (listed) · 38 intra-chapter section/topic reshuffles (count only).
Scope / applicability changes (2)
| Control | Direction | Footprint before → after | Location |
|---|---|---|---|
| ISM-0372 | widened | OS\|P\|S\|TS → NC\|OS\|P\|S\|TS | Supervision of accountable material destruction |
| ISM-0373 | widened | OS\|P\|S\|TS → NC\|OS\|P\|S\|TS | Supervision of accountable material destruction |
Removed (1)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0979 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening | Legal advice is sought on the exact wording of logon banners. |
Method. Controls only (ISM-principles excluded). A content modification is counted only when ASD's native revision/updated stamp moves (1 prose-only re-render excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25; thresholds uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026