ASD ISM — incremental change analysis
33
Added
26
Substantive
33
Clarification
12
Editorial
11
Relocated
1
Scope changes
27
Removed
1 · Change typology
2 · Classification footprint
Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 58 | 0 |
| SECRET | 0 | 2 |
| PROTECTED | 1 | 0 |
| OFFICIAL: Sensitive | 0 | 4 |
| Non-Classified | 0 | 53 |
3 · Level-specific material changes
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
OS|P | OFFICIAL: Sensitive | PROTECTED | ISM-0248 |
S|TS | SECRET | TOP SECRET | ISM-0249 ISM-1137 |
OS|P|S|TS | OFFICIAL: Sensitive | TOP SECRET | ISM-1884 ISM-1885 ISM-0246 |
4 · Change location by chapter
5 · Control call-outs by category
Added — new controls (33)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1880 | NC|OS|P|S|TS | Guidelines for Cyber Security Incidents › Reporting cyber security incidents to customers and the public | Cyber security incidents that involve customer data are reported to customers and the public in a timely manner after they occur or are discovered. |
| ISM-1881 | NC|OS|P|S|TS | Guidelines for Cyber Security Incidents › Reporting cyber security incidents to customers and the public | Cyber security incidents that do not involve customer data are reported to customers and the public in a timely manner after they occur or are discove… |
| ISM-1882 | NC|OS|P|S|TS | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities | Applications, ICT equipment and services are chosen from suppliers that have demonstrated a commitment to transparency for their products and services… |
| ISM-1883 | NC|OS|P|S|TS | Guidelines for Personnel Security › Privileged access to systems | Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake … |
| ISM-1884 | OS|P|S|TS | Guidelines for Communications Infrastructure › Emanation security doctrine | Emanation security doctrine produced by ASD for the management of emanation security matters is complied with. |
| ISM-1885 | OS|P|S|TS | Guidelines for Communications Infrastructure › Emanation security threat assessments | Recommended actions contained within TEMPEST requirements statements issued for systems are implemented by system owners. |
| ISM-1886 | NC|OS|P|S|TS | Guidelines for Enterprise Mobility › Maintaining mobile device security | Mobile devices are configured to operate in a supervised (or equivalent) mode. |
| ISM-1887 | NC|OS|P|S|TS | Guidelines for Enterprise Mobility › Maintaining mobile device security | Mobile devices are configured with remote locate and wipe functionality. |
| ISM-1888 | NC|OS|P|S|TS | Guidelines for Enterprise Mobility › Maintaining mobile device security | Mobile devices are configured with secure lock screens. |
| ISM-1889 | NC|OS|P|S|TS | Guidelines for System Hardening › Command Shell | Command line process creation events are centrally logged. |
| ISM-1890 | NC|OS|P|S|TS | Guidelines for System Hardening › Microsoft Office macros | Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations. |
| ISM-1891 | NC|OS|P|S|TS | Guidelines for System Hardening › Microsoft Office macros | Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View. |
| ISM-1892 | NC|OS|P|S|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process, store or communicate their or… |
| ISM-1893 | NC|OS|P|S|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisatio… |
| ISM-1894 | NC|OS|P|S|TS | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication used for authenticating users of data repositories is phishing-resistant. |
| ISM-1895 | NC|OS|P|S|TS | Guidelines for System Hardening › Single-factor authentication | Successful and unsuccessful single-factor authentication events are centrally logged. |
| ISM-1896 | NC|OS|P|S|TS | Guidelines for System Hardening › Protecting credentials | Memory integrity functionality is enabled. |
| ISM-1897 | NC|OS|P|S|TS | Guidelines for System Hardening › Protecting credentials | Remote Credential Guard functionality is enabled. |
| ISM-1898 | NC|OS|P|S|TS | Guidelines for System Management › Separate privileged operating environments | Secure Admin Workstations are used in the performance of administrative activities. |
| ISM-1899 | NC|OS|P|S|TS | Guidelines for System Management › Administrative infrastructure | Network devices that do not belong to administrative infrastructure cannot initiate connections with administrative infrastructure. |
| ISM-1900 | NC|OS|P|S|TS | Guidelines for System Management › Scanning for missing patches or updates | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware. |
| ISM-1901 | NC|OS|P|S|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF … |
| ISM-1902 | NC|OS|P|S|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-fa… |
| ISM-1903 | NC|OS|P|S|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed … |
| ISM-1904 | NC|OS|P|S|TS | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed… |
| ISM-1905 | NC|OS|P|S|TS | Guidelines for System Management › Cessation of support | Online services that are no longer supported by vendors are removed. |
| ISM-1906 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events. |
| ISM-1907 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events. |
| ISM-1908 | NC|OS|P|S|TS | Guidelines for Software Development › Reporting and resolving vulnerabilities | Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner. |
| ISM-1909 | NC|OS|P|S|TS | Guidelines for Software Development › Reporting and resolving vulnerabilities | In resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, seek to remediate entire vulnerabi… |
| ISM-1910 | NC|OS|P|S|TS | Guidelines for Software Development › Web application programming interfaces | Web API calls that facilitate modification of data, or access to data not authorised for release into the public domain, are centrally logged. |
| ISM-1911 | NC|OS|P|S|TS | Guidelines for Software Development › Web application event logging | Web application crashes and error messages are centrally logged. |
| ISM-1912 | NC|OS|P|S|TS | Guidelines for Networking › Network documentation | Network documentation includes device settings for all critical servers, high-value servers, network devices and network security appliances. |
Substantive amendments (26)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1702 | 0.74 | Guidelines for System Management › Scanning for missing patches or updates | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, … |
| ISM-1536 | 0.66 | Guidelines for Software Development › Web application interaction with databases | All queries to databases from web applications that are initiated by users, and any resulting crash or error messages, are centrally logged. |
| ISM-1861 | 0.57 | Guidelines for System Hardening › Protecting credentials | Local Security Authority protection functionality is enabled. |
| ISM-0304 | 0.53 | Guidelines for System Management › Cessation of support | Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security p… |
| ISM-1686 | 0.52 | Guidelines for System Hardening › Protecting credentials | Credential Guard functionality is enabled. |
| ISM-1697 | 0.51 | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed … |
| ISM-0249 | 0.41 | Guidelines for Communications Infrastructure › Emanation security threat assessments | System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployable capability, contact ASD for an emanation security threat … |
| ISM-1860 | 0.37 | Guidelines for System Hardening › Hardening user application configurations | PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-0248 | 0.36 | Guidelines for Communications Infrastructure › Emanation security threat assessments | System owners deploying OFFICIAL: Sensitive or PROTECTED systems with radio frequency transmitters (including any wireless capabilities) that will be … |
| ISM-1412 | 0.36 | Guidelines for System Hardening › Hardening user application configurations | Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-1858 | 0.36 | Guidelines for ICT Equipment › Hardening ICT equipment configurations | ICT equipment is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-1409 | 0.35 | Guidelines for System Hardening › Hardening operating system configurations | Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-1246 | 0.34 | Guidelines for System Hardening › Hardening server application configurations | Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-0246 | 0.34 | Guidelines for Communications Infrastructure › Emanation security threat assessments | When an emanation security threat assessment is required, it is sought as early as possible in a system’s life cycle. |
| ISM-1660 | 0.33 | Guidelines for System Hardening › Application control | Allowed and blocked application control events are centrally logged. |
| ISM-1555 | 0.33 | Guidelines for Enterprise Mobility › Before travelling overseas with mobile devices | Before travelling overseas with mobile devices, personnel take the following actions: - record all details of the mobile devices being taken, such as … |
| ISM-1859 | 0.32 | Guidelines for System Hardening › Hardening user application configurations | Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts o… |
| ISM-1511 | 0.32 | Guidelines for System Management › Performing and retaining backups | Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements. |
| ISM-1175 | 0.29 | Guidelines for Personnel Security › Privileged access to systems | Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web service… |
| ISM-1137 | 0.28 | Guidelines for Communications Infrastructure › Emanation security threat assessments | System owners deploying SECRET or TOP SECRET systems within fixed facilities contact ASD for an emanation security threat assessment. |
| ISM-1659 | 0.28 | Guidelines for System Hardening › Application control | Microsoft’s vulnerable driver blocklist is implemented. |
| ISM-1815 | 0.27 | Guidelines for System Monitoring › Centralised event logging facility | Event logs are protected from unauthorised modification and deletion. |
| ISM-1690 | 0.27 | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are a… |
| ISM-1751 | 0.27 | Guidelines for System Management › When to patch vulnerabilities | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network de… |
| ISM-1504 | 0.27 | Guidelines for System Hardening › Multi-factor authentication | Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisatio… |
| ISM-1623 | 0.25 | Guidelines for System Hardening › PowerShell | PowerShell module logging, script block logging and transcription events are centrally logged. |
Clarifications (33)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1544 | 0.23 | Guidelines for System Hardening › Application control |
| ISM-1694 | 0.19 | Guidelines for System Management › When to patch vulnerabilities |
| ISM-1873 | 0.19 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1811 | 0.19 | Guidelines for System Management › Performing and retaining backups |
| ISM-1647 | 0.19 | Guidelines for Personnel Security › Suspension of access to systems |
| ISM-1681 | 0.19 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1874 | 0.18 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1810 | 0.16 | Guidelines for System Management › Performing and retaining backups |
| ISM-1682 | 0.15 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1515 | 0.14 | Guidelines for System Management › Testing restoration of backups |
| ISM-1710 | 0.14 | Guidelines for Networking › Default settings |
| ISM-1872 | 0.14 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1708 | 0.13 | Guidelines for System Management › Backup modification and deletion |
| ISM-1507 | 0.13 | Guidelines for Personnel Security › Privileged access to systems |
| ISM-1509 | 0.12 | Guidelines for Personnel Security › Privileged access to systems |
| ISM-1566 | 0.12 | Guidelines for Personnel Security › Unprivileged access to systems |
| ISM-1613 | 0.12 | Guidelines for Personnel Security › Emergency access to systems |
| ISM-0109 | 0.11 | Guidelines for System Monitoring › Event log monitoring |
| ISM-1703 | 0.10 | Guidelines for System Management › Scanning for missing patches or updates |
| ISM-1508 | 0.10 | Guidelines for Personnel Security › Privileged access to systems |
| ISM-1716 | 0.09 | Guidelines for Personnel Security › Suspension of access to systems |
| ISM-1830 | 0.08 | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers |
| ISM-0863 | 0.08 | Guidelines for Enterprise Mobility › Maintaining mobile device security |
| ISM-0670 | 0.08 | Guidelines for Gateways › Cross Domain Solution event logging |
| ISM-1650 | 0.08 | Guidelines for Personnel Security › Privileged access to systems |
| ISM-1276 | 0.08 | Guidelines for Software Development › Web application interaction with databases |
| ISM-1819 | 0.08 | Guidelines for Cyber Security Incidents › Enacting cyber security incident response plans |
| ISM-1648 | 0.08 | Guidelines for Personnel Security › Suspension of access to systems |
| ISM-1404 | 0.07 | Guidelines for Personnel Security › Suspension of access to systems |
| ISM-0629 | 0.07 | Guidelines for Gateways › System administration of gateways |
| ISM-1677 | 0.07 | Guidelines for System Hardening › Microsoft Office macros |
| ISM-1683 | 0.06 | Guidelines for System Hardening › Multi-factor authentication |
| ISM-1505 | 0.06 | Guidelines for System Hardening › Multi-factor authentication |
Editorial / grammatical (12)
Cosmetic edits (normalised edit distance < 0.05). ISM-0261, ISM-0518, ISM-0582, ISM-0634, ISM-1487, ISM-1537, ISM-1632, ISM-1695, ISM-1704, ISM-1752, ISM-1855, ISM-1879
Relocated (11)
3 cross-chapter moves (listed) · 8 intra-chapter section/topic reshuffles (count only).
| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for Database Systems | Guidelines for Software Development | ISM-1275 ISM-1276 ISM-1278 |
Scope / applicability changes (1)
| Control | Direction | Footprint before → after | Location |
|---|---|---|---|
| ISM-0249 | narrowed | OS|P|S|TS → S|TS | Emanation security threat assessments |
Removed (27)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0247 | S|TS | Guidelines for Communications Infrastructure | System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact ASD for an ema… |
| ISM-1381 | NC|OS|P|S|TS | Guidelines for System Management | Only privileged operating environments can communicate with jump servers. |
| ISM-1388 | NC|OS|P|S|TS | Guidelines for System Management | Only jump servers can communicate with assets requiring administrative activities to be performed. |
| ISM-1651 | NC|OS|P|S|TS | Guidelines for Personnel Security | Privileged access event logs are stored centrally. |
| ISM-1652 | NC|OS|P|S|TS | Guidelines for Personnel Security | Privileged account and group management event logs are stored centrally. |
| ISM-1653 | NC|OS|P|S|TS | Guidelines for Personnel Security | Privileged service accounts are prevented from accessing the internet, email and web services. |
| ISM-1661 | NC|OS|P|S|TS | Guidelines for System Hardening | Allowed and blocked execution events on internet-facing servers are logged. |
| ISM-1662 | NC|OS|P|S|TS | Guidelines for System Hardening | Allowed and blocked execution events on non-internet-facing servers are logged. |
| ISM-1663 | NC|OS|P|S|TS | Guidelines for System Hardening | Application control event logs are stored centrally. |
| ISM-1664 | NC|OS|P|S|TS | Guidelines for System Hardening | Blocked PowerShell script execution events are logged. |
| ISM-1665 | NC|OS|P|S|TS | Guidelines for System Hardening | PowerShell event logs are stored centrally. |
| ISM-1666 | NC|OS|P|S|TS | Guidelines for System Hardening | Internet Explorer 11 does not process content from the internet. |
| ISM-1678 | NC|OS|P|S|TS | Guidelines for System Hardening | Microsoft Office macro event logs are stored centrally. |
| ISM-1684 | NC|OS|P|S|TS | Guidelines for System Hardening | Multi-factor authentication event logs are stored centrally. |
| ISM-1714 | NC|OS|P|S|TS | Guidelines for Personnel Security | Unprivileged access event logs are stored centrally. |
| ISM-1715 | NC|OS|P|S|TS | Guidelines for Personnel Security | Break glass event logs are stored centrally. |
| ISM-1733 | NC|OS|P|S|TS | Guidelines for Personnel Security | Requests for privileged access to data repositories are validated when first requested. |
| ISM-1734 | NC|OS|P|S|TS | Guidelines for Personnel Security | Privileged access to data repositories is automatically disabled after 12 months unless revalidated. |
| ISM-1747 | NC|OS|P|S|TS | Guidelines for System Hardening | Operating system event logs are stored centrally. |
| ISM-1757 | NC|OS|P|S|TS | Guidelines for Software Development | Web application event logs are stored centrally. |
| ISM-1758 | NC|OS|P|S|TS | Guidelines for Database Systems | Database event logs are stored centrally. |
| ISM-1775 | NC|OS|P|S|TS | Guidelines for Gateways | Gateway event logs are stored centrally. |
| ISM-1776 | S|TS | Guidelines for Gateways | CDS event logs are stored centrally. |
| ISM-1777 | NC|OS|P|S|TS | Guidelines for Gateways | Web proxy event logs are stored centrally. |
| ISM-1831 | NC|OS|P|S|TS | Guidelines for System Hardening | Microsoft AD DS event logs are stored centrally. |
| ISM-1853 | NC|OS|P|S|TS | Guidelines for Personnel Security | Privileged access to data repositories is limited to only what is required for users and services to undertake their duties. |
| ISM-1856 | NC|OS|P|S|TS | Guidelines for Communications Systems | MFD event logs are stored centrally. |
Method. Controls only (ISM-principles excluded). A content modification requires ASD's native
revision/updated stamp to move (0 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026