ISMexplorer
ASD ISM — incremental change analysis
1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 10 | 0 |
| SECRET | 0 | 1 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 0 | 9 |
3 · Level-specific material changes
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| S\|TS | SECRET | TOP SECRET | ISM-1535 |
4 · Change location by chapter

5 · Control call-outs by category
Added — new controls (7)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1918 | NC\|OS\|P\|S\|TS | Guidelines for Cyber Security Roles › Reporting on cyber security | The CISO regularly reports directly to their organisation’s audit, risk and compliance committee (or equivalent) on cyber security matters. |
| ISM-1919 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Multi-factor authentication | When multi-factor authentication is used to authenticate users or customers to online services or online customer services, all other authentication p… |
| ISM-1920 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Multi-factor authentication | When multi-factor authentication is used to authenticate users to online services, online customer services, systems or data repositories – that proce… |
| ISM-1921 | NC\|OS\|P\|S\|TS | Guidelines for System Management › Scanning for unmitigated vulnerabilities | The likelihood of system compromise is frequently assessed when working exploits exist for unmitigated vulnerabilities. |
| ISM-1922 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applica… |
| ISM-1923 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications. |
| ISM-1924 | NC\|OS\|P\|S\|TS | Guidelines for Software Development › Secure software design and development | Large language model applications evaluate the sentence perplexity of user prompts to detect and mitigate adversarial suffixes designed to assist in t… |
Substantive amendments (3)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0041 | 0.62 | Guidelines for Security Documentation › System security plan | Systems have a system security plan that includes an overview of the system (covering the system’s purpose, the system boundary and how the system is … |
| ISM-1327 | 0.37 | Guidelines for Networking › Generating and issuing certificates for authentication | Certificates are protected by logical and physical access controls, encryption, and user authentication. |
| ISM-1535 | 0.33 | Guidelines for Data Transfers › Data transfer processes and procedures | Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in textual and non-textual format… |
Clarifications (15)
| Control | Edit dist | Location |
|---|---|---|
| ISM-0714 | 0.25 | Guidelines for Cyber Security Roles › Providing cyber security leadership and guidance |
| ISM-1625 | 0.19 | Guidelines for Cyber Security Incidents › Insider threat mitigation program |
| ISM-0718 | 0.18 | Guidelines for Cyber Security Roles › Reporting on cyber security |
| ISM-1626 | 0.13 | Guidelines for Cyber Security Incidents › Insider threat mitigation program |
| ISM-0286 | 0.11 | Guidelines for Evaluated Products › Delivery of evaluated products |
| ISM-1789 | 0.11 | Guidelines for Procurement and Outsourcing › Sourcing applications, IT equipment, OT equipment and services |
| ISM-1787 | 0.09 | Guidelines for Procurement and Outsourcing › Sourcing applications, IT equipment, OT equipment and services |
| ISM-1631 | 0.08 | Guidelines for Procurement and Outsourcing › Cyber supply chain risk management activities |
| ISM-0332 | 0.07 | Guidelines for Media › Labelling media |
| ISM-1790 | 0.07 | Guidelines for Procurement and Outsourcing › Delivery of applications, IT equipment, OT equipment and services |
| ISM-0585 | 0.07 | Guidelines for System Monitoring › Event log details |
| ISM-1788 | 0.07 | Guidelines for Procurement and Outsourcing › Sourcing applications, IT equipment, OT equipment and services |
| ISM-1791 | 0.06 | Guidelines for Procurement and Outsourcing › Delivery of applications, IT equipment, OT equipment and services |
| ISM-1792 | 0.06 | Guidelines for Procurement and Outsourcing › Delivery of applications, IT equipment, OT equipment and services |
| ISM-1589 | 0.06 | Guidelines for Email › Email server transport encryption |
Editorial / grammatical (55)
Cosmetic edits (normalised edit distance < 0.05). ISM-0161, ISM-0218, ISM-0229, ISM-0250, ISM-0290, ISM-0293, ISM-0294, ISM-0296, ISM-0300, ISM-0305, ISM-0306, ISM-0307, ISM-0310, ISM-0311, ISM-0312, ISM-0313, ISM-0315, ISM-0316, ISM-0321, ISM-0336, ISM-0402, ISM-0462, ISM-0520, ISM-0622, ISM-1073, ISM-1079, ISM-1123, ISM-1216, ISM-1217, ISM-1218, ISM-1323, ISM-1452, ISM-1471, ISM-1479, ISM-1493, ISM-1550, ISM-1551, ISM-1568, ISM-1576, ISM-1598, ISM-1599, ISM-1632, ISM-1741, ISM-1742, ISM-1751, ISM-1752, ISM-1753, ISM-1809, ISM-1857, ISM-1858, ISM-1863, ISM-1869, ISM-1878, ISM-1882, ISM-1913
Relocated (82)
38 cross-chapter moves (listed) · 44 intra-chapter section/topic reshuffles (count only).
| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for ICT Equipment | Guidelines for Information Technology Equipment | ISM-0293 ISM-0294 ISM-0296 ISM-0305 ISM-0306 ISM-0307 ISM-0310 ISM-0311 ISM-0312 ISM-0313 ISM-0315 ISM-0316 ISM-0317 ISM-0318 ISM-0321 ISM-0336 ISM-1076 ISM-1079 ISM-1217 ISM-1218 ISM-1219 ISM-1220 ISM-1221 ISM-1222 ISM-1223 ISM-1225 ISM-1226 ISM-1534 ISM-1550 ISM-1551 ISM-1598 ISM-1599 ISM-1741 ISM-1742 ISM-1857 ISM-1858 ISM-1869 ISM-1913 |
Scope / applicability changes (0)
No control changed its classification reach this release.
Removed (0)
None.
Method. Controls only (ISM-principles excluded). A content modification requires ASD's native revision/updated stamp to move (2 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026