ASD ISM — incremental change analysis
31
Added
9
Substantive
18
Clarification
21
Editorial
11
Relocated
0
Scope changes
4
Removed
1 · Change typology
2 · Classification footprint
Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 31 | 4 |
| SECRET | 4 | 0 |
| PROTECTED | 2 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 3 | 36 |
3 · Level-specific material changes
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
NC | Non-Classified | Non-Classified | ISM-1973 ISM-1974 ISM-1975 |
TS | TOP SECRET | TOP SECRET | ISM-1967 ISM-1968 ISM-1971 ISM-1972 |
NC|OS|P | Non-Classified | PROTECTED | ISM-0421 ISM-1559 |
NC|OS|P|S | Non-Classified | SECRET | ISM-1112 ISM-1570 ISM-1636 ISM-1793 |
4 · Change location by chapter
5 · Control call-outs by category
Added — new controls (31)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1966 | NC|OS|P|S|TS | Guidelines for Cyber Security Roles › Overseeing the cyber security program | The CISO develops, implements, maintains and verifies on a regular basis a register of systems used by their organisation. |
| ISM-1967 | TS | Guidelines for Cyber Security Roles › Protecting systems and their resources | System owners ensure controls for each TOP SECRET system and its operating environment, including each sensitive compartmented information system and … |
| ISM-1968 | TS | Guidelines for Cyber Security Roles › Protecting systems and their resources | System owners obtain authorisation to operate each TOP SECRET system, including each sensitive compartmented information system, from Director-General… |
| ISM-1969 | NC|OS|P|S|TS | Guidelines for Cyber Security Incidents › Handling and containing malicious code infections | Malicious code, when stored or communicated, is treated beforehand to prevent accidental execution. |
| ISM-1970 | NC|OS|P|S|TS | Guidelines for Cyber Security Incidents › Handling and containing malicious code infections | Malicious code processed for cyber security incident response or research purposes is done so in a dedicated analysis environment that is segregated f… |
| ISM-1971 | TS | Guidelines for Procurement and Outsourcing › Assessment of managed service providers | Managed service providers and their TOP SECRET managed services, including sensitive compartmented information managed services, undergo a security as… |
| ISM-1972 | TS | Guidelines for Procurement and Outsourcing › Assessment of outsourced cloud service providers | Outsourced cloud service providers and their TOP SECRET cloud services, including sensitive compartmented information cloud services, undergo a securi… |
| ISM-1973 | NC | Guidelines for Physical Security › Physical access to systems | Non-classified systems are secured in suitably secure facilities. |
| ISM-1974 | NC | Guidelines for Physical Security › Physical access to servers, network devices and cryptographic equipment | Non-classified servers, network devices and cryptographic equipment are secured in suitably secure server rooms or communications rooms. |
| ISM-1975 | NC | Guidelines for Physical Security › Physical access to servers, network devices and cryptographic equipment | Non-classified servers, network devices and cryptographic equipment are secured in suitably secure security containers. |
| ISM-1976 | NC|OS|P|S|TS | Guidelines for System Hardening › Operating system event logging | Security-relevant events for Apple macOS operating systems are centrally logged. |
| ISM-1977 | NC|OS|P|S|TS | Guidelines for System Hardening › Operating system event logging | Security-relevant events for Linux operating systems are centrally logged. |
| ISM-1978 | NC|OS|P|S|TS | Guidelines for System Hardening › Server application event logging | Security-relevant events for server applications on internet-facing servers are centrally logged. |
| ISM-1979 | NC|OS|P|S|TS | Guidelines for System Hardening › Server application event logging | Security-relevant events for server applications on non-internet-facing servers are centrally logged. |
| ISM-1980 | NC|OS|P|S|TS | Guidelines for System Hardening › Protecting credentials | Credential hint functionality is not used for systems. |
| ISM-1981 | NC|OS|P|S|TS | Guidelines for System Management › Cessation of support | Non-internet-facing network devices that are no longer supported by vendors are replaced. |
| ISM-1982 | NC|OS|P|S|TS | Guidelines for System Management › Cessation of support | Networked IT equipment that is no longer supported by vendors is replaced. |
| ISM-1983 | NC|OS|P|S|TS | Guidelines for System Monitoring › Centralised event logging facility | Event logs sent to a centralised event logging facility are done so as soon as possible after they occur. |
| ISM-1984 | NC|OS|P|S|TS | Guidelines for System Monitoring › Centralised event logging facility | Event logs sent to a centralised event logging facility are encrypted in transit. |
| ISM-1985 | NC|OS|P|S|TS | Guidelines for System Monitoring › Centralised event logging facility | Event logs are protected from unauthorised access. |
| ISM-1986 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from critical servers are analysed in a timely manner to detect cyber security events. |
| ISM-1987 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from security products are analysed in a timely manner to detect cyber security events. |
| ISM-1988 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log retention | Event logs are retained in a searchable manner for at least 12 months. |
| ISM-1989 | NC|OS|P|S|TS | Guidelines for System Monitoring › Event log retention | Event logs are retained as per minimum retention requirements for various classes of records as set out by the National Archives of Australia’s Admini… |
| ISM-1990 | NC|OS|P|S|TS | Guidelines for Cryptography › Using post-quantum cryptographic algorithms | When using ML-DSA and ML-KEM, as per FIPS 204 and FIPS 203 respectively, adherence to pre-requisite FIPS publications is preferred. |
| ISM-1991 | NC|OS|P|S|TS | Guidelines for Cryptography › Using the Module-Lattice-Based Digital Signature Algorithm | When using ML-DSA for digital signatures, ML-DSA-65 or ML-DSA-87 is used, preferably ML-DSA-87. |
| ISM-1992 | NC|OS|P|S|TS | Guidelines for Cryptography › Using the Module-Lattice-Based Digital Signature Algorithm | When using ML-DSA for digital signatures, the hedged variant is used whenever possible. |
| ISM-1993 | NC|OS|P|S|TS | Guidelines for Cryptography › Using the Module-Lattice-Based Digital Signature Algorithm | Pre-hashed variants of ML-DSA-65 and ML-DSA-87 are only used when the performance of default variants is unacceptable. |
| ISM-1994 | NC|OS|P|S|TS | Guidelines for Cryptography › Using the Module-Lattice-Based Digital Signature Algorithm | When the pre-hashed variants of ML-DSA-65 and ML-DSA-87 are used, at least SHA-384 and SHA-512 respectively are used for pre-hashing. |
| ISM-1995 | NC|OS|P|S|TS | Guidelines for Cryptography › Using the Module-Lattice-Based Key Encapsulation Mechanism | When using ML-KEM for encapsulating encryption session keys (and similar keys), ML-KEM-768 or ML-KEM-1024 is used, preferably ML-KEM-1024. |
| ISM-1996 | NC|OS|P|S|TS | Guidelines for Cryptography › Post-quantum traditional hybrid schemes | When a post-quantum traditional hybrid scheme is used, either the post-quantum cryptographic algorithm, the traditional cryptographic algorithm or bot… |
Substantive amendments (9)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0582 | 0.76 | Guidelines for System Hardening › Operating system event logging | Security-relevant events for Microsoft Windows operating systems are centrally logged. |
| ISM-1793 | 0.63 | Guidelines for Procurement and Outsourcing › Assessment of managed service providers | Managed service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET managed services undergo an Infosec Registered Assessor … |
| ISM-1917 | 0.60 | Guidelines for Cryptography › Transitioning to post-quantum cryptography | The development and procurement of new cryptographic equipment and software ensures support for the use of ML-DSA-87, ML-KEM-1024, SHA-384, SHA-512 an… |
| ISM-1570 | 0.60 | Guidelines for Procurement and Outsourcing › Assessment of outsourced cloud service providers | Outsourced cloud service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET cloud services undergo an IRAP assessment, usin… |
| ISM-1112 | 0.44 | Guidelines for Communications Infrastructure › Cable inspectability | Cables in non-TOP SECRET areas are inspectable every five metres or less. |
| ISM-1405 | 0.43 | Guidelines for System Monitoring › Centralised event logging facility | A centralised event logging facility is implemented. |
| ISM-1559 | 0.38 | Guidelines for System Hardening › Multi-factor authentication | Memorised secrets used for multi-factor authentication on non-classified, OFFICIAL: Sensitive and PROTECTED systems are a minimum of 6 characters. |
| ISM-1636 | 0.30 | Guidelines for Cyber Security Roles › Protecting systems and their resources | System owners ensure controls for each system and its operating environment undergo a security assessment by their organisation’s own assessors or Inf… |
| ISM-0421 | 0.30 | Guidelines for System Hardening › Single-factor authentication | Passphrases used for single-factor authentication on non-classified, OFFICIAL: Sensitive and PROTECTED systems are at least 4 random words with a tota… |
Clarifications (18)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1753 | 0.23 | Guidelines for System Management › Cessation of support |
| ISM-1482 | 0.21 | Guidelines for Enterprise Mobility › Organisation-owned mobile devices and desktop computers |
| ISM-1607 | 0.20 | Guidelines for System Hardening › Functional separation between computing environments |
| ISM-0027 | 0.15 | Guidelines for Cyber Security Roles › Protecting systems and their resources |
| ISM-0813 | 0.11 | Guidelines for Physical Security › Physical access to servers, network devices and cryptographic equipment |
| ISM-0477 | 0.09 | Guidelines for Cryptography › Using Rivest-Shamir-Adleman |
| ISM-0926 | 0.09 | Guidelines for Communications Infrastructure › Cable colours |
| ISM-1074 | 0.08 | Guidelines for Physical Security › Physical access to servers, network devices and cryptographic equipment |
| ISM-1107 | 0.08 | Guidelines for Communications Infrastructure › Wall outlet box colours |
| ISM-1530 | 0.07 | Guidelines for Physical Security › Physical access to servers, network devices and cryptographic equipment |
| ISM-0476 | 0.06 | Guidelines for Cryptography › Using Rivest-Shamir-Adleman |
| ISM-1765 | 0.06 | Guidelines for Cryptography › Using Rivest-Shamir-Adleman |
| ISM-1199 | 0.06 | Guidelines for Enterprise Mobility › Using Bluetooth functionality |
| ISM-1766 | 0.06 | Guidelines for Cryptography › Using Secure Hashing Algorithms |
| ISM-1767 | 0.06 | Guidelines for Cryptography › Using Secure Hashing Algorithms |
| ISM-1768 | 0.06 | Guidelines for Cryptography › Using Secure Hashing Algorithms |
| ISM-0810 | 0.05 | Guidelines for Physical Security › Physical access to systems |
| ISM-1196 | 0.05 | Guidelines for Enterprise Mobility › Using Bluetooth functionality |
Editorial / grammatical (21)
Cosmetic edits (normalised edit distance < 0.05). ISM-0380, ISM-0383, ISM-0418, ISM-0520, ISM-1053, ISM-1146, ISM-1198, ISM-1200, ISM-1247, ISM-1249, ISM-1250, ISM-1260, ISM-1304, ISM-1400, ISM-1403, ISM-1493, ISM-1554, ISM-1555, ISM-1556, ISM-1806, ISM-1809
Relocated (11)
0 cross-chapter moves (listed) · 11 intra-chapter section/topic reshuffles (count only).
Scope / applicability changes (0)
No control changed its classification reach this release.
Removed (4)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0248 | OS|P | Guidelines for Communications Infrastructure | System owners deploying OFFICIAL: Sensitive or PROTECTED systems with radio frequency transmitters (including any wireless capabilities) that will be … |
| ISM-0859 | NC|OS|P|S|TS | Guidelines for System Monitoring | Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years. |
| ISM-0991 | NC|OS|P|S|TS | Guidelines for System Monitoring | Event logs for Domain Name System services and web proxies are retained for at least 18 months. |
| ISM-1677 | NC|OS|P|S|TS | Guidelines for System Hardening | Allowed and blocked Microsoft Office macro execution events are centrally logged. |
Method. Controls only (ISM-principles excluded). A content modification requires ASD's native
revision/updated stamp to move (0 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026