| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 36 | 1 |
| SECRET | 1 | 3 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 0 | 33 |

| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| TS | TOP SECRET | TOP SECRET | ISM-2019 |
| S\|TS | SECRET | TOP SECRET | ISM-2007 ISM-2008 ISM-2009 |
| NC\|OS\|P\|S | Non-Classified | SECRET | ISM-0100 |

| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0912 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity documentation › Change and configuration management plan | Systems have a change and configuration management plan that includes: - what constitutes routine and urgent changes to the configuration of systems -… |
| ISM-1997 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Embedding cybersecurity | The board of directors or executive committee defines clear roles and responsibilities for cybersecurity both within the board of directors or executi… |
| ISM-1998 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Embedding cybersecurity | The board of directors or executive committee ensures that cybersecurity is integrated throughout all business functions within their organisation. |
| ISM-1999 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Embedding cybersecurity | The board of directors or executive committee ensures the cybersecurity strategy for their organisation is aligned with the overarching strategic dire… |
| ISM-2000 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Embedding cybersecurity | The board of directors or executive committee seeks regular briefings or reporting on the cybersecurity posture of their organisation, as well as the … |
| ISM-2001 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Championing a positive cybersecurity culture | The board of directors or executive committee champions a positive cybersecurity culture within their organisation, including through leading by examp… |
| ISM-2002 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Building cybersecurity expertise | The board of directors or executive committee maintains a sufficient level of cybersecurity literacy to fulfil both their fiduciary duties and any leg… |
| ISM-2003 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Building cybersecurity expertise | The board of directors or executive committee maintains awareness of key cybersecurity recruitment activities, retention rates for cybersecurity perso… |
| ISM-2004 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Building cybersecurity expertise | The board of directors or executive committee supports the development of cybersecurity skills and experience for all personnel via internal and exter… |
| ISM-2005 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Identifying critical business assets | The board of directors or executive committee understands the business criticality of their organisation’s systems, applications and data, including a… |
| ISM-2006 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Planning for major cybersecurity incidents | The board of directors or executive committee plans for major cybersecurity incidents, including by participating in exercises, and understand their d… |
| ISM-2007 | S\|TS | Guidelines for physical security › Bringing medical devices into facilities | An authorised medical device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis. |
| ISM-2008 | S\|TS | Guidelines for physical security › Bringing medical devices into facilities | Medical devices that are authorised to be brought into SECRET and TOP SECRET areas meet, at a minimum, the following criteria: - are listed on the Aus… |
| ISM-2009 | S\|TS | Guidelines for physical security › Bringing medical devices into facilities | Unauthorised medical devices are not brought into SECRET and TOP SECRET areas. |
| ISM-2010 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Microsoft Active Directory Domain Services account hardening | Service accounts configured with an SPN use the Advanced Encryption Standard for encryption. |
| ISM-2011 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Multi-factor authentication | When phishing-resistant multi-factor authentication is used by user accounts, other non-phishing-resistant multi-factor authentication options are dis… |
| ISM-2012 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Screen locking | Systems are configured with a screen lock that: - activates after a maximum of 15 minutes of user inactivity, or when manually activated by users - co… |
| ISM-2013 | NC\|OS\|P\|S\|TS | Guidelines for software development › Network application programming interfaces | Authentication and authorisation of clients is performed when clients call network APIs that facilitate modification of data but are not accessible ov… |
| ISM-2014 | NC\|OS\|P\|S\|TS | Guidelines for software development › Network application programming interfaces | Authentication and authorisation of clients is performed when clients call network APIs that facilitate access to data not authorised for release into… |
| ISM-2015 | NC\|OS\|P\|S\|TS | Guidelines for software development › Network application programming interfaces | Network API calls that facilitate modification of data, or access to data not authorised for release into the public domain, but are not accessible ov… |
| ISM-2016 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software input handling | Validation or sanitisation is performed on all input received over a local network by software. |
| ISM-2017 | NC\|OS\|P\|S\|TS | Guidelines for networking › Encrypted Domain Name System Services | DNS traffic is encrypted by clients and servers wherever supported. |
| ISM-2018 | NC\|OS\|P\|S\|TS | Guidelines for gateways › Border Gateway Protocol routing security | Routes for RPKI-registered IP addresses that are advertised from invalid Autonomous Systems, or that are longer than allowed, are rejected or depriori… |
| ISM-2019 | TS | Guidelines for gateways › Assessment of gateways | TOP SECRET gateways undergo a security assessment by ASD assessors (or their delegates), using the latest release of the ISM available prior to the be… |

| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-0938 | 0.95 | Guidelines for system hardening › User application selection | Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices… |
| ISM-1743 | 0.95 | Guidelines for system hardening › Operating system selection | Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices… |
| ISM-1826 | 0.93 | Guidelines for system hardening › Server application selection | Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices… |
| ISM-1633 | 0.87 | Guidelines for cybersecurity roles › Protecting systems and their resources | System owners, in consultation with each system’s authorising officer, determine the system boundary, business criticality and security objectives for… |
| ISM-0401 | 0.87 | Guidelines for software development › Secure software development | Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages o… |
| ISM-0100 | 0.65 | Guidelines for gateways › Assessment of gateways | Non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET gateways undergo an IRAP assessment, using the latest release of the ISM available prior to … |
| ISM-0428 | 0.63 | Guidelines for system hardening › Session locking | Services are configured with a session lock that: - activates after a maximum of 15 minutes of user inactivity, a maximum of 12 hours of overall sessi… |
| ISM-1273 | 0.56 | Guidelines for database systems › Segregation of development, testing, staging and production database servers | Database servers for development, testing, staging and production environments are segregated. |
| ISM-1211 | 0.55 | Guidelines for system management › System administration processes and procedures | System administrators perform system administration activities in accordance with the system’s change and configuration management plan. |
| ISM-1460 | 0.52 | Guidelines for system hardening › Functional separation between computing environments | When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that has demonstrated … |
| ISM-1796 | 0.29 | Guidelines for software development › Secure software development | Files containing executable content are digitally signed by a certificate with a verifiable chain of trust as part of software development. |
| ISM-1240 | 0.28 | Guidelines for software development › Software input handling | Validation or sanitisation is performed on all input received over the internet by software. |
| ISM-1424 | 0.26 | Guidelines for software development › Web security policy response headers | Content-Security-Policy, HSTS and X-Frame-Options are specified by web server software via security policy in response headers. |

| Control | Edit dist | Location |
|---|---|---|
| ISM-1636 | 0.24 | Guidelines for cybersecurity roles › Protecting systems and their resources |
| ISM-1271 | 0.23 | Guidelines for database systems › Network environment |
| ISM-1634 | 0.22 | Guidelines for cybersecurity roles › Protecting systems and their resources |
| ISM-0725 | 0.22 | Guidelines for cybersecurity roles › Coordinating cybersecurity |
| ISM-1967 | 0.20 | Guidelines for cybersecurity roles › Protecting systems and their resources |
| ISM-0718 | 0.18 | Guidelines for cybersecurity roles › Reporting on cybersecurity |
| ISM-1341 | 0.17 | Guidelines for system hardening › Host-based intrusion detection and response |
| ISM-1911 | 0.17 | Guidelines for software development › Software event logging |
| ISM-0047 | 0.17 | Guidelines for cybersecurity documentation › Approval of cybersecurity documentation |
| ISM-1818 | 0.16 | Guidelines for software development › Network application programming interfaces |
| ISM-1420 | 0.16 | Guidelines for software development › Development, testing, staging and production environments |
| ISM-1780 | 0.15 | Guidelines for software development › Secure software development |
| ISM-1803 | 0.14 | Guidelines for cybersecurity incidents › Cybersecurity incident register |
| ISM-1910 | 0.14 | Guidelines for software development › Network application programming interfaces |
| ISM-1238 | 0.14 | Guidelines for software development › Secure software development |
| ISM-1274 | 0.14 | Guidelines for database systems › Segregation of development, testing, staging and production databases |
| ISM-1817 | 0.12 | Guidelines for software development › Network application programming interfaces |
| ISM-1798 | 0.11 | Guidelines for software development › Secure software development |
| ISM-1034 | 0.11 | Guidelines for system hardening › Host-based intrusion detection and response |
| ISM-1275 | 0.10 | Guidelines for software development › Software interaction with databases |
| ISM-1754 | 0.09 | Guidelines for software development › Reporting and resolving vulnerabilities |
| ISM-1278 | 0.09 | Guidelines for software development › Software interaction with databases |
| ISM-1304 | 0.08 | Guidelines for networking › Default user accounts and credentials for network devices |
| ISM-0383 | 0.08 | Guidelines for system hardening › Hardening operating system configurations |
| ISM-1806 | 0.08 | Guidelines for system hardening › Hardening user application configurations |
| ISM-1260 | 0.08 | Guidelines for system hardening › Hardening server application configurations |
| ISM-1536 | 0.07 | Guidelines for software development › Software interaction with databases |
| ISM-1276 | 0.07 | Guidelines for software development › Software interaction with databases |
| ISM-1797 | 0.07 | Guidelines for software development › Secure software development |
| ISM-1908 | 0.07 | Guidelines for software development › Reporting and resolving vulnerabilities |
| ISM-0400 | 0.07 | Guidelines for software development › Development, testing, staging and production environments |
| ISM-0866 | 0.06 | Guidelines for enterprise mobility › Using mobile devices in public spaces |
| ISM-1644 | 0.06 | Guidelines for enterprise mobility › Using mobile devices in public spaces |

| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for Security Documentation | Guidelines for cybersecurity documentation | ISM-0039 ISM-0041 ISM-0043 ISM-0047 ISM-0888 ISM-1163 ISM-1563 ISM-1564 ISM-1602 ISM-1739 |
| Guidelines for Software Development | Guidelines for software development | ISM-0400 ISM-0401 ISM-0402 ISM-1238 ISM-1240 ISM-1275 ISM-1276 ISM-1278 ISM-1419 ISM-1420 ISM-1422 ISM-1424 ISM-1536 ISM-1616 ISM-1717 ISM-1730 ISM-1754 ISM-1755 ISM-1756 ISM-1780 ISM-1796 ISM-1797 ISM-1798 ISM-1816 ISM-1817 ISM-1818 ISM-1908 ISM-1909 ISM-1910 ISM-1911 ISM-1922 ISM-1923 ISM-1924 |
| Guidelines for System Hardening | Guidelines for system hardening | ISM-0428 ISM-1034 ISM-1341 |
| Guidelines for Database Systems | Guidelines for database systems | ISM-1273 ISM-1274 |
| Guidelines for Gateways | Guidelines for gateways | ISM-1783 |

| Control | Direction | Footprint before → after | Location |
|---|---|---|---|
| ISM-0100 | narrowed | NC\|OS\|P\|S\|TS → NC\|OS\|P\|S | Assessment of gateways |

| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-1857 | NC\|OS\|P\|S\|TS | Guidelines for Information Technology Equipment | IT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe progr… |

revision/updated stamp to move (2 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.