| Control | Applicability | Guideline › Section | Description |
|---|---|---|---|
| ISM-0009 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Protecting systems and their resources | System owners, in consultation with each system’s authorising officer, identify any supplementary controls required based upon the unique nature of ea… |
| ISM-1203 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Protecting systems and their resources | System owners, in consultation with each system’s authorising officer, conduct a threat and risk assessment for each system. |
| ISM-2020 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Overseeing cybersecurity personnel | The CISO ensures sufficient cybersecurity personnel, with the right skills and experience, are acquired to support cybersecurity activities within the… |
| ISM-2021 | NC\|OS\|P\|S\|TS | Guidelines for cybersecurity roles › Protecting systems and their resources | System owners implement and maintain data minimisation practices for each of their systems. |
| ISM-2022 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › Providing cybersecurity awareness training | A cybersecurity awareness training register is developed, implemented and maintained. |
| ISM-2023 | NC\|OS\|P\|S\|TS | Guidelines for software development › Authoritative source for software | An authoritative source for software is established and maintained. |
| ISM-2024 | NC\|OS\|P\|S\|TS | Guidelines for software development › Authoritative source for software | The authoritative source for software is used for all software development activities. |
| ISM-2025 | NC\|OS\|P\|S\|TS | Guidelines for software development › Issue tracking | An issue tracking solution is used to link software development tasks to security issues and decisions, change or feature requests, programming issues… |
| ISM-2026 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | All software artefacts are scanned for malicious code before being imported into the authoritative source for software, including all compiled code, t… |
| ISM-2027 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | All software artefacts are verified by a digital signature, or a secure hash provided over a secure channel, before being imported into the authoritat… |
| ISM-2028 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | All imported or referenced third-party software artefacts are tested using static application security testing (SAST), dynamic application security te… |
| ISM-2029 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | The authoritative source for software restricts the use and import of third-party libraries and software components to trusted sources. |
| ISM-2030 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | Scanning is used during commits to identify plain text or encoded secrets and keys, which are then blocked from being stored in the authoritative sour… |
| ISM-2031 | NC\|OS\|P\|S\|TS | Guidelines for software development › Build solution | Compilers, interpreters and build tools (including pipelines) that provide security features to improve executable file security are implemented and s… |
| ISM-2032 | NC\|OS\|P\|S\|TS | Guidelines for software development › Build solution | The build solution ensures that all automated testing is completed without warnings, alerts or errors before building software artefacts. |
| ISM-2033 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | All software security requirements are documented, stored securely and maintained throughout the software development life cycle. |
| ISM-2034 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Security design decisions are documented and reviewed throughout the software development cycle. |
| ISM-2035 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Security roles, responsibilities and knowledge requirements required to support the software development life cycle are identified and documented. |
| ISM-2036 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Security responsibilities for software developers are identified and documented. |
| ISM-2037 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Software developers that lack sufficient cybersecurity knowledge and skills required for their projects or tasks undertake suitable training on secure… |
| ISM-2038 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | A software developer cybersecurity knowledge and skills register is implemented and maintained. |
| ISM-2039 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | The software threat model is reviewed throughout the software development life cycle to ensure it reflects the as-built software and any changes to th… |
| ISM-2040 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Secure programming practices for the chosen programming language are used for software development. |
| ISM-2041 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Memory-safe programming languages, or less preferably memory-safe programming practices, are used for software development. |
| ISM-2042 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Secure by Default principles and practices are followed throughout the software development life cycle, including by ensuring that all built-in securi… |
| ISM-2043 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Software is architected and structured to support readability and maintainability. |
| ISM-2044 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Software has no default credentials; however, if credentials are required, they are created on first install by the installing organisation. |
| ISM-2045 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Application backwards compatibility does not compromise any security measures or features. |
| ISM-2046 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Where software allows user impersonation, sensitive data is not logged and appropriate permissions are set. |
| ISM-2047 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Where software allows an authentication factor to be reset, the user is notified of the reset through a secondary channel. |
| ISM-2048 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Where software supports multiple user roles, non-administrative users are prevented from altering their profile permissions or privileges. |
| ISM-2049 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | When user permissions or credentials are changed, software forces all impacted users to re-authenticate. |
| ISM-2050 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | When digital signatures are processed by software, they are validated against a certificate trust chain and checked for revocation using a Certificate… |
| ISM-2051 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Software generates sufficient event logs to support the detection of cybersecurity events. |
| ISM-2052 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Event logs produced by software ensure that any sensitive data is protected. |
| ISM-2053 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | End of life procedures for software, covering how to remove the software and how to archive or destroy any user accounts and data, are produced and ma… |
| ISM-2054 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software bill of materials | If a software bill of materials is available for imported third-party software components, it is used during software development to ensure such softw… |
| ISM-2055 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software build provenance | If a software build provenance is available for imported third-party software components, it is used during software development to ensure such softwa… |
| ISM-2056 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software build provenance | A software build provenance is produced and made available to consumers of software. |
| ISM-2057 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software input handling | All input validation rules are documented, matched in code and tested with both positive and negative unit testing or integration testing. |
| ISM-2058 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software input handling | Data sources and serialised data inputs are validated before being deserialised. |
| ISM-2059 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software input handling | File uploads or input are restricted to specific file types, with malicious content scanning occurring prior to file access, file execution or file st… |
| ISM-2060 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software security testing | Code reviews are utilised to ensure software meets Secure by Design principles and practices as well as secure programming practices. |
| ISM-2061 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software security testing | Software developer-supported security-focused peer reviews are conducted on all critical and security-focused software components. |
| ISM-2062 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software security testing | Unit testing and integration testing, covering both positive and negative use cases, are used to ensure code quality and security. |
| ISM-2063 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure web application design and development | If supported, web application session cookies set the HttpOnly flag, Secure flag and the SameSite flag by default. |
| ISM-2064 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure web application design and development | Web application session cookies contain only digitally signed opaque bearer tokens. |
| ISM-2065 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure web application design and development | Web application session cookies using opaque bearer tokens that are not digitally signed use non-sequential random identifiers with a minimum of 128 b… |
| ISM-2066 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure web application design and development | Web application sessions are centrally managed server side. |
| ISM-2067 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure web application design and development | Web applications that support Single Sign On equally support Single Logout. |
| ISM-2068 | NC\|OS\|P\|S\|TS | Guidelines for networking › Functional separation between networked devices and the internet | Internet connectivity for networked devices is strictly limited to those that require access. |