ISMexplorer
ASD ISM — incremental change analysis
1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 24 | 0 |
| SECRET | 0 | 0 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 0 |
| Non-Classified | 0 | 24 |
3 · Level-specific material changes
No level-specific material changes — every added/substantive control applies at all classifications (NC|OS|P|S|TS).
4 · Change location by chapter

5 · Control call-outs by category
Added — new controls (21)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-2074 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › General-purpose artificial intelligence usage policy | A general-purpose artificial intelligence usage policy is developed, implemented and maintained. |
| ISM-2075 | NC\|OS\|P\|S\|TS | Guidelines for communications systems › Sending and receiving fax messages | Fax machines, and online fax services, are not used for sending or receiving fax messages. |
| ISM-2076 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Insecure authentication methods | Security questions are not used for authentication purposes. |
| ISM-2077 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Insecure authentication methods | Email is not used for out-of-band authentication purposes. |
| ISM-2078 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Password strength | Passwords appearing in lists of commonly used passwords or lists of compromised passwords are not used. |
| ISM-2079 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Password strength | Maximum length limits for passwords are not less than 64 characters. |
| ISM-2080 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Password strength | Password complexity requirements are not imposed for passwords. |
| ISM-2081 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Password strength | All ASCII printable characters are supported for passwords. |
| ISM-2082 | NC\|OS\|P\|S\|TS | Guidelines for software development › Cryptographic bill of materials | If a cryptographic bill of materials is available for imported third-party software components, it is used during software development to ensure such … |
| ISM-2083 | NC\|OS\|P\|S\|TS | Guidelines for software development › Cryptographic bill of materials | A cryptographic bill of materials is produced and made available to consumers of software. |
| ISM-2084 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure artificial intelligence application development | Artificial intelligence-specific documentation, including model and system cards (or equivalent artefacts), is used to document model characteristics,… |
| ISM-2085 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure artificial intelligence application development | The exposure of exact artificial intelligence model confidence scores in API responses or user interfaces is prevented. |
| ISM-2086 | NC\|OS\|P\|S\|TS | Guidelines for software development › Artificial intelligence model poisoning | The source and integrity of artificial intelligence models, structures and weights are verified. |
| ISM-2087 | NC\|OS\|P\|S\|TS | Guidelines for software development › Artificial intelligence model poisoning | The source and integrity of training data for artificial intelligence models is verified. |
| ISM-2088 | NC\|OS\|P\|S\|TS | Guidelines for software development › Artificial intelligence model poisoning | Data validation and verification techniques are used to ensure the reliability and accuracy of training data used by artificial intelligence models. |
| ISM-2089 | NC\|OS\|P\|S\|TS | Guidelines for software development › Unbounded consumption | Artificial intelligence model performance metrics are monitored and anomalies are investigated. |
| ISM-2090 | NC\|OS\|P\|S\|TS | Guidelines for software development › Unbounded consumption | Rate limiting is applied to inference queries for artificial intelligence models. |
| ISM-2091 | NC\|OS\|P\|S\|TS | Guidelines for software development › Unbounded consumption | Resource limits are enforced for artificial intelligence models. |
| ISM-2092 | NC\|OS\|P\|S\|TS | Guidelines for software development › Excessive agency | Access control policies are implemented to enforce fine-grained permissions for artificial intelligence applications. |
| ISM-2093 | NC\|OS\|P\|S\|TS | Guidelines for software development › Excessive agency | Role-based access controls are implemented for artificial intelligence applications to restrict access to sensitive data. |
| ISM-2094 | NC\|OS\|P\|S\|TS | Guidelines for software development › Sensitive data exposure and improper output | Content filtering is implemented by artificial intelligence applications to detect and block sensitive data exposure and improper output. |
Substantive amendments (3)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1558 | 0.96 | Guidelines for system hardening › Password strength | Passwords using a sequence of words for single-factor authentication are not constructed using: - a list of categorised words - a real sentence in a n… |
| ISM-0245 | 0.70 | Guidelines for communications systems › Connecting multifunction devices to digital telephone systems | MFDs are not connected to digital telephone systems. |
| ISM-1911 | 0.28 | Guidelines for software development › Software event logging | Security-relevant usage, error messages and crashes for software are centrally logged. |
Clarifications (15)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1596 | 0.22 | Guidelines for system hardening › Setting credentials for user accounts |
| ISM-0725 | 0.22 | Guidelines for cyber security roles › Coordinating cyber security |
| ISM-1557 | 0.21 | Guidelines for system hardening › Password strength |
| ISM-0422 | 0.20 | Guidelines for system hardening › Password strength |
| ISM-0421 | 0.15 | Guidelines for system hardening › Password strength |
| ISM-1803 | 0.14 | Guidelines for cyber security incidents › Cyber security incident register |
| ISM-1036 | 0.13 | Guidelines for communications systems › Observing multifunction device use |
| ISM-1956 | 0.12 | Guidelines for system hardening › Changing credentials |
| ISM-0588 | 0.11 | Guidelines for communications systems › Multifunction device usage policy |
| ISM-1560 | 0.09 | Guidelines for system hardening › Password strength |
| ISM-1561 | 0.09 | Guidelines for system hardening › Password strength |
| ISM-1590 | 0.08 | Guidelines for system hardening › Changing credentials |
| ISM-2072 | 0.07 | Guidelines for software development › Secure artificial intelligence application development |
| ISM-1559 | 0.06 | Guidelines for system hardening › Password strength |
| ISM-1449 | 0.06 | Guidelines for cryptography › Authentication mechanisms |
Editorial / grammatical (59)
Cosmetic edits (normalised edit distance < 0.05). ISM-0039, ISM-0043, ISM-0047, ISM-0109, ISM-0120, ISM-0123, ISM-0125, ISM-0140, ISM-0141, ISM-0252, ISM-0417, ISM-0487, ISM-0488, ISM-0576, ISM-0585, ISM-0714, ISM-0717, ISM-0718, ISM-0720, ISM-0724, ISM-0726, ISM-0732, ISM-0733, ISM-0735, ISM-0888, ISM-1228, ISM-1478, ISM-1526, ISM-1602, ISM-1617, ISM-1618, ISM-1784, ISM-1819, ISM-1847, ISM-1880, ISM-1881, ISM-1906, ISM-1907, ISM-1918, ISM-1955, ISM-1960, ISM-1961, ISM-1970, ISM-1986, ISM-1987, ISM-1997, ISM-1998, ISM-1999, ISM-2000, ISM-2001, ISM-2002, ISM-2003, ISM-2004, ISM-2006, ISM-2020, ISM-2022, ISM-2037, ISM-2038, ISM-2051
Relocated (16)
1 cross-chapter move (listed) · 15 intra-chapter section/topic reshuffles (count only).
| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for gateways | Guidelines for personnel security | ISM-0258 |
Scope / applicability changes (0)
No control changed its classification reach this release.
Removed (6)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-0241 | NC\|OS\|P\|S\|TS | Guidelines for communications systems | When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure. |
| ISM-1075 | NC\|OS\|P\|S\|TS | Guidelines for communications systems | The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver t… |
| ISM-1092 | NC\|OS\|P\|S\|TS | Guidelines for communications systems | Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages. |
| ISM-1225 | NC\|OS\|P\|S\|TS | Guidelines for information technology equipment | The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-instal… |
| ISM-1226 | NC\|OS\|P\|S\|TS | Guidelines for information technology equipment | Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam. |
| ISM-1923 | NC\|OS\|P\|S\|TS | Guidelines for software development | The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications. |
Method. Controls only (ISM-principles excluded). A content modification requires ASD's native revision/updated stamp to move (0 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026