ISMexplorer · ASD ISM — incremental change analysis
1 · Change typology

2 · Classification footprint

Ceiling (highest level reached) / Floor (lowest level reached) — material changes
| Level | as ceiling | as floor |
|---|---|---|
| TOP SECRET | 10 | 0 |
| SECRET | 0 | 0 |
| PROTECTED | 3 | 0 |
| OFFICIAL: Sensitive | 0 | 3 |
| Non-Classified | 0 | 10 |

3 · Level-specific material changes
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| OS\|P | OFFICIAL: Sensitive | PROTECTED | ISM-2095 ISM-1400 ISM-1866 |

4 · Change location by chapter

5 · Control call-outs by category
Added — new controls (9)
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-2095 | OS\|P | Guidelines for enterprise mobility › Privately-owned mobile devices and desktop computers | Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data are disallowed from gra… |
| ISM-2096 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Maintaining mobile device security | Mobile devices are configured to enforce separation between organisational and personal mobile applications and data. |
| ISM-2097 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Maintaining mobile device security | Mobile devices are configured with always on VPN functionality. |
| ISM-2098 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Maintaining mobile device security | Mobile devices are configured to prevent data transfers over Universal Serial Bus connections. |
| ISM-2099 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Connecting mobile devices to connected vehicles | Mobile devices are not connected to the infotainment systems of connected vehicles. |
| ISM-2100 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Using mobile devices within or near connected vehicles | Sensitive or classified data is not viewed on mobile devices within or near connected vehicles. |
| ISM-2101 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Using mobile devices within or near connected vehicles | Sensitive or classified phone calls and conversations are not conducted within or near connected vehicles. |
| ISM-2102 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software artefacts | Existing software artefacts in the authoritative source for software are periodically tested to detect known weaknesses using SAST, DAST or SCA, depen… |
| ISM-2103 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure artificial intelligence application development | Organisational data generated, collected or processed by artificial intelligence applications is not used for training, fine-tuning or improving artif… |

Substantive amendments (4)
| Control | Edit dist | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1866 | 0.49 | Guidelines for enterprise mobility › Privately-owned mobile devices and desktop computers | Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data are prevented from stor… |
| ISM-2028 | 0.36 | Guidelines for software development › Software artefacts | All software artefacts are tested to detect known weaknesses using static application security testing (SAST), dynamic application security testing (D… |
| ISM-1400 | 0.33 | Guidelines for enterprise mobility › Privately-owned mobile devices and desktop computers | Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data have enforced separatio… |
| ISM-2026 | 0.26 | Guidelines for software development › Software artefacts | All software artefacts are scanned for malicious content before being imported into the authoritative source for software. |

Clarifications (9)
| Control | Edit dist | Location |
|---|---|---|
| ISM-1526 | 0.23 | Guidelines for cyber security roles › Protecting systems and their resources |
| ISM-1482 | 0.23 | Guidelines for enterprise mobility › Organisation-owned mobile devices and desktop computers |
| ISM-0027 | 0.22 | Guidelines for cyber security roles › Protecting systems and their resources |
| ISM-1968 | 0.20 | Guidelines for cyber security roles › Protecting systems and their resources |
| ISM-1885 | 0.19 | Guidelines for communications infrastructure › Emanation security risk assessments |
| ISM-1888 | 0.12 | Guidelines for enterprise mobility › Maintaining mobile device security |
| ISM-1633 | 0.11 | Guidelines for cyber security roles › Protecting systems and their resources |
| ISM-0874 | 0.06 | Guidelines for enterprise mobility › Mobile devices and desktop computers accessing the internet |
| ISM-1990 | 0.05 | Guidelines for cryptography › Using post-quantum cryptographic algorithms |

Editorial / grammatical (4)
Cosmetic edits (normalised edit distance < 0.05). ISM-0246, ISM-0249, ISM-1137, ISM-1634
Relocated (6)
0 cross-chapter moves (listed) · 6 intra-chapter section/topic reshuffles (count only).
Scope / applicability changes (0)
No control changed its classification reach this release.
Removed (1)
| Control | Footprint | Former location | Statement (excerpt) |
|---|---|---|---|
| ISM-1837 | NC\|OS\|P\|S\|TS | Guidelines for system hardening | User accounts are not configured with password never expires or password not required. |

Method. Controls only (ISM-principles excluded). A content modification requires ASD's native revision/updated stamp to move (0 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
Generated by ISMexplorer v1.0.0 — longitudinal and per-release analysis of ASD Information Security Manual control changes.
Information Security Manual (ISM) published by Australian Signals Directorate / Australian Cyber Security Centre and © Commonwealth of Australia 2022-2026;
ISMexplorer analysis tool and publication © Baden Hughes, 2022-2026