| Level | Controls with it as ceiling | Controls with it as floor |
|---|---|---|
| TOP SECRET | 43 | 0 |
| SECRET | 0 | 0 |
| PROTECTED | 0 | 0 |
| OFFICIAL: Sensitive | 0 | 1 |
| Non-Classified | 0 | 42 |
| Footprint | Floor | Ceiling | Controls |
|---|---|---|---|
| OS\|P\|S\|TS | OFFICIAL: Sensitive | TOP SECRET | ISM-2112 |
| Control | Footprint | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-2104 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › Posting work-related information on online services | Personnel are advised not to post information about their security clearance and briefings on unauthorised online services, and to report cases where … |
| ISM-2105 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › Posting work-related information on online services | Personnel are advised to limit posting information about their work-related duties on unauthorised online services, and to report cases where such inf… |
| ISM-2106 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › Posting work-related information on online services | Personnel are advised to limit posting information about their work-related skills and experience on unauthorised online services, and to report cases… |
| ISM-2107 | NC\|OS\|P\|S\|TS | Guidelines for personnel security › Posting personal information on online services | Personnel are encouraged to use any available privacy settings to restrict who can view personal information they post on online services. |
| ISM-2108 | NC\|OS\|P\|S\|TS | Guidelines for enterprise mobility › Encrypted communications | Mobile applications encrypt all sensitive or classified data communicated over public network infrastructure using ASD-approved cryptography. |
| ISM-2109 | NC\|OS\|P\|S\|TS | Guidelines for media › Encrypting media | Pre-boot authentication using passwords, or managed network-based key release, is implemented for media containing encrypted system volumes. |
| ISM-2110 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Hardening user application configurations | User applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur. |
| ISM-2111 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Hardening user application configurations | All temporary installation files created during user application installation processes are removed after user applications have been installed. |
| ISM-2112 | OS\|P\|S\|TS | Guidelines for system hardening › Artificial intelligence applications | AI applications that process classified data have their ability to directly access external public data sources disabled. |
| ISM-2113 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Artificial intelligence applications | AI applications are configured to flag organisationally defined risky actions for human approval prior to their execution. |
| ISM-2114 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Artificial intelligence applications | Baselines of expected behaviour and performance for AI applications are established and monitored for unexpected deviations. |
| ISM-2115 | NC\|OS\|P\|S\|TS | Guidelines for system hardening › Hardening server application configurations | Extensions for server applications are restricted to an organisation-approved set. |
| ISM-2116 | NC\|OS\|P\|S\|TS | Guidelines for security assurance › Event log monitoring | Cyber threat intelligence services are used to support the detection of cyber security events and the identification of cyber security incidents. |
| ISM-2117 | NC\|OS\|P\|S\|TS | Guidelines for security assurance › Event log monitoring | Suitable AI models are used to augment the detection of cyber security events and the identification of cyber security incidents. |
| ISM-2118 | NC\|OS\|P\|S\|TS | Guidelines for security assurance › Vulnerability assessments and penetration tests | Vulnerability assessments and penetration tests are conducted for systems prior to their deployment, including prior to the deployment of significant … |
| ISM-2119 | NC\|OS\|P\|S\|TS | Guidelines for security assurance › Vulnerability assessments and penetration tests | Suitable AI models are used to augment vulnerability assessments and penetration tests. |
| ISM-2120 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | A secure software development policy is developed, implemented and maintained. |
| ISM-2121 | NC\|OS\|P\|S\|TS | Guidelines for software development › Secure software development | Software developers that lack sufficient cyber security knowledge and skills required for their projects or tasks are not used. |
| ISM-2122 | NC\|OS\|P\|S\|TS | Guidelines for software development › Software security testing | Suitable AI models are used to augment software security testing. |
| ISM-2123 | NC\|OS\|P\|S\|TS | Guidelines for software development › Data collection, retention and use | All prompts and outputs associated with chat sessions are securely deleted when chat sessions are removed from AI applications. |
| Control | Edit dist (normalised) | Location | Statement (excerpt) |
|---|---|---|---|
| ISM-1460 | 0.76 | Guidelines for system hardening › Functional separation between operating environments | When using a software-based isolation mechanism that consumes shared physical computing resources, the isolation mechanism is from a vendor that has d… |
| ISM-1848 | 0.72 | Guidelines for system hardening › Functional separation between operating environments | When using a software-based isolation mechanism that consumes shared physical computing resources, the isolation mechanism or underlying operating sys… |
| ISM-0043 | 0.57 | Guidelines for cyber security documentation › Cyber security incident response plan | Systems have a cyber security incident response plan that covers the following: - guidelines on what constitutes a cyber security incident - the types… |
| ISM-0306 | 0.49 | Guidelines for information technology equipment › On-site maintenance or repairs | If an appropriately cleared technician is not used to undertake maintenance or repairs to IT equipment, the technician is escorted by someone who: - h… |
| ISM-0120 | 0.49 | Guidelines for security assurance › Event log monitoring | Cyber security personnel have access to sufficient tools to facilitate the detection of cyber security events and the identification of cyber security… |
| ISM-0853 | 0.48 | Guidelines for system hardening › Session termination | User sessions are terminated and workstations are restarted at least daily. |
| ISM-1403 | 0.45 | Guidelines for system hardening › User account lockouts | User accounts, except for break glass accounts, are protected by fixed or risk-based lockout mechanisms aligned to a maximum of five failed logon atte… |
| ISM-0469 | 0.41 | Guidelines for cryptography › Using cryptographic protocols | An AACP or high assurance cryptographic protocol is used when encrypting data in transit. |
| ISM-1235 | 0.39 | Guidelines for system hardening › Hardening user application configurations | Extensions for user applications are restricted to an organisation-approved set. |
| ISM-0725 | 0.38 | Guidelines for cyber security roles › Coordinating cyber security | The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising key cyber securit… |
| ISM-1467 | 0.38 | Guidelines for system hardening › User application releases | The latest release of email clients, office productivity suites, PDF applications, security products and web browsers, including their extensions, are… |
| ISM-1163 | 0.37 | Guidelines for cyber security documentation › Continuous monitoring plan | Systems have a continuous monitoring plan that includes: - conducting security assessment activities to identify vulnerabilities - analysing identifie… |
| ISM-1606 | 0.34 | Guidelines for system hardening › Functional separation between operating environments | When using a software-based isolation mechanism that consumes shared physical computing resources, patches, updates or vendor mitigations for vulnerab… |
| ISM-0385 | 0.34 | Guidelines for networking › Functional separation between servers | Servers maintain effective functional separation from each other. |
| ISM-1470 | 0.33 | Guidelines for system hardening › Hardening user application configurations | Unneeded user accounts, components, services and functionality of user applications are disabled or removed. |
| ISM-0821 | 0.33 | Guidelines for personnel security › Posting personal information on online services | Personnel are advised of security risks associated with posting personal information on online services. |
| ISM-1607 | 0.32 | Guidelines for system hardening › Functional separation between operating environments | When using a software-based isolation mechanism that consumes shared physical resources, integrity monitoring and centralised event logging is perform… |
| ISM-1059 | 0.30 | Guidelines for media › Encrypting media | All data stored on media is encrypted using ASD-approved cryptography. |
| ISM-1277 | 0.29 | Guidelines for database systems › Communications between database servers and web servers | Data communicated between database servers and web servers is encrypted using Australian Signals Directorate-approved cryptography. |
| ISM-1984 | 0.29 | Guidelines for security assurance › Centralised event logging facility | Event logs sent to a centralised event logging facility are encrypted in transit using Australian Signals Directorate (ASD)-approved cryptography. |
| ISM-2061 | 0.27 | Guidelines for software development › Software security testing | Peer reviews are conducted on all critical and security-related software components. |
| ISM-1080 | 0.26 | Guidelines for cryptography › Using cryptographic algorithms | An AACA or high assurance cryptographic algorithm is used when encrypting data at rest. |
| ISM-2017 | 0.25 | Guidelines for networking › Encrypted Domain Name System Services | DNS traffic is encrypted by clients and servers using ASD-approved cryptography. |
| Control | Edit dist (normalised) | Location |
|---|---|---|
| ISM-1582 | 0.24 | Guidelines for system hardening › Application control |
| ISM-1146 | 0.21 | Guidelines for personnel security › Posting personal information on online services |
| ISM-1781 | 0.20 | Guidelines for networking › Network encryption |
| ISM-1676 | 0.20 | Guidelines for system hardening › Office productivity suites |
| ISM-0869 | 0.19 | Guidelines for enterprise mobility › Encrypted storage |
| ISM-0211 | 0.18 | Guidelines for communications infrastructure › Cable register |
| ISM-2085 | 0.17 | Guidelines for software development › Secure artificial intelligence application development |
| ISM-0580 | 0.17 | Guidelines for security assurance › Security monitoring policy |
| ISM-2053 | 0.17 | Guidelines for software development › Secure software development |
| ISM-1243 | 0.17 | Guidelines for database systems › Database register |
| ISM-1645 | 0.17 | Guidelines for communications infrastructure › Floor plan diagrams |
| ISM-1605 | 0.16 | Guidelines for system hardening › Functional separation between operating environments |
| ISM-1461 | 0.16 | Guidelines for system hardening › Functional separation between operating environments |
| ISM-1713 | 0.16 | Guidelines for media › Removable media register |
| ISM-1736 | 0.16 | Guidelines for procurement and outsourcing › Managed services |
| ISM-0336 | 0.15 | Guidelines for information technology equipment › IT equipment registers |
| ISM-1637 | 0.14 | Guidelines for procurement and outsourcing › Outsourced cloud services |
| ISM-1869 | 0.14 | Guidelines for information technology equipment › IT equipment registers |
| ISM-1738 | 0.13 | Guidelines for procurement and outsourcing › Contractual security requirements with service providers |
| ISM-1085 | 0.13 | Guidelines for enterprise mobility › Encrypted communications |
| ISM-2062 | 0.13 | Guidelines for software development › Software security testing |
| ISM-1966 | 0.12 | Guidelines for cyber security roles › Overseeing the cyber security program |
| ISM-1604 | 0.11 | Guidelines for system hardening › Functional separation between operating environments |
| ISM-1598 | 0.11 | Guidelines for information technology equipment › Inspection of IT equipment following maintenance or repairs |
| ISM-2057 | 0.11 | Guidelines for software development › Software input handling |
| ISM-2007 | 0.11 | Guidelines for physical security › Bringing medical devices into facilities |
| ISM-0459 | 0.11 | Guidelines for media › Encrypting media |
| ISM-1543 | 0.11 | Guidelines for physical security › Bringing radio frequency and infrared devices into facilities |
| ISM-0233 | 0.11 | Guidelines for communications systems › Cordless telephone systems |
| ISM-1801 | 0.10 | Guidelines for networking › Regularly restarting network devices |
| ISM-2084 | 0.10 | Guidelines for software development › Secure artificial intelligence application development |
| ISM-0549 | 0.10 | Guidelines for communications systems › Traffic separation |
| ISM-1493 | 0.09 | Guidelines for system management › Software registers |
| ISM-1740 | 0.09 | Guidelines for personnel security › Managing and reporting suspicious changes to banking details or payment requests |
| ISM-2069 | 0.09 | Guidelines for physical security › Bringing photographic and video recording devices into facilities |
| ISM-0072 | 0.09 | Guidelines for procurement and outsourcing › Contractual security requirements with service providers |
| ISM-0402 | 0.07 | Guidelines for software development › Software security testing |
| ISM-0846 | 0.07 | Guidelines for system hardening › Application control |
| ISM-1970 | 0.07 | Guidelines for cyber security incidents › Handling and containing malicious code infections |
| ISM-1579 | 0.07 | Guidelines for networking › Capacity and availability planning and monitoring for online services |
| ISM-1928 | 0.07 | Guidelines for system hardening › Microsoft Active Directory services |
| ISM-0307 | 0.06 | Guidelines for information technology equipment › On-site maintenance or repairs |
| ISM-0820 | 0.06 | Guidelines for personnel security › Posting work-related information on online services |
| ISM-0294 | 0.06 | Guidelines for information technology equipment › Labelling IT equipment |
| From chapter | To chapter | Controls |
|---|---|---|
| Guidelines for system monitoring | Guidelines for security assurance | ISM-0109 ISM-0580 ISM-0585 ISM-0988 ISM-1228 ISM-1405 ISM-1815 ISM-1906 ISM-1907 ISM-1959 ISM-1960 ISM-1961 ISM-1983 ISM-1984 ISM-1985 ISM-1986 ISM-1987 ISM-1988 ISM-1989 |
| Guidelines for cyber security incidents | Guidelines for security assurance | ISM-0120 |
| Guidelines for cryptography | Guidelines for media | ISM-0459 |
| Guidelines for system management | Guidelines for security assurance | ISM-1698 ISM-1699 ISM-1700 ISM-1701 ISM-1702 ISM-1703 ISM-1752 ISM-1807 ISM-1808 ISM-1900 ISM-1921 |
revision/updated stamp to move (13 prose-only re-renders excluded as format noise). Relocation compares case/spelling-normalised chapter›section›topic paths. Nature = normalised edit distance (editorial <0.05, clarification <0.25, substantive ≥0.25 — uncalibrated). Footprints normalised across schemes (O→OS, ALL→NC|OS|P|S|TS); pre-Dec-2024 NC imputed.
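The footnote compresses the whole comparison method into one line. The following is an added example, not the report's own tooling, that implements that method end to end on a constructed pair of releases: the nature thresholds (<0.05 editorial, <0.25 clarification, otherwise substantive), the footprint alias rules (O→OS, ALL→NC|OS|P|S|TS), and the case-normalised chapter›section›topic comparison are taken from the footnote; the distance formula (Levenshtein divided by the longer statement's length), the snapshot layout, the control identifiers `X-1`…`X-3` and the idea that spelling normalisation is skipped are assumptions. The `X-2` statements reuse the ISM-1235 and ISM-2115 wording from the tables above so the calibration caveat can be seen on real text; the pre-Dec-2024 NC imputation is not modelled.

```python
# Added example: minimal re-implementation of the footnote's change classification.
# Thresholds and alias rules come from the footnote; the distance formula, data
# layout and control ids are assumptions, and spelling normalisation is not done.

LEVELS = ["NC", "OS", "P", "S", "TS"]  # lowest to highest classification level
LEVEL_NAMES = {
    "NC": "Non-Classified", "OS": "OFFICIAL: Sensitive", "P": "PROTECTED",
    "S": "SECRET", "TS": "TOP SECRET",
}
ALIASES = {"O": "OS", "ALL": "NC|OS|P|S|TS"}          # scheme aliases per footnote
THRESHOLDS = [(0.05, "editorial"), (0.25, "clarification")]  # else "substantive"


def normalise_footprint(raw):
    """Return the footprint as level codes in ascending order, expanding aliases."""
    codes = []
    for tok in raw.replace(" ", "").upper().split("|"):
        codes.extend(ALIASES.get(tok, tok).split("|"))
    unknown = set(codes) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown level code(s): {sorted(unknown)}")
    return [lvl for lvl in LEVELS if lvl in codes]


def floor_ceiling(raw):
    """Lowest and highest level a control applies to, as printed in the tables."""
    codes = normalise_footprint(raw)
    return LEVEL_NAMES[codes[0]], LEVEL_NAMES[codes[-1]]


def levenshtein(a, b):
    """Dynamic-programming edit distance; insert, delete and substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalised_distance(old, new):
    """Assumption: edit distance divided by the longer statement's length (0..1)."""
    longest = max(len(old), len(new))
    return levenshtein(old, new) / longest if longest else 0.0


def nature(dist):
    """Map a normalised distance to the footnote's three buckets."""
    for limit, label in THRESHOLDS:
        if dist < limit:
            return label
    return "substantive"


def normalise_path(path):
    """Case- and whitespace-insensitive chapter›section›topic key."""
    return "›".join(" ".join(part.split()).lower() for part in path.split("›"))


def diff_releases(old, new):
    """Compare two {control_id: {"path", "footprint", "statement"}} snapshots."""
    rows = []
    for cid, cur in new.items():
        prev = old.get(cid)
        if prev is None:
            rows.append({"control": cid, "change": "new",
                         "floor_ceiling": floor_ceiling(cur["footprint"])})
            continue
        dist = normalised_distance(prev["statement"], cur["statement"])
        rows.append({
            "control": cid, "change": "changed",
            "edit_dist": round(dist, 2), "nature": nature(dist),
            "relocated": normalise_path(prev["path"]) != normalise_path(cur["path"]),
            "footprint_changed": normalise_footprint(prev["footprint"])
            != normalise_footprint(cur["footprint"]),
        })
    return rows


# Constructed sample snapshots (hypothetical ids; X-2/X-3 wording taken from the tables).
OLD = {
    "X-1": {"path": "Guidelines for System Monitoring › Event log monitoring",
            "footprint": "ALL", "statement": "Event logs are monitored."},
    "X-2": {"path": "Guidelines for system hardening › Hardening user application configurations",
            "footprint": "ALL",
            "statement": "Extensions for user applications are restricted to an organisation-approved set."},
}
NEW = {
    "X-1": {"path": "Guidelines for security assurance › Event log monitoring",
            "footprint": "NC|OS|P|S|TS", "statement": "Event logs are monitored."},
    "X-2": {"path": "Guidelines for system hardening › Hardening user application configurations",
            "footprint": "NC|OS|P|S|TS",
            "statement": "Extensions for server applications are restricted to an organisation-approved set."},
    "X-3": {"path": "Guidelines for system hardening › Artificial intelligence applications",
            "footprint": "O|P|S|TS",
            "statement": "AI applications that process classified data have their ability to directly access external public data sources disabled."},
}

if __name__ == "__main__":
    for row in diff_releases(OLD, NEW):
        print(row)
```

Run it and `X-2` shows why the footnote calls the thresholds uncalibrated: swapping "user" for "server" is four character edits in an 82-character statement (0.049), so it lands in the "editorial" bucket even though the control's scope changed completely. Normalised edit distance is a triage signal for where to look, not a verdict on whether a control's meaning moved; anything near a threshold, and any row whose footprint or path changed, still needs a human read.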