Australia · Australian Signals Directorate (ASD) / ACSC
ISM

Information Security Manual

The ASD's cybersecurity framework used by Australian Government agencies to protect their information and systems.

Status · Updated quarterly

What ISM actually is.

The Information Security Manual (ISM) is a risk-based framework published by the ASD that an entity can apply, using its own risk-management framework, to protect its information and systems from cyber threats. The ISM is structured around cybersecurity principles and associated controls. Agencies apply controls relative to the classification of the data being protected, from OFFICIAL through to TOP SECRET. For IRAP assessments, the ISM is the authoritative control catalogue.

Applies to

Non-corporate Commonwealth entities (mandatorily, via the PSPF) and corporate Commonwealth entities under the Archives Act. Widely adopted by state and territory governments and by suppliers handling government data.

Key requirements

The control areas the framework covers.

Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.

  1. Govern

    Identify and manage security risks, roles, accountabilities and reporting - tied to the agency risk framework.

  2. Protect

    Implement security controls to reduce security risks, across personnel, information, cyber, physical, ICT and supply chain.

  3. Detect

    Detect and understand cybersecurity events, including monitoring of systems and analysis of event data.

  4. Respond

    Respond to and recover from cybersecurity incidents through planning, exercises and post-incident review.

Official source

Read it from the issuing body.

For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.

Australian Signals Directorate (ASD) / ACSC

Information Security Manual

cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
