
ISM by Australian Signals Directorate

Review your current systems and get compliant with the Australian government's Information Security Manual.


What is the ISM by the Australian Signals Directorate?

Australia remains a target of sophisticated, large-scale cyber exploitation by malicious actors who aim to covertly gather information from ICT systems. Australia now also faces the risk of cyber attacks: offensive actions intended to deny, degrade, disrupt, or destroy information and ICT systems.

The Information Security Manual (ISM) by the Australian Signals Directorate outlines a risk-based cybersecurity framework that organisations can apply. It details important information about cyber threats and outlines principles and controls to protect agency systems and their information.

Who are the Australian Signals Directorate or ASD?

The Australian Signals Directorate (ASD) is a crucial member of Australia’s national security community, working across intelligence, cyber security, and offensive operations in support of the Australian Government and Australian Defence Force (ADF).

What is the Information Security Manual (ISM)?

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats.

Who is the ISM intended for?

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.

When assessing cyber risk status, the ISM outlines five key questions that organisations must ask themselves. These are:

1. Is the organisation ready to respond to targeted cyber security incidents?
2. What would the cost be of a cyber security incident?
3. Who would benefit from having access to our information?
4. What controls do we have in place to protect ourselves from cyber threats?
5. Does staff behaviour foster a strong security culture?

How does it work?

The ISM consists of cyber security principles and cyber security guidelines.

Cybersecurity Principles

These principles provide strategic guidance on how organisations can protect their systems and data from cyber attacks and threats. The principles are grouped into four key activities: govern, protect, detect and respond. To comply with the ISM, organisations must provide evidence that they are adhering to these principles.

Cybersecurity Guidelines

These are practical guidelines that an organisation can apply to safeguard its systems and data from cyber attacks and threats. The cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters. Organisations should consider the cyber security guidelines that are relevant to each of the systems they operate.

Complying with ISM

Compliance with ISM controls is categorised into ‘must’ and ‘should’ requirements.

Requirements are evaluated according to the degree of risk an organisation is accepting by not complying with the ISM control.

Non-compliance with ‘must’ requirements represents a high cyber security risk. Non-compliance with ‘should’ controls represents a medium to low cyber security risk.

How We Do It

The StickmanCyber team can help review your organisation's controls against the requirements of the ISM and provide recommendations to achieve compliance. We follow a standard five-step approach to evaluate current systems and work towards compliance.
