Understanding the Australian Information Security Manual (ISM)

The Essential Eight identifies the most critical cybersecurity risk mitigation controls, providing a set of minimum baseline strategies. As organizations work to mature their security posture, the Essential Eight maturity model gives them a graduated path to follow. However, for organizations that need to implement a more comprehensive security program, the Australian Signals Directorate (ASD) publishes the Information Security Manual (ISM).

In December 2025, the ASD updated the ISM to address changes in technology use, including artificial intelligence. By understanding what the ISM is and how to use it for implementing cybersecurity controls, organizations can improve their security and compliance posture.

What is the Information Security Manual (ISM)?

The ISM is a set of cybersecurity principles and practical guidance for protecting information and operational technology systems from cyber threats.

It takes a risk-based approach that applies the following framework:

  • Define the system: Determine system boundary, business criticality, and security objectives.
  • Select controls: Tailor controls to achieve desired outcomes.
  • Implement controls: Implement and document controls.
  • Assess controls: Ensure control implementations function as intended.
  • Authorize the system: Determine whether security risks are acceptable and authorize the system to operate.
  • Monitor the system: Continuously monitor to identify potential issues impacting security posture.

The following six cybersecurity principles are the outcomes that organizations should be able to prove:

  • Govern (GOV): Develop and maintain a strong and resilient cyber security culture.
  • Identify (IDE): Identify assets and associated security risks.
  • Protect (PRO): Implement and maintain controls to manage security risks.
  • Detect (DET): Detect and analyse cyber security events to identify cyber security incidents.
  • Respond (RES): Respond to cyber security incidents.
  • Recover (REC): Resume normal business operations following cyber security incidents.

What Do The ISM Principles Cover?

The six principles outlined in the ISM offer strategic guidance for how organizations should manage their information security.

Govern

The ISM outlines the following principles:

  • GOV-01 – Executive cyber security accountability: Assigns accountability to the board of directors or executive committee.
  • GOV-02 – Executive cyber security leadership: Assigns oversight to the chief information security officer (CISO).
  • GOV-03 – Security risk management: Embeds security risk management into organizational risk management.
  • GOV-04 – Cyber security resourcing: Onboard the appropriate personnel and resources.
  • GOV-05 – Security risk acceptance: Review and accept residual risks prior to authorization.
  • GOV-06 – Security risk communication: Communicate residual risks to stakeholders.
  • GOV-07 – Security risk insights: Review security risk management regularly and update procedures and processes as needed.

Identify

The ISM outlines the following principles:

  • IDE-01 – Asset identification: Identify and document systems.
  • IDE-02 – Business criticality identification: Determine and document system business criticality.
  • IDE-03 – Security requirements identification: Determine and document confidentiality, integrity, and availability requirements.
  • IDE-04 – Security risk identification: Identify and document security risks.

Protect

The ISM outlines the following principles:

  • PRO-01 – Secure system lifecycle: Plan, design, develop, test, deploy, maintain, and decommission systems according to business criticality and confidentiality, integrity and availability requirements.
  • PRO-02 – Secure by design: Plan, design, develop, test, deploy, maintain, and decommission systems using secure by design and default principles and practices.
  • PRO-03 – Trustworthy suppliers: Use trustworthy suppliers for system delivery and support.
  • PRO-04 – Attack surface reduction: Configure systems to reduce attack surface.
  • PRO-05 – Secure administration: Administer systems in a secure and accountable way.
  • PRO-06 – Vulnerability management: Identify and mitigate vulnerabilities in a timely manner.
  • PRO-07 – Trustworthy software execution: Ensure only trustworthy, supported operating systems and software execute code on systems.
  • PRO-08 – Data encryption: Encrypt data-at-rest and in-transit.
  • PRO-09 – Content filtering: Control and inspect data communicated between different security domains.
  • PRO-10 – Regular proven backups: Regularly back up operating systems, applications, settings, and data.
  • PRO-11 – Trustworthy personnel: Only grant system access to trustworthy personnel.
  • PRO-12 – Least privilege access: Grant users the least amount of access necessary to complete job functions.
  • PRO-13 – Robust access control: Control access with robust and secure identity, credential and access management.
  • PRO-14 – Cyber security awareness training: Provide personnel ongoing cybersecurity awareness training.
  • PRO-15 – Physical access restriction: Restrict and monitor physical access to systems.

Detect

The ISM outlines the following principles:

  • DET-01 – Centralised event logging: Collect all configuration changes and security relevant logs in a single, secure location.
  • DET-02 – Cyber security event detection: Analyze all configuration changes and security relevant logs in a timely manner to detect potential cyber events.
  • DET-03 – Cyber security incident identification: Analyze all incidents in a timely manner.

Respond

The ISM outlines the following principles:

  • RES-01 – Cyber security incident planning: Implement cybersecurity incident response, business continuity and disaster recovery plans to support continued business operations and the resumption of normal business operations.
  • RES-02 – Cyber security incident reporting: Report cybersecurity incidents and the response activities internally and externally as appropriate.
  • RES-03 – Cyber security incident response: Contain, eradicate, and recover from cybersecurity incidents in a timely manner.
  • RES-04 – Cyber security incident insights: Identify areas of improvement after a cybersecurity incident and take action in a timely manner.

Recover

The ISM outlines the following principle:

  • REC-01 – Business operations resumption: Accept residual security risks before resuming normal business operations after a cybersecurity incident.

What Are the ISM Guidelines?

To help organizations implement the appropriate operational and technical controls, the ISM provides guidelines for the following:

  • Cybersecurity roles, defining responsibilities for the board of directors, executive committee, CISO, and system owners.
  • Cybersecurity incidents, including management and response.
  • Procurement and outsourcing, including cyber supply chain risk management, managed services, and cloud services.
  • Cybersecurity documentation, including documentation development and maintenance, and system specific documentation.
  • Physical security, including facilities, systems, IT equipment, and media.
  • Personnel security, including cybersecurity awareness training and access to systems and resources.
  • Communications infrastructure, including cabling infrastructure and emanation security.
  • Communications systems, including telephone systems, video conferencing, Internet Protocol telephony, multifunction devices, fax machines, and services.
  • Enterprise mobility, including enterprise mobility, mobile device management, and mobile device usage.
  • Evaluated products, including evaluated product procurement and usage.
  • Information technology equipment, including equipment usage, maintenance and repairs, sanitization and destruction, and disposal.
  • Media, including usage, sanitization, destruction, and disposal.
  • System hardening, including operating systems, user applications, server applications, authentication, and virtualization.
  • System management, including system administration, patching, and data backup and restoration.
  • System monitoring, including event logging and monitoring.
  • Software development, including software development fundamentals, artificial intelligence (AI) application development, mobile application development, and web application development.
  • Database systems, including servers and databases.
  • Email, including usage, gateways, and servers.
  • Cryptography, including approved algorithms and protocols, Transport Layer Security (TLS), Secure Shell (SSH), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Internet Protocol Security (IPsec).
  • Gateways, including cross domain solutions, firewalls, web application firewalls, diodes, web proxies, web content filters, content filtering, and peripheral switches.
  • Data transfers.

Best Practices for ISM Risk Management and Compliance

As organizations work to implement the appropriate security risk management controls, they need solutions that help them manage the ongoing monitoring, maintenance, and documentation that compliance requires. Aligning control settings and monitoring with the ISM topic-based guidelines enables organizations to create the appropriate pipelines, dashboards, and alerts.

Centralize Log Data from Across the Environment

According to the guidelines for event logging and monitoring, organizations should use a centralized event logging solution that captures, protects, and manages event logs from multiple sources.

When seeking a technology, like a security information and event management (SIEM) solution, organizations should consider the following capabilities:

  • Scalable architecture for collecting, parsing, and normalizing logs from diverse sources.
  • Flexible deployment across on-premises, private cloud, public cloud, or hybrid deployments.
  • Tamper-proof retention and integrity using policy-driven retention with immutability, encryption, and audit trails.
  • Unified format to enrich log data with GeoIP, threat intelligence, and asset context for faster searchability and correlation.

Continuously Monitor Systems with Event Correlation

Under the Protect, Detect, and Respond principles, organizations need to implement comprehensive real-time monitoring across the entire environment. Event correlation connects disparate logs to identify attack patterns, reduce noise, and prioritize threats.

When seeking a solution, organizations should look for the following capabilities:

  • Configuration tracking that includes history for inputs, parsing, and alerts to prove coverage.
  • Workflow views of system health and changes for ongoing assessments.
  • Ability to export monitoring evidence for audits, including information like timestamps, actors, and outcomes.
  • Low-latency search and correlation across all sources.
  • Rule-based alerts plus anomaly models enriched by threat intel.
  • Grouping events into prioritised cases by user, host, or API activity.

Detect Incidents by Identifying Abnormal Activity

Incident detection relies on timely alerting from correlated events. Security teams need high-fidelity alerts that enable proactive threat identification and reduce false positives.

When seeking a solution, organizations should look for the following capabilities:

  • Streaming pipelines that rapidly trigger alerts for timely detection.
  • Machine learning and anomaly detection that identifies abnormal behavior across users, hosts, networks, and APIs.
  • Dynamic risk scoring to appropriately escalate alerts based on information like CVSS, behavior, and asset criticality.
  • Artificial intelligence that can create summaries, timelines, and evidence chains while also suggesting remediation actions.
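The three capability lists above (centralized collection into a unified format with asset enrichment, correlation of disparate events into prioritised cases, and risk scoring that weighs asset criticality) describe a pipeline that is easier to reason about when seen end to end. The following is an added, self-contained illustration written for this article; it is not Graylog code and not part of the ISM. The three log formats, the hostnames, users and IP addresses, the asset inventory and the thresholds are all constructed for the example, and the scoring formula is a deliberately simple stand-in for a product's risk model.

```python
"""Normalize log lines from three different sources into one schema, enrich
them with asset context, and correlate them into risk-ranked cases.

Added example for the centralized logging, correlation and detection sections.
Everything below (formats, hosts, users, addresses, inventory) is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: hostname -> business criticality (1 low .. 3 high),
# the kind of context IDE-02 asks an organization to document.
ASSET_CRITICALITY = {"db-prod-01": 3, "web-01": 2, "dev-box-07": 1}

# Constructed sample lines: sshd syslog, a JSON cloud audit record, key=value events.
SAMPLE_LOGS = [
    "2025-12-01T10:00:01Z web-01 sshd[2201]: Failed password for alice from 203.0.113.9 port 5120 ssh2",
    "2025-12-01T10:00:03Z web-01 sshd[2201]: Failed password for alice from 203.0.113.9 port 5121 ssh2",
    "2025-12-01T10:00:04Z web-01 sshd[2201]: Failed password for alice from 203.0.113.9 port 5122 ssh2",
    "2025-12-01T10:00:09Z web-01 sshd[2201]: Accepted password for alice from 203.0.113.9 port 5123 ssh2",
    '{"time": "2025-12-01T10:01:00Z", "host": "db-prod-01", "user": "svc_backup", "action": "login", "result": "success"}',
    "time=2025-12-01T10:02:00Z host=dev-box-07 user=bob event=logon outcome=failure",
    "time=2025-12-01T10:02:05Z host=dev-box-07 user=bob event=logon outcome=failure",
    "time=2025-12-01T10:02:20Z host=dev-box-07 user=bob event=logon outcome=failure",
    "time=2025-12-01T10:02:30Z host=dev-box-07 user=bob event=logon outcome=success",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(line):
    """Map one raw line onto the unified schema; return None if it is not a logon event."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": "success" if m["res"] == "Accepted" else "failure"}
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("action") != "login":
            return None
        return {"ts": _ts(rec["time"]), "host": rec["host"], "user": rec["user"],
                "src": rec.get("src_ip"), "outcome": rec["result"]}
    kv = dict(KV_RE.findall(line))
    if kv.get("event") == "logon":
        return {"ts": _ts(kv["time"]), "host": kv["host"], "user": kv["user"],
                "src": kv.get("src"), "outcome": kv["outcome"]}
    return None


def enrich(event):
    """Attach asset criticality; unknown hosts default to the lowest tier."""
    event["criticality"] = ASSET_CRITICALITY.get(event["host"], 1)
    return event


def correlate(events, failures=3, window_s=60):
    """Group events per (host, user) and open a case when at least `failures`
    failed logons precede a success within `window_s` seconds."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["host"], e["user"])].append(e)
    cases = []
    for (host, user), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent = [p for p in evs[:i]
                      if p["outcome"] == "failure"
                      and (e["ts"] - p["ts"]).total_seconds() <= window_s]
            if len(recent) >= failures:
                cases.append({"host": host, "user": user, "failures": len(recent),
                              "criticality": e["criticality"],
                              # Constructed risk model: evidence strength scaled by asset criticality.
                              "risk": len(recent) * 10 * e["criticality"]})
    return sorted(cases, key=lambda c: c["risk"], reverse=True)


def run(lines=SAMPLE_LOGS):
    """Full pipeline: normalize -> enrich -> correlate, highest risk first."""
    events = [enrich(ev) for ev in map(normalize, lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for case in run():
        print(case)
```

Run as-is, the pipeline opens two cases and ranks the one on web-01 above the one on dev-box-07 even though both show the same three-failures-then-success pattern, because the asset inventory marks web-01 as more critical; the single successful logon on db-prod-01 produces no case because no failures precede it. The point for an ISM program is that the ranking is only as good as the IDE-02 criticality data fed into it, and that every stage (parser, enrichment source, rule threshold) is a configuration whose history should be retained as evidence of coverage.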

Enact Incident Response Plan with Rapid Investigations

To rapidly contain threats, security teams need visibility across all log sources and the ability to reconstruct attack timelines while maintaining evidence integrity.

When seeking a solution, organizations should look for the following capabilities:

  • Unified search across all sources, including endpoints, networks, cloud, and applications.
  • Interactive timelines that provide one-click pivots that reduce the mean time to contain (MTTC) and mean time to respond (MTTR).
  • Data enrichment that includes context about the asset details and event context.
  • Workflows that capture evidence, assign tasks, and track containment steps.
  • Ability to export evidence for post-incident reviews.

Build Dashboards for Ongoing Visibility and Compliance Reporting

When using the ISM as a compliance framework, organizations need continuous visibility into system health, threats, and control effectiveness through real-time monitoring and scheduled reports. Dashboards provide the at-a-glance visibility that enables security team efficiency.

When seeking a solution, organizations should look for the following capabilities:

  • Pre-built dashboards across key monitoring requirements, like user activity, host activity, and network activity.
  • Compliance views that allow filtering by category, like time range or asset group.
  • Executive summaries that enable the board of directors and executive team to manage their responsibilities.
  • Scheduled reports that forward compliance information on a daily, weekly, monthly, or quarterly basis.
  • Threat coverage visuals mapped to the MITRE ATT&CK Framework for insight into potential control gaps.

Graylog Security: Enabling Compliance with the Australian Information Security Manual

Graylog Security enables organizations to engage in real-time security monitoring and rapidly investigate potential incidents to manage ISM compliance. With Graylog Security, organizations can streamline their compliance processes while improving their overall security posture.

Using our scalable and customizable detections, security teams can build high-fidelity alerts that reduce alert fatigue and help them focus on the threats that matter most.

To learn more about how Graylog enables strong security outcomes and a lower TCO, contact us today for a demo.
