The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.
The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.
The ISM represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). This advice is provided in accordance with ASD’s designated functions under section 7(1)(ca) of the Intelligence Services Act 2001.
The ACSC also provides cyber security advice in the form of consumer guides, Australian Communications Security Instructions and other cyber security-related publications. In these cases, device and application-specific advice may take precedence over the advice in the ISM.
Legislation and legal considerations
Organisations are not required as a matter of law to comply with the ISM, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. Furthermore, the ISM does not override any obligations imposed by legislation or law. Finally, if the ISM conflicts with legislation or law, the latter takes precedence.
While the ISM contains examples of when legislation or laws may be relevant for organisations, there is no comprehensive consideration of such issues.
Cyber security principles
The purpose of the cyber security principles within the ISM is to provide strategic guidance on how organisations can protect their systems and information from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond. Organisations should be able to demonstrate that the cyber security principles are being adhered to within their organisation.
Cyber security guidelines
The purpose of the cyber security guidelines within the ISM is to provide practical guidance on how organisations can protect their systems and information from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters. Organisations should consider the cyber security guidelines that are relevant to each of the systems that they operate.
The complete ISM, including all supporting materials and changes documents, is constantly being reviewed and updated. The latest release can be found at https://www.cyber.gov.au/acsc/view-all-content/ism.
Additional cyber security-related publications from the ACSC can be found at https://www.cyber.gov.au/acsc/view-all-content/publications.