Skip to main content

The updated Australian Government Information Security Manual (ISM) has been released by the Australian Cyber Security Centre (ACSC).

The 2018 release supports a move towards a risk-based approach that gives organisations greater flexibility to manage their cyber security based on their own unique circumstances, enabling greater innovation within Government.

The ISM is an important source of cyber security advice to businesses, industry and government. The manual represents the ACSC's knowledge of best practice cyber security measures based on their experience in responding to cyber security incidents within Australia. The ISM also complements the Australian Government’s Protective Security Policy Framework (PSPF).

"The ISM is the Australian Government’s flagship document in supporting organisations to protect their information and ICT systems," said the Head of the ACSC, Alastair MacGibbon.

"The ISM is updated regularly to make sure people are best equipped to tackle the security risks associated with prevailing cyber threats" he said. "You'll see the document has been streamlined, to remove duplication and make it easier to use."

"What hasn’t changed is each organisation’s responsibility to protect their people, information and assets."

Specific updates to the ISM include:

  • changes to reflect the updated Australian Government Security Classification Scheme to be introduced as part of PSPF reforms
  • changes to reflect broader PSPF move from a compliance-based regime to a risk management approach for protective security within government
  • the removal of residual compliance concepts in favour of risk management concepts
  • the addition of new controls to support the implementation of the 'Essential Eight'
  • changes to streamline and simplify existing content, where appropriate.

The ACSC is grateful for the assistance our staff have received from Information Security Registered Program (IRAP) members from throughout industry, who were consulted about proposed changes as part of the development of the 2018 update to the ISM, as well as the Information Technology Security Advisors (ITSAs) across government.

The Australian Signals Directorate is required to provide cyber security advice to government and industry as part of its functions under the Intelligence Services Act 2001.

For more information, read the 2018 Australian Government Information Security Manual.

If you have any questions regarding this guidance you can contact us via 1300 CYBER1 (1300 292 371) or

To report a cyber security incident go to or call 1300 CYBER1 (1300 292 371)