There are two categories of compliance associated with ISM controls: 'must' and 'should'. These compliance requirements are determined according to the degree of security risk an agency would be accepting by not implementing the associated control.
The Australian Signals Directorate's (ASD) assessment of whether a control is a 'must' or a 'should' is based on ASD's experience in providing cyber and information security advice and assistance to the Australian Government and reflects what ASD assesses the risk level to be.
Non-compliance with 'must' and 'must not' controls are likely to represent a high security risk to information and systems.
Non-compliance with 'should' and 'should not' controls are likely to represent a medium-to-low security risk to information and systems.
The Accreditation Authority is able to consider the justification for non-compliance and accept any associated residual security risk. Non-compliance with controls where the authority is marked 'ASD' must be granted by the Director ASD.
It is best to be compliant, however, identifying non-compliance allows you to identify, understand, know, mitigate and accept the associated risk.