Search

Mergers, acquisitions and Machinery of Government changes   Publication

Jun 10, 2022 - This publication provides guidance on strategies that organisations can apply during mergers, acquisitions and Machinery of Government changes.

2023 top routinely exploited vulnerabilities   Advisory

Nov 13, 2024 - This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

Choosing secure and verifiable technologies: Executive guidance   Publication

Dec 5, 2024 - This guide supports senior leaders to enable their organisations to understand their threat environment and make better-informed assessments and decisions to procure secure technologies.

Identifying and Mitigating Living Off the Land Techniques   Advisory

Feb 8, 2024 - This Guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the following agencies (hereafter referred to as the authoring agencies), provides information on common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

U.S., U.K., and Australia Issue Joint Cybersecurity Advisory   News

Jul 28, 2021 - Cyber Agencies Share Top Routinely Exploited Vulnerabilities

Domain Name System security for domain resolvers   Publication

Oct 6, 2021 - This publication explores DNS security for recursive resolution servers. It also shares helpful strategies to reduce the risk of DNS resolver subversion or compromise.

Secure by Demand   Publication

Jan 14, 2025 - This Secure by Demand guide, authored by CISA with contributions from the following partners, describes how OT owners and operators should integrate security into their procurement process when purchasing industrial automation and control systems as well as other OT products.

Guidelines for cryptography   Advice

Mar 18, 2025 - This chapter of the Information security manual (ISM) provides guidance on cryptography.

IRAP community feedback form  

Mar 1, 2021 - IRAP Community feedback form for the community to comment on a range of topics about the course

Managing the risks of legacy IT: Practitioner guidance   Publication

Jun 12, 2024 - This publication provides guidance for practitioners on managing the risks posed by legacy IT and outlines low-cost mitigations that organisations can draw upon.

Cloud computing security for tenants   Publication

Jan 18, 2024 - This publication is designed to assist an organisation’s cybersecurity team, cloud architects and business representatives to jointly perform a risk assessment and use cloud services securely.

Exercise in a Box  

Nov 17, 2022 - This service provides an all-in-one platform that organisations can use to assess and improve their cybersecurity practices, in a controlled environment, and as many times as they want.

How to become an IRAP Assessor   Program page

Aug 15, 2024 - IRAP Assessors are ASD-endorsed ICT professionals from across Australia who have the necessary experience and qualifications in ICT security assessment and risk management, and a detailed knowledge of ASD's Information Security Manual.

Defending against the malicious use of the Tor network   Publication

Oct 6, 2021 - The Tor network is a system that conceals a user’s IP address. It allows anonymous – and often malicious – communication. This guidance shares advice on how to detect and prevent traffic from the Tor network.

2021 Top Routinely Exploited Vulnerabilities   Advisory

Apr 28, 2022 - This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

System hardening and administration   

Apr 11, 2023 - It is important for all organisations to maintain the cybersecurity of their systems and data.

IRAP training partnership   News

Feb 23, 2021 - The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is partnering with organisations in South Australia and the ACT to deliver cyber security assessment training services for Australian business and organisations.

Planning for critical vulnerabilities: What the board of directors needs to know   Publication

Dec 14, 2023 - This publication provides information on why it is important that the board of directors is aware of and plan for critical vulnerabilities that have the potential to cause major cybersecurity incidents.

Engaging with artificial intelligence   Publication

Jan 24, 2024 - The purpose of this paper is to provide organisations with guidance on how to use artificial intelligence (AI) systems securely. The paper summarises some important threats related to AI systems and includes cybersecurity mitigation strategies to aid organisations in engaging with AI while managing risk. It provides mitigations to assist both organisations that maintain their own AI systems and organisations that use third-party AI systems.

Guidelines for personnel security   Advice

Mar 18, 2025 - This chapter of the Information security manual (ISM) provides guidance on personnel security.

Cybersecurity guidelines  

Jun 13, 2024 - Practical guidance on how an organisation can protect their information technology and operational technology systems, applications and data from cyberthreats.

Best practices for event logging and threat detection   Publication

Aug 22, 2024 - This publication defines a baseline for event logging best practices to mitigate cyberthreats.

The Commonwealth Cyber Security Posture in 2023   Reports and statistics

Nov 16, 2023 - The Commonwealth Cyber Security Posture in 2023 informs Parliament on the implementation of cyber security measures across the Australian Government for the 2022–23 financial year. According to the Flipchart of PGPA Act Commonwealth entities and companies, as of 30 June 2023 the Australian Government comprised 100 non-corporate Commonwealth entities (NCEs), 72 corporate Commonwealth entities (CCEs) and 17 Commonwealth companies (CCs); totalling 189 Australian government entities.

Exploitation of Unitronics Programmable Logic Controllers (PLCs)   Alert

Dec 5, 2023 - The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) is concerned about global exploitation of Programmable Logic Controllers (PLC) and is aware of reports of compromise of these devices in Australia. These devices are present in a number of critical sectors such as water, energy, fuel and healthcare.

Information Security Registered Assessor Program (IRAP)   News

Dec 15, 2022 - The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is further enhancing cyber security assessment and training, improving cyber skills, and creating new cyber careers for Australians through the Information Security Registered Assessor Program (IRAP).

Enhanced visibility and hardening guidance for communications infrastructure   Advisory

Dec 4, 2024 - This guide provides network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network devices against successful exploitation carried out by PRC-affiliated and other malicious cyber actors.

Secure your Wi-Fi and router   Guidance

Oct 29, 2024 - How to make your software, devices and networks harder to access and more resilient to attack.

Advice, guidance and publications  

Nov 3, 2022 - Find the latest cyber security advice, guidance and publications

Cloud computing security for cloud service providers   Publication

Jan 18, 2024 - This publication is designed to assist cloud service providers (CSPs) in offering secure cloud services. It can also assist assessors in validating the security posture of a cloud service, which is often verified through an Infosec Registered Assessors Program (IRAP) assessment of the CSP services.

Malicious email mitigation strategies   Publication

Oct 6, 2021 - Socially engineered emails containing malicious attachments and embedded links are routinely used in targeted cyber intrusions against organisations. This publication has been developed to provide mitigation strategies for the security risks posed by these malicious emails.