Introduction to the Australian ISM and IRAP
The Australian Government Information Security Manual (ISM) is the cornerstone cyber security framework produced by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). It sets out a risk-based, principles-plus-controls approach that organisations use to protect their systems, applications and data from cyber threats. The Information Security Registered Assessors Program (IRAP) is the complementary assessment scheme: it endorses suitably qualified and independent assessors who evaluate the security posture of systems against the ISM and, where relevant, the Protective Security Policy Framework (PSPF), producing an IRAP assessment report that informs an authorising officer's risk-based decision to authorise a system to operate.
This guide is written for two audiences at once. For the auditor or IRAP assessor, it enumerates the cyber security principles, the ISM guidelines (control domains), the maturity model of the Essential Eight, and the discipline of gathering objective evidence to support control effectiveness findings. For the implementer, CISO or security-uplift lead, it lays out how to scope a system, tier controls by data classification, run a phased implementation, and prepare for an IRAP assessment so the resulting report supports an authorisation to operate (ATO). Throughout, this article uses British and Indian English conventions and reflects the ISM as maintained on a quarterly release cadence by the ACSC.
Copyright and licensing note
The ISM is Commonwealth of Australia material published by the ASD/ACSC and is made available under a Creative Commons Attribution 4.0 licence, subject to the ACSC's terms of use and the exclusion of the Commonwealth Coat of Arms and third-party content. This guide is original explanatory commentary written by CyberSigma. It does not reproduce the copyrighted ISM control text, control identifiers verbatim, or the official OSCAL/spreadsheet releases. Always work from the current authoritative ISM release published at cyber.gov.au, as control wording and identifiers change each quarterly update.
What is the ISM / IRAP
The ISM is a living document. Rather than being a static standard frozen at a point in time, the ACSC re-issues it approximately every quarter (historically March, June, September and December) with new, amended and retired controls, each carrying a unique numeric control identifier and a first-published and last-updated date. This cadence lets the framework track emerging threats such as ransomware, supply chain compromise, cloud misconfiguration and identity attacks. The ISM is structured around a small set of enduring cyber security principles supported by a large body of prescriptive, testable controls grouped into thematic guidelines.
The ISM's principles are organised under four activities that describe the lifecycle of a cyber security function: Govern (identify and manage security risks), Protect (implement controls to reduce risk), Detect (identify and understand cyber security events) and Respond (respond to and recover from cyber security incidents). These map deliberately onto internationally recognised functions and give organisations a common vocabulary for describing capability.
IRAP is the assessment vehicle. An IRAP assessor is an individual endorsed by the ASD who holds relevant qualifications and security clearance and who has passed the IRAP training and examination. IRAP assessors are independent of the systems they assess. Their role is not to authorise a system - that authority rests with the system owner's authorising officer - but to provide an objective assessment of the implementation and effectiveness of controls, identify residual risks, and document them so the authorising officer can make an informed, risk-based ATO decision. IRAP is frequently used to assess cloud service providers, gateways, and government or government-adjacent systems handling OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET information.
| Concept | Meaning in the Australian context |
|---|---|
| ISM | Information Security Manual - the control catalogue and principles maintained by ASD/ACSC |
| IRAP | Information Security Registered Assessors Program - the endorsement and assessment scheme |
| IRAP assessor | ASD-endorsed independent professional who assesses systems against the ISM/PSPF |
| PSPF | Protective Security Policy Framework - governance/personnel/physical/information security policy for Commonwealth entities |
| Essential Eight | ASD's prioritised set of eight mitigation strategies with a four-level maturity model |
| Authorising Officer | The accountable executive who accepts residual risk and grants an authorisation to operate |
| ATO | Authorisation to operate - the formal decision permitting a system to process information |
| System security plan (SSP) | The document describing a system, its controls and how the ISM is applied |
Who must comply and scope of applicability
The ISM is mandated for non-corporate Commonwealth entities (NCCEs) through the PSPF, which directs entities to apply the ISM's cyber security principles and controls commensurate with the sensitivity or classification of the information they hold. Corporate Commonwealth entities and wholly-owned Commonwealth companies are strongly encouraged to apply it. Beyond the direct mandate, the ISM's reach extends across the economy because it is the de facto benchmark used to establish trust with government.
| Organisation type | Applicability of ISM / IRAP |
|---|---|
| Non-corporate Commonwealth entities | Mandatory via the PSPF; must apply ISM controls appropriate to classification and hold current authorisations |
| Corporate Commonwealth entities and companies | Strongly encouraged; often adopted contractually or by policy |
| Cloud service providers (CSPs) serving government | Must undergo IRAP assessment of their service to be considered for government workloads; supports the Hosting Certification Framework |
| Systems integrators, MSPs and gateway providers | IRAP assessment expected where they store, process or transmit government information |
| Defence industry participants | Bound via the Defence Industry Security Program (DISP) which references ISM controls |
| State and territory government agencies | Frequently adopt the ISM or align to it for interoperability with the Commonwealth |
| Critical infrastructure operators | May align to ISM/Essential Eight alongside SOCI Act and the Cyber Security Act obligations |
| Private enterprises pursuing government contracts | Adopt ISM/Essential Eight to meet tender and contractual security requirements |
Scope of applicability within an organisation is set by identifying the systems that store, process or transmit government or otherwise sensitive information, and by the highest classification of data handled. A system's classification (OFFICIAL through TOP SECRET) determines the depth of controls required, the physical and personnel security posture, the caveats and compartments in play, and whether the system must sit in an accredited facility.
Structure of the ISM / IRAP
The ISM is built in layers: the cyber security principles at the top set direction; the guidelines (control domains) group the detailed controls thematically; and each control carries a unique identifier, an applicability marking by classification, and a description of the required outcome. The table below sets out the major structural elements a reader will encounter.
| Structural element | Description |
|---|---|
| Cyber security principles | High-level statements grouped under Govern, Protect, Detect and Respond that describe the intent of the framework |
| Guidelines | Thematic chapters (control domains) such as system management, cryptography, gateways, email and networking that hold the detailed controls |
| Controls | Individual, testable requirements with unique numeric identifiers, applicability by classification, and update history |
| Applicability markings | Each control is marked for the classifications to which it applies (OFFICIAL, PROTECTED, SECRET, TOP SECRET) |
| Essential Eight | A prioritised subset of eight mitigation strategies with a defined maturity model |
| Strategies to Mitigate Cyber Security Incidents | The broader catalogue from which the Essential Eight is drawn |
| OSCAL and spreadsheet releases | Machine-readable and tabular publications of the control set for tooling and GRC ingestion |

| ISM activity (function) | Focus |
|---|---|
| Govern | Identifying and managing security risks, roles, and the cyber security strategy |
| Protect | Implementing controls to reduce likelihood and impact of incidents |
| Detect | Identifying and understanding cyber security events through logging and monitoring |
| Respond | Responding to, containing and recovering from cyber security incidents |
Master assessment checklist
This is the operational heart of the guide. The subsections below walk through each ISM guideline (control domain) as an assessment area. For every area we provide what an assessor should verify and the typical objective evidence that demonstrates control effectiveness. This is intended to be comprehensive across the ISM's guidelines; use it alongside the current ISM release to confirm control identifiers and applicability by classification, and record findings as Effective, Ineffective, Partially effective or Not applicable with residual risk noted.
Cyber security roles, governance and risk management
| What to verify | Typical evidence |
|---|---|
| A Chief Information Security Officer (CISO) or equivalent is appointed with defined authority | Appointment letter, role description, delegation instrument, organisation chart |
| System owners are identified and accountable for each system | System register mapping systems to owners and authorising officers |
| A cyber security strategy and supporting policies exist and are approved | Approved strategy, policy suite, board or executive endorsement records |
| Security risk management is performed and risks are recorded and treated | Risk register, risk assessments, treatment plans, residual risk acceptances |
| Authorisation to operate is current for each system before it processes data | Signed ATO letters, expiry dates, re-authorisation schedule |
Guidelines for cyber security incidents
| What to verify | Typical evidence |
|---|---|
| A documented cyber security incident response plan (IRP) exists and is exercised | IRP document, tabletop exercise records, after-action reports |
| A cyber security incident register captures detection, handling and closure | Incident register entries with timelines and classifications |
| Incidents are reported to the ASD/ACSC where required | Copies of ReportCyber or ACSC notifications with reference numbers |
| Roles for incident detection, triage and escalation are assigned | RACI matrix, on-call roster, escalation runbooks |
| Post-incident reviews drive corrective action | Lessons-learned records, closed corrective actions |
Guidelines for procurement and outsourcing
| What to verify | Typical evidence |
|---|---|
| Suppliers and cloud services are assessed for security before engagement | Vendor risk assessments, IRAP reports for CSPs, due-diligence records |
| Contracts include security requirements, right-to-audit and breach notification | Contract clauses, security schedules, data-handling annexes |
| Supply chain risk (including foreign ownership/control) is considered | Supply chain risk assessments, sovereignty and data-residency analysis |
| Managed service providers are governed and monitored | MSP oversight reports, access reviews, SLA/security reporting |
Guidelines for security documentation
| What to verify | Typical evidence |
|---|---|
| A system security plan (SSP) exists for each in-scope system | Current SSP with control implementation statements |
| A statement of applicability / control matrix maps ISM controls to implementation | Control matrix showing implemented, alternative or not-applicable status |
| Standard operating procedures support secure operation | SOPs for patching, backup, access management and monitoring |
| An emergency/incident procedures set is maintained | Incident procedures, business continuity and disaster recovery plans |
| Documentation is version-controlled and reviewed periodically | Document control register, review dates, approvals |
Guidelines for physical security
| What to verify | Typical evidence |
|---|---|
| Facilities are certified/accredited to the classification of information held | Facility certification, SCEC zone ratings, accreditation records |
| Physical access to servers, network and media is controlled | Access control logs, visitor registers, CCTV coverage records |
| ICT equipment and media are protected in transit and at rest | Secure transport procedures, safe/container records, tamper controls |
| Environmental and power protections support availability | UPS/generator test records, environmental monitoring logs |
Guidelines for personnel security
| What to verify | Typical evidence |
|---|---|
| Personnel hold clearances appropriate to the information they access | Clearance records (Baseline/NV1/NV2/PV) mapped to access |
| Security awareness and role-based training are delivered | Training completion records, phishing simulation results |
| Need-to-know and least-privilege principles govern access | Access approval records, periodic access recertification |
| Onboarding and offboarding revoke or grant access promptly | Joiner/mover/leaver records, deprovisioning evidence |
Guidelines for communications infrastructure and communications systems
| What to verify | Typical evidence |
|---|---|
| Cabling infrastructure is installed and separated per classification | Cable registers, colour/separation standards, inspection records |
| Emanation security (TEMPEST) is considered where required | Emanation security assessments for higher classifications |
| Telephony and fax handling of sensitive information is controlled | Telephony policy, secure-phone provisioning records |
| Video and collaboration platforms are approved and configured securely | Approved platform list, hardening baselines, recording controls |
Guidelines for enterprise mobility
| What to verify | Typical evidence |
|---|---|
| Mobile devices are enrolled and managed via MDM/EMM | MDM enrolment reports, compliance dashboards |
| Mobile device baselines enforce encryption, PIN and remote wipe | Device policy configuration, encryption attestation |
| Bring-your-own-device (BYOD) is governed or prohibited per policy | BYOD policy, containerisation configuration, exceptions register |
| Travel and overseas-use risks are managed for mobile devices | Travel device procedures, clean-device issue and sanitisation records |
Guidelines for evaluated products and ICT equipment
| What to verify | Typical evidence |
|---|---|
| Products handling classified data are evaluated/certified where required | Common Criteria certificates, ASD-approved product listings |
| ICT equipment is hardened and configured to vendor and ASD guidance | Hardening baselines, configuration scans against benchmarks |
| Equipment lifecycle from acquisition to disposal is controlled | Asset register, sanitisation and destruction certificates |
| High-assurance requirements are met for higher classifications | HACE/high-assurance product deployment records |
Guidelines for media
| What to verify | Typical evidence |
|---|---|
| Media is labelled and handled per its classification | Media register, labelling standard, handling procedures |
| Media sanitisation and destruction follow ASD-approved methods | Sanitisation logs, destruction certificates, degausser records |
| Media reuse and reclassification are controlled | Reclassification records, sanitisation verification |
| Removable media use is restricted and monitored | USB/device control policy, DLP logs, port-control configuration |
Guidelines for system hardening
| What to verify | Typical evidence |
|---|---|
| Operating systems are hardened to ASD/vendor baselines | Configuration baselines, benchmark scan results (e.g. against CIS/ASD hardening) |
| Application hardening and application control (allow-listing) are enforced | Application control policy, blocked-execution logs |
| Microsoft Office macros and untrusted content are restricted | Macro settings, GPO/Intune policy, execution logs |
| Web browsers, PDF readers and email clients are hardened | Browser hardening config, attachment and script blocking evidence |
| Credentials, service accounts and local admin rights are minimised | Privileged account inventory, LAPS/PAM configuration |
Guidelines for system management
| What to verify | Typical evidence |
|---|---|
| Patch and vulnerability management covers OS and applications on defined timelines | Patch compliance reports, vulnerability scan results, remediation SLAs |
| Change management governs system changes | Change tickets, approvals, CAB records |
| Configuration and asset management maintain an accurate baseline | CMDB, asset inventory, drift-detection reports |
| Administrative activities use secure, jump-host or PAW methods | PAW/jump-host configuration, admin session logs |
| System backups are performed, protected and tested for restoration | Backup schedules, restore-test records, offline/immutable backup evidence |
Guidelines for system monitoring
| What to verify | Typical evidence |
|---|---|
| Event logging is enabled for OS, applications, network and security devices | Logging policy, sample log extracts, coverage matrix |
| Logs are centralised, time-synchronised and protected from tampering | SIEM configuration, NTP settings, log-integrity controls |
| Log retention meets ISM and business requirements | Retention configuration, archive evidence |
| Security events are monitored and alerted on continuously | SOC runbooks, alert rules, on-call arrangements |
| A vulnerability disclosure process exists and threat intelligence feeds inform monitoring | VDP records, threat intel ingestion, ACSC alert action logs |
Guidelines for software development
| What to verify | Typical evidence |
|---|---|
| A secure software development lifecycle (SDLC) is defined and followed | SDLC policy, secure coding standards, gate approvals |
| Application security testing (SAST/DAST/dependency and pen testing) is performed | Test reports, remediation records, retest evidence |
| Development, test and production environments are separated | Environment topology, access separation evidence |
| Web application security controls address common vulnerabilities | OWASP-aligned test results, WAF configuration |
Guidelines for database systems
| What to verify | Typical evidence |
|---|---|
| Databases are hardened, patched and access-controlled | DB hardening baseline, patch records, role/permission review |
| Sensitive data at rest is encrypted where required | Encryption configuration, key management evidence |
| Database activity is logged and monitored | DB audit logs, privileged-query monitoring |
| Database servers are network-segmented from untrusted zones | Segmentation diagrams, firewall rule review |
Guidelines for email
| What to verify | Typical evidence |
|---|---|
| Email authentication (SPF, DKIM, DMARC) is deployed and enforced | DNS records, DMARC reports at enforcement policy |
| Content filtering and anti-malware inspect inbound and outbound mail | Gateway configuration, quarantine and detection logs |
| Email protective marking is applied per classification | Marking tool configuration, sample marked messages |
| Encryption/TLS protects email in transit | TLS enforcement configuration, connector settings |
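The "deployed and enforced" test for DMARC in the table above is a concrete check an assessor can script. The following is an added example written for this guide, not ISM material or any vendor tool: it parses a DMARC TXT record and reports whether the policy is at enforcement (p and the effective sp are quarantine or reject, and pct is 100). The record strings and the agency.example domain are constructed samples; in practice the record comes from a DNS TXT lookup of _dmarc.<domain>.

```python
"""Check whether a DMARC record is at an enforcement policy.

Added example, not part of the ISM or this guide's own material. The record
strings below are constructed samples for a hypothetical agency.example
domain; an assessor would obtain the real one from a TXT lookup of
_dmarc.<domain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING_POLICIES = ("quarantine", "reject")


@dataclass
class DmarcFinding:
    enforced: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    issues: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 tag syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcFinding:
    """Decide whether the record is enforced, listing every reason it is not.

    Enforced means all of: v=DMARC1, p is quarantine or reject, the effective
    subdomain policy (sp, inheriting p when absent) is quarantine or reject,
    and pct is 100 so the policy applies to all failing mail. A missing rua
    tag is recorded as an issue because no aggregate reports will arrive, but
    it does not by itself make the policy unenforced.
    """
    tags = parse_dmarc(record)
    issues: List[str] = []

    version_ok = tags.get("v") == "DMARC1"
    if not version_ok:
        issues.append("missing or unexpected version tag (expected v=DMARC1)")

    policy = tags.get("p")
    policy_ok = policy in ENFORCING_POLICIES
    if not policy_ok:
        issues.append(f"p={policy} is not an enforcement policy (quarantine or reject)")

    subdomain_policy = tags.get("sp", policy)  # sp inherits p when absent
    subdomain_ok = subdomain_policy in ENFORCING_POLICIES
    if not subdomain_ok:
        issues.append(f"effective subdomain policy sp={subdomain_policy} is not enforcing")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
        issues.append(f"pct={tags['pct']!r} is not an integer")
    pct_ok = pct == 100
    if not pct_ok and pct >= 0:
        issues.append(f"pct={pct} applies the policy to only a sample of failing mail")

    if "rua" not in tags:
        issues.append("no rua tag, so aggregate reports are not being collected")

    enforced = version_ok and policy_ok and subdomain_ok and pct_ok
    return DmarcFinding(enforced, policy, subdomain_policy, pct, issues)


# Constructed sample records for the hypothetical agency.example domain.
ENFORCED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@agency.example"

if __name__ == "__main__":
    samples = [("enforced", ENFORCED_RECORD), ("monitor-only", MONITOR_ONLY_RECORD),
               ("partial", PARTIAL_RECORD)]
    for label, record in samples:
        finding = assess_dmarc(record)
        print(f"{label}: enforced={finding.enforced} issues={finding.issues}")
```

A p=none record is evidence that DMARC is deployed but not enforced, and should be recorded as Partially effective rather than Effective.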
Guidelines for networking
| What to verify | Typical evidence |
|---|---|
| Network architecture is segmented by trust and classification | Network diagrams, VLAN/zone design, segmentation test results |
| Network access control and device authentication are enforced | 802.1X/NAC configuration, unauthorised-device detection |
| Wireless networks are secured and separated | Wireless config, encryption standards, guest separation |
| Intrusion detection/prevention monitors network traffic | IDS/IPS configuration and alert logs |
| Service continuity and denial-of-service protections exist | DDoS protection arrangements, failover testing |
Guidelines for cryptography
| What to verify | Typical evidence |
|---|---|
| Approved cryptographic algorithms and protocols (ASD Approved Cryptographic Algorithms) are used | Cipher suite configuration, TLS/IPsec settings |
| High-assurance cryptographic equipment is used where required | HACE deployment records for higher classifications |
| Key management covers generation, distribution, storage and destruction | Key management plan, HSM configuration, key ceremony records |
| Data at rest and in transit is encrypted per classification | Encryption inventory, at-rest and in-transit evidence |
Guidelines for gateways
| What to verify | Typical evidence |
|---|---|
| Gateways between networks of differing trust are architected and controlled | Gateway design, security architecture, data-flow diagrams |
| Cross Domain Solutions (CDS) are used where crossing classification boundaries | CDS accreditation, ASD consultation records |
| Content filtering, data transfer and import/export controls are enforced | Transfer logs, content inspection policy, one-way transfer evidence |
| Web content filtering and web proxy controls protect users | Proxy configuration, category blocking, TLS inspection records |
Guidelines for data transfers
| What to verify | Typical evidence |
|---|---|
| Data import and export are governed by policy and limited to trusted sources | Transfer policy, approval records, source verification |
| Content is scanned/sanitised during transfer between domains | Content sanitisation logs, malware scan evidence |
| Bulk and manual transfers are logged and reviewed | Transfer registers, review records |
Cloud computing and Essential Eight (cross-cutting)
| What to verify | Typical evidence |
|---|---|
| Cloud services hold current IRAP assessments appropriate to classification | IRAP assessment reports, consumer guidance, shared-responsibility matrix |
| Consumer responsibilities in the shared-responsibility model are implemented | Cloud configuration baselines, CSPM findings and remediation |
| The Essential Eight is implemented to the target maturity level | Essential Eight Maturity Model self/independent assessment |
| Application control, patching, MFA and backups meet Essential Eight expectations | Allow-listing logs, patch SLAs, MFA coverage, restore tests |
Scoping, materiality and tiering
ISM controls are not applied uniformly; they are tiered by the classification of the information a system handles. The higher the classification, the more controls apply and the more stringent their implementation. Scoping therefore begins with a data classification exercise and a system boundary definition.
| Classification | Indicative control posture |
|---|---|
| OFFICIAL | Baseline good-practice cyber hygiene; routine ISM controls; Essential Eight recommended |
| OFFICIAL: Sensitive | Enhanced handling, marking and access controls above baseline |
| PROTECTED | Substantially more ISM controls apply; stronger cryptography, gateways, monitoring and personnel clearances |
| SECRET | High-assurance controls, accredited facilities, cleared personnel, restricted connectivity |
| TOP SECRET | Most stringent controls, high-assurance products, strict physical/emanation security and compartmentation |
Materiality also flows from the aggregation of data (many low-classification records may aggregate to a higher effective sensitivity), the criticality of the system to business or national outcomes, and the threat exposure (internet-facing versus air-gapped). Where a control cannot be met as written, the ISM permits alternative controls or a formal risk acceptance, provided the residual risk is documented and accepted by the authorising officer.
Implementation approach
A pragmatic ISM implementation follows a phased path from discovery to sustained assurance. Each phase produces deliverables that feed the eventual IRAP assessment and ATO.
Phase 1 - Discovery and scoping
- Classify information and define system boundaries and data flows
- Identify system owner, authorising officer and stakeholders
- Establish the applicable classification and therefore the applicable ISM control set
- Assess whether an IRAP assessment will be required and to what depth
Deliverables: system inventory, data classification register, scope statement, high-level architecture and data-flow diagrams.
Phase 2 - Gap assessment
- Map current controls to the applicable ISM guidelines and controls
- Perform a maturity assessment of the Essential Eight against the target level
- Identify gaps, alternative controls and areas needing risk acceptance
- Prioritise remediation by risk and effort
Deliverables: control matrix / statement of applicability, gap register, prioritised remediation plan, Essential Eight maturity baseline.
Phase 3 - Remediation and control implementation
- Implement technical controls (hardening, patching, MFA, logging, segmentation, encryption)
- Implement process controls (change, incident, access recertification, backup testing)
- Deploy or configure tooling (SIEM, PAM, MDM, application control, DLP)
- Update documentation - SSP, SOPs, incident and continuity plans
Deliverables: implemented controls with evidence, updated SSP, SOP suite, remediation closure records.
Phase 4 - IRAP assessment and authorisation
- Engage an ASD-endorsed IRAP assessor to conduct Stage 1 (documentation) and Stage 2 (implementation) review
- Support evidence gathering, walkthroughs and technical testing
- Receive the IRAP assessment report with findings and residual risks
- Present residual risks to the authorising officer for an ATO decision
Deliverables: IRAP assessment report, security assessment report, plan of action and milestones (POA&M), signed ATO.
Phase 5 - Continuous assurance
- Operate continuous monitoring, vulnerability management and log review
- Track ISM quarterly releases and update the control baseline accordingly
- Re-assess Essential Eight maturity periodically
- Schedule re-authorisation before ATO expiry and after significant change
Deliverables: continuous monitoring reports, updated risk register, maintained maturity assessments, re-authorisation package.
Maturity and capability model
The Essential Eight Maturity Model (E8MM) is the ISM ecosystem's primary capability model. It defines Maturity Level Zero through Maturity Level Three, describing progressively stronger implementation of the eight mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Target level should be set by threat exposure and risk appetite - many entities target Maturity Level Two, with higher-risk systems targeting Level Three.
| Maturity level | Description |
|---|---|
| Maturity Level Zero | Weaknesses in the entity's overall cyber security posture; mitigation strategies not implemented to the exploited-technique threshold |
| Maturity Level One | Mitigations aligned to adversaries using commodity, widely available tradecraft to gain and expand access |
| Maturity Level Two | Mitigations aligned to adversaries willing to invest more time and use modestly effective tradecraft, including targeting credentials and bypassing weaker controls |
| Maturity Level Three | Mitigations aligned to adaptive, well-resourced adversaries who exploit weaknesses in configuration and monitoring using bespoke tradecraft |
Maturity should be assessed as an aggregate - an entity is only at a level if all eight strategies meet that level's requirements. Assessments may be self-assessed or, for higher assurance, conducted independently by an IRAP assessor or ASD-recognised provider.
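The aggregation rule just stated is easy to get wrong when results are reported per strategy. The following is an added example written for this guide, not ASD's assessment tooling: it encodes the rule that the entity-level maturity is the lowest level met across all eight strategies, and lists the strategies short of a target level. The assessed levels are constructed sample data for a hypothetical system.

```python
"""Aggregate an Essential Eight assessment into an entity-level maturity level.

Added example, not part of the ISM or this guide's own material. Encodes the
E8MM rule that an entity is only at a maturity level when all eight
mitigation strategies meet that level, so the aggregate is the minimum of the
per-strategy levels. SAMPLE_ASSESSMENT is constructed data.
"""
from typing import Dict

ESSENTIAL_EIGHT = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)

# Maturity Level Zero through Maturity Level Three, as defined by the E8MM.
MIN_LEVEL, MAX_LEVEL = 0, 3


def validate_assessment(assessed: Dict[str, int]) -> None:
    """Reject an assessment that omits a strategy or uses an undefined level."""
    missing = [s for s in ESSENTIAL_EIGHT if s not in assessed]
    if missing:
        raise ValueError(f"assessment missing strategies: {missing}")
    unknown = [s for s in assessed if s not in ESSENTIAL_EIGHT]
    if unknown:
        raise ValueError(f"not Essential Eight strategies: {unknown}")
    bad = {s: lvl for s, lvl in assessed.items() if not MIN_LEVEL <= lvl <= MAX_LEVEL}
    if bad:
        raise ValueError(f"levels outside Maturity Level Zero to Three: {bad}")


def entity_maturity_level(assessed: Dict[str, int]) -> int:
    """Entity-level maturity: the lowest level achieved across all eight strategies.

    A single strategy at Maturity Level One holds the whole entity at Level
    One, however strong the other seven are.
    """
    validate_assessment(assessed)
    return min(assessed[s] for s in ESSENTIAL_EIGHT)


def maturity_gaps(assessed: Dict[str, int], target: int) -> Dict[str, int]:
    """Strategies below the target level, with how many levels each falls short.

    An empty result means the entity has reached the target level; this is
    the per-strategy achieved-versus-target figure an uplift plan tracks.
    """
    if not MIN_LEVEL <= target <= MAX_LEVEL:
        raise ValueError(f"target {target} is not a defined maturity level")
    validate_assessment(assessed)
    return {s: target - assessed[s] for s in ESSENTIAL_EIGHT if assessed[s] < target}


# Constructed sample: a system whose target is Maturity Level Two.
SAMPLE_ASSESSMENT = {
    "application control": 2,
    "patch applications": 3,
    "configure Microsoft Office macro settings": 2,
    "user application hardening": 1,
    "restrict administrative privileges": 2,
    "patch operating systems": 2,
    "multi-factor authentication": 2,
    "regular backups": 3,
}

if __name__ == "__main__":
    level = entity_maturity_level(SAMPLE_ASSESSMENT)
    print(f"Entity-level maturity: Maturity Level {level}")
    for strategy, short in maturity_gaps(SAMPLE_ASSESSMENT, target=2).items():
        print(f"  below target: {strategy} (short by {short} level(s))")
```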
Assessment and audit approach
An IRAP assessment is a structured, two-stage engagement that mirrors risk-based assurance methodologies. The following steps describe the end-to-end approach an assessor and organisation will follow.
- Scope and plan the assessment: confirm system boundary, classification, applicable controls and assessment stages with the IRAP assessor and system owner.
- Stage 1 - security assessment planning and documentation review: examine the SSP, control matrix, risk assessment and supporting documentation for completeness and adequacy of design.
- Stage 2 - control implementation and effectiveness review: conduct interviews, configuration inspection, sampling and technical testing to confirm controls operate as documented.
- Gather objective evidence for each in-scope control and record an effectiveness finding with supporting rationale.
- Identify residual security risks where controls are ineffective, partially effective or replaced by alternatives, and assign risk ratings.
- Produce the IRAP assessment report and security assessment report documenting findings, residual risks and recommendations.
- Develop a plan of action and milestones (POA&M) to remediate outstanding weaknesses over time.
- Present the assessment outputs to the authorising officer, who makes a risk-based authorisation to operate decision.
- Establish continuous monitoring and schedule re-assessment before ATO expiry or after significant change.
Evidence request list
Assessors will request evidence across governance, technical and operational categories. Organising an evidence library ahead of assessment materially shortens the engagement.
- Governance: cyber security strategy, policy suite, CISO/system-owner appointments, risk register, risk acceptances, previous ATO letters
- Documentation: system security plan, control matrix / statement of applicability, SOPs, incident response plan, business continuity and disaster recovery plans
- Architecture: network and data-flow diagrams, system boundary definition, asset and configuration inventory (CMDB)
- Access management: identity provider configuration, MFA coverage, privileged access management records, access recertification evidence
- Hardening and configuration: OS and application hardening baselines, benchmark scan results, application control policy and logs
- Vulnerability and patch: vulnerability scan reports, patch compliance dashboards, remediation SLAs and records
- Monitoring and logging: logging policy, SIEM configuration, sample log extracts, alerting rules, SOC runbooks
- Cryptography: approved-algorithm configuration, key management plan, HSM/TLS/IPsec settings
- Backup and recovery: backup schedules, restore-test evidence, immutable/offline backup arrangements
- Personnel and physical: clearance records, training and awareness completion, facility certifications, physical access logs
- Supplier and cloud: vendor risk assessments, CSP IRAP reports, shared-responsibility matrices, contracts and security schedules
- Incident and change: incident register, ReportCyber/ACSC notifications, change records and CAB approvals
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Authorising Officer | Accepts residual risk and grants the authorisation to operate; accountable for the system's risk posture |
| System Owner | Owns the system, its SSP and control implementation; sponsors remediation and assessment |
| Chief Information Security Officer (CISO) | Sets cyber security strategy and policy; oversees risk management and assurance across the entity |
| IRAP Assessor | Independently assesses controls against the ISM/PSPF and documents findings and residual risks |
| Security Operations / SOC | Monitors, detects and responds to cyber security events; maintains logging and alerting |
| IT / Platform Teams | Implement and operate technical controls - hardening, patching, backups, segmentation |
| Risk and Compliance | Maintains the risk register, tracks control assurance and coordinates re-authorisation |
| Personnel Security / HR | Manages clearances, onboarding/offboarding and security awareness training |
| Procurement / Vendor Management | Ensures supplier and cloud security requirements and IRAP assessments are in place |
KPIs and metrics to track
- Essential Eight maturity level achieved per strategy versus target
- Percentage of assets patched within defined SLA windows for critical and high vulnerabilities
- MFA coverage across privileged, remote and internet-facing access
- Mean time to detect (MTTD) and mean time to respond (MTTR) for cyber security incidents
- Percentage of systems with a current, valid authorisation to operate
- Backup restore-test success rate, and the proportion of restore tests that met the defined recovery time and recovery point objectives
- Log coverage percentage against the defined logging matrix
- Number of open high/critical findings and average age of remediation
- Percentage of privileged accounts under PAM and reviewed each cycle
- Security awareness training completion and phishing simulation failure rate
- Number of in-scope cloud services with current IRAP assessments
- Percentage of ISM control matrix items marked Effective versus Ineffective/Partial
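The log-coverage KPI above is easy to overstate: a SIEM dashboard showing "hosts reporting" counts a server that forwards one chatty debug log while its security log is silent. The example below, added here and not taken from the ISM or from any tool, computes coverage the way the KPI is worded, against a logging matrix of required sources per asset tier, and treats a source whose last event is older than a staleness threshold as a gap. The matrix, tiers, hostnames, timestamps and 24-hour threshold are all constructed for illustration, not ISM values.

```python
"""Log-coverage KPI: measure (host, source) pairs required by a logging matrix
against what the SIEM has actually received, rather than 'hosts seen'.

All data below is constructed for the example; the matrix, tiers and
thresholds are hypothetical, not values taken from the ISM.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical logging matrix: which log sources each asset tier must forward.
LOGGING_MATRIX = {
    "domain-controller": {"security", "sysmon", "dns"},
    "linux-server": {"auth", "audit"},
    "web-proxy": {"access"},
}

# Constructed CMDB extract.
INVENTORY = [
    {"host": "dc01", "tier": "domain-controller"},
    {"host": "dc02", "tier": "domain-controller"},
    {"host": "app01", "tier": "linux-server"},
    {"host": "proxy01", "tier": "web-proxy"},
    {"host": "kiosk01", "tier": "kiosk"},  # tier with no row in the matrix
]

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SIEM summary: most recent event per (host, source).
LAST_SEEN = {
    ("dc01", "security"): NOW - timedelta(minutes=5),
    ("dc01", "sysmon"): NOW - timedelta(minutes=7),
    ("dc01", "dns"): NOW - timedelta(minutes=2),
    ("dc02", "security"): NOW - timedelta(minutes=3),
    ("dc02", "sysmon"): NOW - timedelta(days=3),     # forwarder stalled
    # dc02 never onboarded its DNS log: no entry at all
    ("app01", "auth"): NOW - timedelta(minutes=1),
    ("app01", "audit"): NOW - timedelta(minutes=1),
    ("proxy01", "access"): NOW - timedelta(minutes=10),
    ("proxy01", "debug"): NOW,                       # not required; must not inflate coverage
    ("kiosk01", "syslog"): NOW - timedelta(minutes=30),
}


def naive_host_coverage(inventory, last_seen):
    """The misleading metric: share of inventory hosts that sent anything to the SIEM."""
    seen_hosts = {host for host, _ in last_seen}
    hosts = [asset["host"] for asset in inventory]
    return round(100 * sum(host in seen_hosts for host in hosts) / len(hosts), 1)


def log_coverage(inventory, matrix, last_seen, now, stale_after=timedelta(hours=24)):
    """Coverage against the logging matrix.

    A required source counts as covered only if its latest event is newer than
    `stale_after`; otherwise it is reported as 'stale' (forwarder broken) or
    'missing' (never onboarded). Hosts whose tier has no matrix row cannot be
    assessed and are listed separately rather than silently skipped.
    """
    required = covered = 0
    gaps = []      # (host, source, reason)
    unmapped = []  # hosts with no matrix entry for their tier
    for asset in inventory:
        sources = matrix.get(asset["tier"])
        if sources is None:
            unmapped.append(asset["host"])
            continue
        for source in sorted(sources):
            required += 1
            last = last_seen.get((asset["host"], source))
            if last is None:
                gaps.append((asset["host"], source, "missing"))
            elif now - last > stale_after:
                gaps.append((asset["host"], source, "stale"))
            else:
                covered += 1
    pct = round(100 * covered / required, 1) if required else 0.0
    return {"required": required, "covered": covered, "coverage_pct": pct,
            "gaps": gaps, "unmapped": unmapped}


if __name__ == "__main__":
    print(f"hosts reporting (naive): {naive_host_coverage(INVENTORY, LAST_SEEN)}%")
    result = log_coverage(INVENTORY, LOGGING_MATRIX, LAST_SEEN, NOW)
    print(f"matrix coverage: {result['coverage_pct']}% "
          f"({result['covered']}/{result['required']} required sources)")
    for host, source, reason in result["gaps"]:
        print(f"  gap: {host} {source} ({reason})")
    for host in result["unmapped"]:
        print(f"  unmapped tier, cannot assess: {host}")
```

On the constructed data every host has sent something, so the naive figure is 100%, while the matrix-based figure is 77.8% with two gaps on dc02 and one host that the matrix does not cover at all. The second number is the one an assessor will ask for, and the gap list is the evidence that supports it.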
Readiness checklist
- Information classified and system boundaries and data flows documented
- System owner and authorising officer identified and engaged
- Applicable ISM control set determined by classification
- System security plan and control matrix completed and current
- Essential Eight assessed against a defined target maturity level
- MFA enforced for privileged, remote and internet-facing access
- Application control and hardening baselines deployed and monitored
- Patch and vulnerability management operating within defined SLAs
- Centralised logging and continuous monitoring in place
- Backups performed, protected and restore-tested
- Incident response plan documented and exercised
- Cloud services and suppliers hold current IRAP assessments where required
- Risk register and residual risk acceptances documented
- Evidence library assembled and mapped to controls
- IRAP assessor engaged and assessment scope agreed
- Re-authorisation and continuous assurance schedule established
Common gaps and findings
- Essential Eight implemented partially - MFA or application control present but not to the claimed maturity level across all systems
- Patch timelines exceeded for internet-facing services, leaving exploitable windows open
- System security plan outdated or missing control implementation detail, so design cannot be verified
- Logging gaps - critical systems not forwarding logs to the SIEM or insufficient retention
- Privileged access sprawl - excessive local admin rights and unmanaged service accounts
- Backups not restore-tested, or backups reachable and mutable from production (ransomware risk)
- Cloud shared-responsibility misunderstood - consumer-side configuration left insecure despite an IRAP-assessed platform
- Alternative controls used without documented, accepted residual risk
- Physical or personnel security not aligned to the classification of information handled
- Authorisation to operate lapsed or granted without addressing known high risks
- Email authentication (DMARC) left in monitor mode (p=none) rather than quarantine or reject, so mail that fails authentication is still delivered and the domain remains spoofable
- Segmentation weak - flat networks allow lateral movement between trust zones
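The DMARC finding above is usually a one-line fact in a report, but it is worth checking mechanically, because a record can look enforcing and still not be: pct= below 100, a missing subdomain policy, or no reporting address each weaken it. The checker below is an added example written for this guide, not code from the ISM, ACSC or any vendor. It parses a DMARC TXT record per RFC 7489 tag syntax and reports why the record does or does not enforce. The sample records, domain and mailbox are constructed; in practice the record is fetched from the TXT record at _dmarc.<domain>.

```python
"""Assess a DMARC TXT record for the 'monitor only' gap and related weaknesses.

Sample records are embedded so the check runs offline; in practice the record
is the TXT record at _dmarc.<domain>, fetched with dnspython or `dig TXT`.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ENFORCING_POLICIES = ("quarantine", "reject")
VALID_POLICIES = ("none",) + ENFORCING_POLICIES


@dataclass
class DmarcAssessment:
    valid: bool
    policy: str | None
    subdomain_policy: str | None
    pct: int
    enforcing: bool
    findings: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into tag/value pairs.

    Tag names are case-insensitive; if a tag is repeated, the first occurrence wins.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return whether the record actually enforces, and if not, why."""
    tags = parse_dmarc(record)
    findings: list[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, None, 0, False,
                               ["not a DMARC record: missing v=DMARC1"])

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(False, policy or None, None, 0, False,
                               ["missing or invalid p= tag; receivers will ignore the record"])

    # The subdomain policy defaults to the organisational policy when sp= is absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        findings.append(f"invalid sp={subdomain_policy}; receivers fall back to p=")
        subdomain_policy = policy

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    pct = max(0, min(pct, 100))

    if policy == "none":
        findings.append("p=none is monitor-only: mail failing DMARC is still delivered")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable even though p= enforces")
    if pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so failures stay invisible")

    enforcing = (policy in ENFORCING_POLICIES
                 and subdomain_policy in ENFORCING_POLICIES
                 and pct == 100)
    return DmarcAssessment(True, policy, subdomain_policy, pct, enforcing, findings)


# Constructed sample records (hypothetical domain and mailbox).
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov.au",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.gov.au",
    "not_dmarc": "v=spf1 include:_spf.example.gov.au -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = assess_dmarc(record)
        status = "ENFORCING" if result.enforcing else "GAP"
        print(f"{name:13} {status:9} p={result.policy} sp={result.subdomain_policy} pct={result.pct}")
        for finding in result.findings:
            print(f"    - {finding}")
```

The "partial" sample is the case that catches people: p=quarantine reads as enforcement, but with pct=25 three quarters of failing mail is delivered as if the policy were none. Recording the finding text alongside the raw record gives the assessor both the observation and the evidence.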
ISM / IRAP mapped to other frameworks
The ISM shares conceptual DNA with international frameworks, which helps organisations reuse effort and communicate posture to global stakeholders. The mapping below is indicative and directional rather than a control-by-control crosswalk.
| ISM / IRAP element | Comparable element in other frameworks |
|---|---|
| Govern / Protect / Detect / Respond activities | NIST CSF functions (Identify, Protect, Detect, Respond, Recover); ISO/IEC 27001 clauses and Annex A |
| System security plan and control matrix | NIST 800-53 SSP; ISO 27001 Statement of Applicability |
| IRAP assessment and ATO | US FedRAMP / NIST RMF assessment and authorisation (A&A); ISO 27001 certification audit |
| Essential Eight maturity model | CIS Controls Implementation Groups; NIST CSF Implementation Tiers (loosely, since the tiers describe risk-management practice rather than control maturity) |
| Cryptography guidelines (ASD approved cryptographic algorithms and protocols) | NIST FIPS-approved algorithms and FIPS 140-3 validated cryptographic modules |
| Cloud IRAP assessment | FedRAMP authorisation; ISO 27017/27018 cloud controls; SOC 2 Type II |
| Incident response guidelines | NIST 800-61; ISO 27035 |
| Supply chain / procurement guidelines | NIST 800-161; ISO 27036 |
| PSPF governance/personnel/physical | ISO 27001 organisational, people and physical controls (Annex A themes) |
How CyberSigma helps
CyberSigma brings CERT-In empanelled and PCI QSA rigour to Australian ISM and IRAP engagements. We run classification and scoping workshops, build your system security plan and ISM control matrix, and perform a gap assessment against the current quarterly ISM release and the Essential Eight Maturity Model. Our uplift teams remediate technical and process gaps - hardening, MFA, application control, logging, segmentation and restore-tested backups - and assemble an assessment-ready evidence library. We coordinate the IRAP assessment with ASD-endorsed assessors, help translate findings into a prioritised POA&M, and support your authorising officer through the ATO decision. Post-authorisation, we operate continuous assurance so you stay aligned as the ISM evolves each quarter. Talk to CyberSigma to move from ISM gap to authorised-to-operate with confidence.