ASD / ACSC (Australia) · Australia

Australia ISM & IRAP

Australian government security manual and assessor program.

Introduction to the Australian ISM and IRAP

The Australian Government Information Security Manual (ISM) is the cornerstone cyber security framework produced by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). It sets out a risk-based, principles-plus-controls approach that organisations use to protect their systems, applications and data from cyber threats. The Information Security Registered Assessors Program (IRAP) is the complementary assessment scheme: it endorses suitably qualified and independent assessors who evaluate the security posture of systems against the ISM and, where relevant, the Protective Security Policy Framework (PSPF), producing an IRAP assessment report that informs an authorising officer's risk-based decision to authorise a system to operate.

This guide is written for two audiences at once. For the auditor or IRAP assessor, it enumerates the cyber security principles, the ISM guidelines (control domains), the maturity model of the Essential Eight, and the discipline of gathering objective evidence to support control effectiveness findings. For the implementer, CISO or security-uplift lead, it lays out how to scope a system, tier controls by data classification, run a phased implementation, and prepare for an IRAP assessment so the resulting report supports an authorisation to operate (ATO). Throughout, this article uses British and Indian English conventions and reflects the ISM as maintained on a quarterly release cadence by the ACSC.

Copyright and licensing note
The ISM is Commonwealth of Australia material published by the ASD/ACSC and is made available under a Creative Commons Attribution 4.0 licence, subject to the ACSC's terms of use and the exclusion of the Commonwealth Coat of Arms and third-party content. This guide is original explanatory commentary written by CyberSigma. It does not reproduce the copyrighted ISM control text, control identifiers verbatim, or the official OSCAL/spreadsheet releases. Always work from the current authoritative ISM release published at cyber.gov.au, as control wording and identifiers change each quarterly update.

What is the ISM / IRAP

The ISM is a living document. Rather than being a static standard frozen at a point in time, the ACSC re-issues it approximately every quarter (historically March, June, September and December) with new, amended and retired controls; each control carries a unique numeric identifier, a revision number and the date it was last updated, so a reader can tell which controls have changed since the release they last assessed against. This cadence lets the framework track emerging threats such as ransomware, supply chain compromise, cloud misconfiguration and identity attacks. The ISM is structured around a small set of enduring cyber security principles supported by a large body of prescriptive, testable controls grouped into thematic guidelines.

The ISM's principles are organised under four activities that describe the lifecycle of a cyber security function: Govern (identify and manage security risks), Protect (implement controls to reduce risk), Detect (identify and understand cyber security events) and Respond (respond to and recover from cyber security incidents). These map deliberately onto internationally recognised functions and give organisations a common vocabulary for describing capability.

IRAP is the assessment vehicle. An IRAP assessor is an individual endorsed by the ASD who holds relevant qualifications and security clearance and who has passed the IRAP training and examination. IRAP assessors are independent of the systems they assess. Their role is not to authorise a system - that authority rests with the system owner's authorising officer - but to provide an objective assessment of the implementation and effectiveness of controls, identify residual risks, and document them so the authorising officer can make an informed, risk-based ATO decision. IRAP is frequently used to assess cloud service providers, gateways, and government or government-adjacent systems handling OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET information.

Concept | Meaning in the Australian context
ISM | Information Security Manual - the control catalogue and principles maintained by ASD/ACSC
IRAP | Information Security Registered Assessors Program - the endorsement and assessment scheme
IRAP assessor | ASD-endorsed independent professional who assesses systems against the ISM/PSPF
PSPF | Protective Security Policy Framework - governance/personnel/physical/information security policy for Commonwealth entities
Essential Eight | ASD's prioritised set of eight mitigation strategies with a four-level maturity model
Authorising Officer | The accountable executive who accepts residual risk and grants an authorisation to operate
ATO | Authorisation to operate - the formal decision permitting a system to process information
System security plan (SSP) | The document describing a system, its controls and how the ISM is applied

Who must comply and scope of applicability

The ISM is mandated for non-corporate Commonwealth entities (NCCEs) through the PSPF, which directs entities to apply the ISM's cyber security principles and controls commensurate with the sensitivity or classification of the information they hold. Corporate Commonwealth entities and wholly-owned Commonwealth companies are strongly encouraged to apply it. Beyond the direct mandate, the ISM's reach extends across the economy because it is the de facto benchmark used to establish trust with government.

Organisation type | Applicability of ISM / IRAP
Non-corporate Commonwealth entities | Mandatory via the PSPF; must apply ISM controls appropriate to classification and hold current authorisations
Corporate Commonwealth entities and companies | Strongly encouraged; often adopted contractually or by policy
Cloud service providers (CSPs) serving government | Must undergo IRAP assessment of their service to be considered for government workloads; supports the Hosting Certification Framework
Systems integrators, MSPs and gateway providers | IRAP assessment expected where they store, process or transmit government information
Defence industry participants | Bound via the Defence Industry Security Program (DISP), which references ISM controls
State and territory government agencies | Frequently adopt the ISM or align to it for interoperability with the Commonwealth
Critical infrastructure operators | May align to ISM/Essential Eight alongside SOCI Act and Cyber Security Act obligations
Private enterprises pursuing government contracts | Adopt ISM/Essential Eight to meet tender and contractual security requirements

Scope of applicability within an organisation is set by identifying the systems that store, process or transmit government or otherwise sensitive information, and by the highest classification of data handled. A system's classification (OFFICIAL through TOP SECRET) determines the depth of controls required, the physical and personnel security posture, the caveats and compartments in play, and whether the system must sit in an accredited facility.

Structure of the ISM / IRAP

The ISM is built in layers: the cyber security principles at the top set direction; the guidelines (control domains) group the detailed controls thematically; and each control carries a unique identifier, an applicability marking by classification, and a description of the required outcome. The table below sets out the major structural elements a reader will encounter.

Structural element | Description
Cyber security principles | High-level statements grouped under Govern, Protect, Detect and Respond that describe the intent of the framework
Guidelines | Thematic chapters (control domains) such as system management, cryptography, gateways, email and networking that hold the detailed controls
Controls | Individual, testable requirements with unique numeric identifiers, applicability by classification, and update history
Applicability markings | Each control is marked either as applying to all systems or to a subset of OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET
Essential Eight | A prioritised subset of eight mitigation strategies with a defined maturity model
Strategies to Mitigate Cyber Security Incidents | The broader catalogue from which the Essential Eight is drawn
OSCAL and spreadsheet releases | Machine-readable and tabular publications of the control set for tooling and GRC ingestion

ISM activity (function) | Focus
Govern | Identifying and managing security risks, roles, and the cyber security strategy
Protect | Implementing controls to reduce likelihood and impact of incidents
Detect | Identifying and understanding cyber security events through logging and monitoring
Respond | Responding to, containing and recovering from cyber security incidents

Master assessment checklist

This is the operational heart of the guide. The subsections below walk through each ISM guideline (control domain) as an assessment area. For every area we set out what an assessor should verify and the typical objective evidence that demonstrates control effectiveness. The list is intended to be comprehensive across the ISM's guidelines; use it alongside the current ISM release to confirm control identifiers and applicability by classification, and record each control using the implementation statuses of the current ASD assessment report template (for example Effective, Ineffective, Alternate control, Not implemented or Not applicable), with any residual risk noted.

Cyber security roles, governance and risk management

What to verify | Typical evidence
A Chief Information Security Officer (CISO) or equivalent is appointed with defined authority | Appointment letter, role description, delegation instrument, organisation chart
System owners are identified and accountable for each system | System register mapping systems to owners and authorising officers
A cyber security strategy and supporting policies exist and are approved | Approved strategy, policy suite, board or executive endorsement records
Security risk management is performed and risks are recorded and treated | Risk register, risk assessments, treatment plans, residual risk acceptances
Authorisation to operate is current for each system before it processes data | Signed ATO letters, expiry dates, re-authorisation schedule

Guidelines for cyber security incidents

What to verify | Typical evidence
A documented cyber security incident response plan (IRP) exists and is exercised | IRP document, tabletop exercise records, after-action reports
A cyber security incident register captures detection, handling and closure | Incident register entries with timelines and classifications
Incidents are reported to the ASD/ACSC where required | Copies of ReportCyber or ACSC notifications with reference numbers
Roles for incident detection, triage and escalation are assigned | RACI matrix, on-call roster, escalation runbooks
Post-incident reviews drive corrective action | Lessons-learned records, closed corrective actions

Guidelines for procurement and outsourcing

What to verify | Typical evidence
Suppliers and cloud services are assessed for security before engagement | Vendor risk assessments, IRAP reports for CSPs, due-diligence records
Contracts include security requirements, right-to-audit and breach notification | Contract clauses, security schedules, data-handling annexes
Supply chain risk (including foreign ownership/control) is considered | Supply chain risk assessments, sovereignty and data-residency analysis
Managed service providers are governed and monitored | MSP oversight reports, access reviews, SLA/security reporting

Guidelines for security documentation

What to verify | Typical evidence
A system security plan (SSP) exists for each in-scope system | Current SSP with control implementation statements
A statement of applicability / control matrix maps ISM controls to implementation | Control matrix showing implemented, alternative or not-applicable status
Standard operating procedures support secure operation | SOPs for patching, backup, access management and monitoring
An emergency/incident procedures set is maintained | Incident procedures, business continuity and disaster recovery plans
Documentation is version-controlled and reviewed periodically | Document control register, review dates, approvals

Guidelines for physical security

What to verify | Typical evidence
Facilities are certified/accredited to the classification of information held | Facility certification, SCEC zone ratings, accreditation records
Physical access to servers, network and media is controlled | Access control logs, visitor registers, CCTV coverage records
ICT equipment and media are protected in transit and at rest | Secure transport procedures, safe/container records, tamper controls
Environmental and power protections support availability | UPS/generator test records, environmental monitoring logs

Guidelines for personnel security

What to verify | Typical evidence
Personnel hold clearances appropriate to the information they access | Clearance records (Baseline/NV1/NV2/PV) mapped to access
Security awareness and role-based training is delivered | Training completion records, phishing simulation results
Need-to-know and least-privilege principles govern access | Access approval records, periodic access recertification
Onboarding and offboarding grant or revoke access promptly | Joiner/mover/leaver records, deprovisioning evidence

Guidelines for communications infrastructure and communications systems

What to verify | Typical evidence
Cabling infrastructure is installed and separated per classification | Cable registers, colour/separation standards, inspection records
Emanation security (TEMPEST) is considered where required | Emanation security assessments for higher classifications
Telephony and fax handling of sensitive information is controlled | Telephony policy, secure-phone provisioning records
Video and collaboration platforms are approved and configured securely | Approved platform list, hardening baselines, recording controls

Guidelines for enterprise mobility

What to verify | Typical evidence
Mobile devices are enrolled and managed via MDM/EMM | MDM enrolment reports, compliance dashboards
Mobile device baselines enforce encryption, PIN and remote wipe | Device policy configuration, encryption attestation
Bring-your-own-device (BYOD) is governed or prohibited per policy | BYOD policy, containerisation configuration, exceptions register
Travel and overseas-use risks are managed for mobile devices | Travel device procedures, clean-device issue and sanitisation records

Guidelines for evaluated products and ICT equipment

What to verify | Typical evidence
Products handling classified data are evaluated/certified where required | Common Criteria certificates, entries on ASD's Evaluated Products List (EPL)
ICT equipment is hardened and configured to vendor and ASD guidance | Hardening baselines, configuration scans against benchmarks
Equipment lifecycle from acquisition to disposal is controlled | Asset register, sanitisation and destruction certificates
High-assurance requirements are met for higher classifications | HACE/high-assurance product deployment records

Guidelines for media

What to verify | Typical evidence
Media is labelled and handled per its classification | Media register, labelling standard, handling procedures
Media sanitisation and destruction follow ASD-approved methods | Sanitisation logs, destruction certificates, degausser records
Media reuse and reclassification is controlled | Reclassification records, sanitisation verification
Removable media use is restricted and monitored | USB/device control policy, DLP logs, port-control configuration

Guidelines for system hardening

What to verify | Typical evidence
Operating systems are hardened to ASD/vendor baselines | Configuration baselines, benchmark scan results (e.g. against CIS/ASD hardening)
Application hardening and application control (allow-listing) is enforced | Application control policy, blocked-execution logs
Microsoft Office macros and untrusted content are restricted | Macro settings, GPO/Intune policy, execution logs
Web browsers, PDF readers and email clients are hardened | Browser hardening config, attachment and script blocking evidence
Credentials, service accounts and local admin rights are minimised | Privileged account inventory, LAPS/PAM configuration

Guidelines for system management

What to verify | Typical evidence
Patch and vulnerability management covers OS and applications on defined timelines | Patch compliance reports, vulnerability scan results, remediation SLAs
Change management governs system changes | Change tickets, approvals, CAB records
Configuration and asset management maintain an accurate baseline | CMDB, asset inventory, drift-detection reports
Administrative activities use secure, jump-host or PAW methods | PAW/jump-host configuration, admin session logs
System backups are performed, protected and tested for restoration | Backup schedules, restore-test records, offline/immutable backup evidence
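The first row above ("defined timelines") and the later KPI "percentage of assets patched within defined SLA windows" both come down to the same computation: for each vulnerability finding, derive a deadline from its exposure and severity and compare it with the remediation time. The script below is an added example written for this guide, not ASD tooling. The SLA windows in it are an assumed policy modelled on the Essential Eight patching timeframes (48 hours where an exploit exists or the vendor rates the vulnerability critical, otherwise two weeks for internet-facing services and one month for the rest); substitute the windows from your own policy and the current ISM. The scan export, asset names and reporting time are constructed sample data.

```python
"""Patch-SLA compliance from a vulnerability scan export (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real scan data). Blank 'remediated' means
# the finding is still open. Timestamps are ISO 8601.
SCAN_EXPORT = """asset,exposure,severity,exploit_available,detected,remediated
web01,internet-facing,critical,yes,2024-07-01T09:00,2024-07-02T15:00
web02,internet-facing,high,no,2024-06-20T08:00,2024-07-10T12:00
app01,internal,high,no,2024-07-01T10:00,
db01,internal,critical,no,2024-06-25T10:00,
web03,internet-facing,medium,no,2024-07-10T10:00,
"""

# Assumed reporting time for the sample (the point at which KPIs are cut).
REPORT_TIME = datetime(2024, 7, 15, 12, 0)

# Assumed SLA windows keyed by (exposure, fast_track); adjust to your policy.
SLA_WINDOWS = {
    ("internet-facing", True): timedelta(hours=48),
    ("internet-facing", False): timedelta(weeks=2),
    ("internal", True): timedelta(weeks=2),
    ("internal", False): timedelta(days=30),
}


def load_findings(text):
    """Parse the CSV export into dicts with datetime fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "asset": row["asset"].strip(),
            "exposure": row["exposure"].strip().lower(),
            "severity": row["severity"].strip().lower(),
            "exploit_available": row["exploit_available"].strip().lower() == "yes",
            "detected": datetime.fromisoformat(row["detected"].strip()),
            "remediated": datetime.fromisoformat(row["remediated"].strip())
            if row["remediated"].strip() else None,
        })
    return findings


def due_date(finding):
    """Deadline: detection time plus the window for the finding's exposure,
    fast-tracked when an exploit exists or the severity is critical."""
    fast_track = finding["exploit_available"] or finding["severity"] == "critical"
    return finding["detected"] + SLA_WINDOWS[(finding["exposure"], fast_track)]


def classify(finding, now):
    """'met' or 'breached' for remediated findings; 'open' or 'overdue' otherwise."""
    due = due_date(finding)
    if finding["remediated"] is not None:
        return "met" if finding["remediated"] <= due else "breached"
    return "overdue" if now > due else "open"


def compliance(findings, now):
    """Counts per status plus the KPI: of findings that have reached their
    deadline (met, breached or overdue), the percentage that were met."""
    counts = {"met": 0, "breached": 0, "overdue": 0, "open": 0}
    for finding in findings:
        counts[classify(finding, now)] += 1
    judged = counts["met"] + counts["breached"] + counts["overdue"]
    pct = round(100.0 * counts["met"] / judged, 1) if judged else 100.0
    return counts, pct


def overdue_assets(findings, now):
    """Assets with an open finding past its deadline, for the remediation queue."""
    return sorted({f["asset"] for f in findings if classify(f, now) == "overdue"})


if __name__ == "__main__":
    rows = load_findings(SCAN_EXPORT)
    for row in rows:
        print(row["asset"], classify(row, REPORT_TIME), "due", due_date(row))
    print(compliance(rows, REPORT_TIME), overdue_assets(rows, REPORT_TIME))
```

Open findings that have not yet reached their deadline are deliberately excluded from the percentage, otherwise a burst of fresh findings would make the KPI look worse than the remediation process actually is; the "overdue" list is what the assessor will ask about.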

Guidelines for system monitoring

What to verify | Typical evidence
Event logging is enabled for OS, applications, network and security devices | Logging policy, sample log extracts, coverage matrix
Logs are centralised, time-synchronised and protected from tampering | SIEM configuration, NTP settings, log-integrity controls
Log retention meets ISM and business requirements | Retention configuration, archive evidence
Security events are monitored and alerted on continuously | SOC runbooks, alert rules, on-call arrangements
Vulnerability disclosure and threat intelligence feed monitoring | VDP records, threat intel ingestion, ACSC alert action logs

Guidelines for software development

What to verify | Typical evidence
A secure software development lifecycle (SDLC) is defined and followed | SDLC policy, secure coding standards, gate approvals
Application security testing (SAST/DAST/dependency and pen testing) is performed | Test reports, remediation records, retest evidence
Development, test and production environments are separated | Environment topology, access separation evidence
Web application security controls address common vulnerabilities | OWASP-aligned test results, WAF configuration

Guidelines for database systems

What to verify | Typical evidence
Databases are hardened, patched and access-controlled | DB hardening baseline, patch records, role/permission review
Sensitive data at rest is encrypted where required | Encryption configuration, key management evidence
Database activity is logged and monitored | DB audit logs, privileged-query monitoring
Database servers are network-segmented from untrusted zones | Segmentation diagrams, firewall rule review

Guidelines for email

What to verify | Typical evidence
Email authentication (SPF, DKIM, DMARC) is deployed and enforced | SPF, DKIM and DMARC DNS TXT records, DMARC policy at p=quarantine or p=reject, samples of aggregate (rua) reports
Content filtering and anti-malware inspect inbound and outbound mail | Gateway configuration, quarantine and detection logs
Email protective marking is applied per classification | Marking tool configuration, sample marked messages
Encryption/TLS protects email in transit | TLS enforcement configuration, connector settings
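"Deployed and enforced" in the first row is where assessors most often find a gap: a DMARC record exists but sits at p=none, SPF ends in ~all, or the advertised DKIM selector has an empty key. The checker below is an added example written for this guide, not ASD tooling. It takes the TXT records as a dict so it runs offline; the record contents, domain names and selector are constructed placeholders. In practice you would fetch the records (for instance with dnspython) and pass them in the same shape.

```python
"""Assess whether SPF, DKIM and DMARC are deployed and enforced (added example)."""

# Constructed sample records (not real DNS data). The DKIM key is a placeholder.
SAMPLE_RECORDS = {
    "agency.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_dmarc.agency.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@agency.example",
    "sel1._domainkey.agency.example": "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA==",
}
WEAK_RECORDS = {
    "weak.example": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "sel1._domainkey.weak.example": "v=DKIM1; k=rsa; p=",  # empty key: selector revoked
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "include", "exists")


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DMARC/DKIM) into a dict; first tag wins."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def evaluate_spf(record):
    """Findings: version, terminal 'all' qualifier, and DNS-lookup terms visible
    at this level (nested includes are not expanded, so the count is a lower bound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"
        body = t.lstrip("+-~?")
        mechanism = body.split(":")[0].split("/")[0]
        if body == "all":
            all_qualifier = qualifier
        elif mechanism in LOOKUP_MECHANISMS or body.startswith("redirect="):
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unmatched senders are neutral rather than rejected")
    elif all_qualifier == "+":
        findings.append("'+all' permits any sender; SPF gives no protection")
    elif all_qualifier != "-":
        findings.append(f"'{all_qualifier}all' is soft or neutral; '-all' is needed for hard fail")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    return findings


def evaluate_dmarc(record):
    """Findings: enforcement policy, sampling percentage, subdomain policy, reporting."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, not enforced")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not enforced")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


def evaluate_dkim(record):
    """Findings for a selector record; an empty p= tag means the key is revoked."""
    if not record.strip():
        return ["no DKIM record published for the selector"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional and defaults to DKIM1
        return ["selector record is not a DKIM1 record"]
    if not tags.get("p"):
        return ["empty p= tag: selector key revoked, no valid signatures possible"]
    return []


def assess_domain(domain, records, selector="sel1"):
    """Return (enforced, findings). enforced is True only when SPF hard-fails, DMARC
    is p=quarantine/reject at pct=100 with reporting, and the DKIM selector has a key."""
    findings = {
        "spf": evaluate_spf(records.get(domain, "")),
        "dmarc": evaluate_dmarc(records.get(f"_dmarc.{domain}", "")),
        "dkim": evaluate_dkim(records.get(f"{selector}._domainkey.{domain}", "")),
    }
    return not any(findings.values()), findings


if __name__ == "__main__":
    for name, recs in (("agency.example", SAMPLE_RECORDS), ("weak.example", WEAK_RECORDS)):
        print(name, assess_domain(name, recs))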

Guidelines for networking

What to verify | Typical evidence
Network architecture is segmented by trust and classification | Network diagrams, VLAN/zone design, segmentation test results
Network access control and device authentication is enforced | 802.1X/NAC configuration, unauthorised-device detection
Wireless networks are secured and separated | Wireless config, encryption standards, guest separation
Intrusion detection/prevention monitors network traffic | IDS/IPS configuration and alert logs
Service continuity and denial-of-service protections exist | DDoS protection arrangements, failover testing

Guidelines for cryptography

What to verify | Typical evidence
Only ASD-Approved Cryptographic Algorithms (AACAs) and ASD-Approved Cryptographic Protocols (AACPs) are used | Cipher suite configuration, TLS/IPsec settings
High-assurance cryptographic equipment is used where required | HACE deployment records for higher classifications
Key management covers generation, distribution, storage and destruction | Key management plan, HSM configuration, key ceremony records
Data at rest and in transit is encrypted per classification | Encryption inventory, at-rest and in-transit evidence

Guidelines for gateways

What to verify | Typical evidence
Gateways between networks of differing trust are architected and controlled | Gateway design, security architecture, data-flow diagrams
Cross Domain Solutions (CDS) are used where crossing classification boundaries | CDS accreditation, ASD consultation records
Content filtering, data transfer and import/export controls are enforced | Transfer logs, content inspection policy, one-way transfer evidence
Web content filtering and web proxy controls protect users | Proxy configuration, category blocking, TLS inspection records

Guidelines for data transfers

What to verify | Typical evidence
Data import and export is governed by policy and trusted sources | Transfer policy, approval records, source verification
Content is scanned/sanitised during transfer between domains | Content sanitisation logs, malware scan evidence
Bulk and manual transfers are logged and reviewed | Transfer registers, review records

Cloud computing and Essential Eight (cross-cutting)

What to verify | Typical evidence
Cloud services hold current IRAP assessments appropriate to classification | IRAP assessment reports, consumer guidance, shared-responsibility matrix
Consumer responsibilities in the shared-responsibility model are implemented | Cloud configuration baselines, CSPM findings and remediation
The Essential Eight is implemented to the target maturity level | Essential Eight Maturity Model self/independent assessment
Application control, patching, MFA and backups meet Essential Eight expectations | Allow-listing logs, patch SLAs, MFA coverage, restore tests

Scoping, materiality and tiering

ISM controls are not applied uniformly; they are tiered by the classification of the information a system handles. The higher the classification, the more controls apply and the more stringent their implementation. Scoping therefore begins with a data classification exercise and a system boundary definition.

Classification | Indicative control posture
OFFICIAL | Baseline good-practice cyber hygiene; routine ISM controls; Essential Eight recommended
OFFICIAL: Sensitive | Enhanced handling, marking and access controls above baseline
PROTECTED | Substantially more ISM controls apply; stronger cryptography, gateways, monitoring and personnel clearances
SECRET | High-assurance controls, accredited facilities, cleared personnel, restricted connectivity
TOP SECRET | Most stringent controls, high-assurance products, strict physical/emanation security and compartmentation

Materiality also flows from the aggregation of data (many low-classification records may aggregate to a higher effective sensitivity), the criticality of the system to business or national outcomes, and the threat exposure (internet-facing versus air-gapped). Where a control cannot be met as written, the ISM permits alternative controls or a formal risk acceptance, provided the residual risk is documented and accepted by the authorising officer.

Implementation approach

A pragmatic ISM implementation follows a phased path from discovery to sustained assurance. Each phase produces deliverables that feed the eventual IRAP assessment and ATO.

Phase 1 - Discovery and scoping

  • Classify information and define system boundaries and data flows
  • Identify system owner, authorising officer and stakeholders
  • Establish the applicable classification and therefore the applicable ISM control set
  • Assess whether an IRAP assessment will be required and to what depth

Deliverables: system inventory, data classification register, scope statement, high-level architecture and data-flow diagrams.

Phase 2 - Gap assessment

  • Map current controls to the applicable ISM guidelines and controls
  • Perform a maturity assessment of the Essential Eight against the target level
  • Identify gaps, alternative controls and areas needing risk acceptance
  • Prioritise remediation by risk and effort

Deliverables: control matrix / statement of applicability, gap register, prioritised remediation plan, Essential Eight maturity baseline.

Phase 3 - Remediation and control implementation

  • Implement technical controls (hardening, patching, MFA, logging, segmentation, encryption)
  • Implement process controls (change, incident, access recertification, backup testing)
  • Deploy or configure tooling (SIEM, PAM, MDM, application control, DLP)
  • Update documentation - SSP, SOPs, incident and continuity plans

Deliverables: implemented controls with evidence, updated SSP, SOP suite, remediation closure records.

Phase 4 - IRAP assessment and authorisation

  • Engage an ASD-endorsed IRAP assessor to conduct Stage 1 (documentation) and Stage 2 (implementation) review
  • Support evidence gathering, walkthroughs and technical testing
  • Receive the IRAP assessment report with findings and residual risks
  • Present residual risks to the authorising officer for an ATO decision

Deliverables: IRAP assessment report, security assessment report, plan of action and milestones (POA&M), signed ATO.

Phase 5 - Continuous assurance

  • Operate continuous monitoring, vulnerability management and log review
  • Track ISM quarterly releases and update the control baseline accordingly
  • Re-assess Essential Eight maturity periodically
  • Schedule re-authorisation before ATO expiry and after significant change

Deliverables: continuous monitoring reports, updated risk register, maintained maturity assessments, re-authorisation package.
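"Track ISM quarterly releases and update the control baseline" is the Phase 5 task that most often slips, because the diff between two releases has to be read out of the spreadsheet by hand. The script below is an added example written for this guide, not ACSC tooling. It assumes each release has been exported from the spreadsheet publication to CSV with at least the columns Identifier, Revision, Updated, Applicability and Description, and that the applicability marking is either "All" or a comma-separated subset of O:S, P, S and TS. The identifiers and control text in it are constructed placeholders, not real ISM controls. The OSCAL release would need a different loader but the same diff logic.

```python
"""Diff two tabular ISM releases and derive baseline actions (added example)."""
import csv
import io

# Constructed sample: fragments of two successive releases (not real controls).
PREVIOUS_RELEASE = """Identifier,Revision,Updated,Applicability,Description
ISM-9001,3,Mar-24,All,Placeholder control text A
ISM-9002,1,Dec-23,"O:S, P, S, TS",Placeholder control text B
ISM-9003,2,Jun-23,"S, TS",Placeholder control text C
"""

CURRENT_RELEASE = """Identifier,Revision,Updated,Applicability,Description
ISM-9001,3,Mar-24,All,Placeholder control text A
ISM-9002,2,Jun-24,"P, S, TS",Placeholder control text B (amended)
ISM-9004,0,Jun-24,All,Placeholder control text D
"""

TRACKED_FIELDS = ("Revision", "Applicability", "Description")


def load_release(text):
    """Parse a CSV release export into {identifier: {column: value}}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        ident = (row.get("Identifier") or "").strip()
        if ident:
            rows[ident] = {k: (v or "").strip() for k, v in row.items()}
    return rows


def diff_releases(previous, current):
    """Classify every identifier seen in either release as new, retired,
    amended (any tracked field changed) or unchanged."""
    result = {"new": [], "retired": [], "amended": [], "unchanged": []}
    for ident in sorted(set(previous) | set(current)):
        old, new = previous.get(ident), current.get(ident)
        if old is None:
            result["new"].append(ident)
        elif new is None:
            result["retired"].append(ident)
        elif any(old[f] != new[f] for f in TRACKED_FIELDS):
            result["amended"].append(ident)
        else:
            result["unchanged"].append(ident)
    return result


def applies_to(row, classification):
    """True if the applicability marking covers the classification
    (assumed format: 'All', or a comma list such as 'P, S, TS')."""
    marking = row["Applicability"]
    if marking.lower() == "all":
        return True
    return classification in {m.strip() for m in marking.split(",")}


def baseline_actions(previous, current, classification):
    """For a system at the given classification: controls to add to its
    baseline, drop from it, or re-verify because wording or scope changed."""
    diff = diff_releases(previous, current)
    actions = {"add": [], "drop": [], "reverify": []}
    for ident in diff["new"]:
        if applies_to(current[ident], classification):
            actions["add"].append(ident)
    for ident in diff["retired"]:
        if applies_to(previous[ident], classification):
            actions["drop"].append(ident)
    for ident in diff["amended"]:
        before = applies_to(previous[ident], classification)
        after = applies_to(current[ident], classification)
        if after and not before:
            actions["add"].append(ident)       # newly in scope at this level
        elif before and not after:
            actions["drop"].append(ident)      # no longer applies at this level
        elif before and after:
            actions["reverify"].append(ident)  # still applies, control changed
    return actions


if __name__ == "__main__":
    prev = load_release(PREVIOUS_RELEASE)
    curr = load_release(CURRENT_RELEASE)
    print(diff_releases(prev, curr))
    for level in ("O:S", "P", "S"):
        print(level, baseline_actions(prev, curr, level))
```

The useful output is the per-classification action list rather than the raw diff: a control whose applicability narrowed is a "drop" for an OFFICIAL: Sensitive system but a "reverify" for a PROTECTED one, and each "reverify" should become a line in the SSP change log and, where the wording changed materially, a fresh evidence request.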

Maturity and capability model

The Essential Eight Maturity Model (E8MM) is the ISM ecosystem's primary capability model. It defines Maturity Level Zero through Maturity Level Three, describing progressively stronger implementation of the eight mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Target level should be set by threat exposure and risk appetite. The PSPF sets Maturity Level Two as the minimum for non-corporate Commonwealth entities, so most entities target at least that level, with higher-risk systems targeting Level Three.

Maturity level | Description
Maturity Level Zero | Weaknesses in the entity's overall cyber security posture that, if exploited, could facilitate a compromise; the Maturity Level One requirements are not met
Maturity Level One | Mitigations aligned to adversaries using commodity, widely available tradecraft to gain and expand access
Maturity Level Two | Mitigations aligned to adversaries willing to invest more time and use modestly effective tradecraft, including targeting credentials and bypassing weaker controls
Maturity Level Three | Mitigations aligned to adaptive, well-resourced adversaries who exploit weaknesses in configuration and monitoring using bespoke tradecraft

Maturity should be assessed as an aggregate - an entity is only at a level if all eight strategies meet that level's requirements. Assessments may be self-assessed or, for higher assurance, conducted independently by an IRAP assessor or ASD-recognised provider.

Assessment and audit approach

An IRAP assessment is a structured, two-stage engagement that mirrors risk-based assurance methodologies. The following steps describe the end-to-end approach an assessor and organisation will follow.

  1. Scope and plan the assessment: confirm system boundary, classification, applicable controls and assessment stages with the IRAP assessor and system owner.
  2. Stage 1 - security assessment planning and documentation review: examine the SSP, control matrix, risk assessment and supporting documentation for completeness and adequacy of design.
  3. Stage 2 - control implementation and effectiveness review: conduct interviews, configuration inspection, sampling and technical testing to confirm controls operate as documented.
  4. Gather objective evidence for each in-scope control and record an effectiveness finding with supporting rationale.
  5. Identify residual security risks where controls are ineffective, not implemented or met only by alternate controls, and assign risk ratings.
  6. Produce the IRAP assessment report and security assessment report documenting findings, residual risks and recommendations.
  7. Develop a plan of action and milestones (POA&M) to remediate outstanding weaknesses over time.
  8. Present the assessment outputs to the authorising officer, who makes a risk-based authorisation to operate decision.
  9. Establish continuous monitoring and schedule re-assessment before ATO expiry or after significant change.

Evidence request list

Assessors will request evidence across governance, technical and operational categories. Organising an evidence library ahead of assessment materially shortens the engagement.

  • Governance: cyber security strategy, policy suite, CISO/system-owner appointments, risk register, risk acceptances, previous ATO letters
  • Documentation: system security plan, control matrix / statement of applicability, SOPs, incident response plan, business continuity and disaster recovery plans
  • Architecture: network and data-flow diagrams, system boundary definition, asset and configuration inventory (CMDB)
  • Access management: identity provider configuration, MFA coverage, privileged access management records, access recertification evidence
  • Hardening and configuration: OS and application hardening baselines, benchmark scan results, application control policy and logs
  • Vulnerability and patch: vulnerability scan reports, patch compliance dashboards, remediation SLAs and records
  • Monitoring and logging: logging policy, SIEM configuration, sample log extracts, alerting rules, SOC runbooks
  • Cryptography: approved-algorithm configuration, key management plan, HSM/TLS/IPsec settings
  • Backup and recovery: backup schedules, restore-test evidence, immutable/offline backup arrangements
  • Personnel and physical: clearance records, training and awareness completion, facility certifications, physical access logs
  • Supplier and cloud: vendor risk assessments, CSP IRAP reports, shared-responsibility matrices, contracts and security schedules
  • Incident and change: incident register, ReportCyber/ACSC notifications, change records and CAB approvals

Roles and responsibilities

Role | Responsibility
Authorising Officer | Accepts residual risk and grants the authorisation to operate; accountable for the system's risk posture
System Owner | Owns the system, its SSP and control implementation; sponsors remediation and assessment
Chief Information Security Officer (CISO) | Sets cyber security strategy and policy; oversees risk management and assurance across the entity
IRAP Assessor | Independently assesses controls against the ISM/PSPF and documents findings and residual risks
Security Operations / SOC | Monitors, detects and responds to cyber security events; maintains logging and alerting
IT / Platform Teams | Implement and operate technical controls - hardening, patching, backups, segmentation
Risk and Compliance | Maintains the risk register, tracks control assurance and coordinates re-authorisation
Personnel Security / HR | Manages clearances, onboarding/offboarding and security awareness training
Procurement / Vendor Management | Ensures supplier and cloud security requirements and IRAP assessments are in place

KPIs and metrics to track

  • Essential Eight maturity level achieved per strategy versus target
  • Percentage of assets patched within defined SLA windows for critical and high vulnerabilities
  • MFA coverage across privileged, remote and internet-facing access
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for cyber security incidents
  • Percentage of systems with a current, valid authorisation to operate
  • Backup restore-test success rate and recovery time/point objectives met
  • Log coverage percentage against the defined logging matrix
  • Number of open high/critical findings and average age of remediation
  • Percentage of privileged accounts under PAM and reviewed each cycle
  • Security awareness training completion and phishing simulation failure rate
  • Number of in-scope cloud services with current IRAP assessments
  • Percentage of ISM control matrix items marked Effective versus Ineffective/Partial

Readiness checklist

  • Information classified and system boundaries and data flows documented
  • System owner and authorising officer identified and engaged
  • Applicable ISM control set determined by classification
  • System security plan and control matrix completed and current
  • Essential Eight assessed against a defined target maturity level
  • MFA enforced for privileged, remote and internet-facing access
  • Application control and hardening baselines deployed and monitored
  • Patch and vulnerability management operating within defined SLAs
  • Centralised logging and continuous monitoring in place
  • Backups performed, protected and restore-tested
  • Incident response plan documented and exercised
  • Cloud services and suppliers hold current IRAP assessments where required
  • Risk register and residual risk acceptances documented
  • Evidence library assembled and mapped to controls
  • IRAP assessor engaged and assessment scope agreed
  • Re-authorisation and continuous assurance schedule established

Common gaps and findings

  • Essential Eight implemented partially - MFA or application control present but not to the claimed maturity level across all systems
  • Patch timelines exceeded for internet-facing services, leaving exploitable windows open
  • System security plan outdated or missing control implementation detail, so design cannot be verified
  • Logging gaps - critical systems not forwarding logs to the SIEM or insufficient retention
  • Privileged access sprawl - excessive local admin rights and unmanaged service accounts
  • Backups not restore-tested, or backups reachable and mutable from production (ransomware risk)
  • Cloud shared-responsibility misunderstood - consumer-side configuration left insecure despite an IRAP-assessed platform
  • Alternative controls used without documented, accepted residual risk
  • Physical or personnel security not aligned to the classification of information handled
  • Authorisation to operate lapsed or granted without addressing known high risks
  • Email authentication (DMARC) left at monitor rather than enforcement
  • Segmentation weak - flat networks allow lateral movement between trust zones
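Of the gaps above, the DMARC one can be checked mechanically from the published record. The following is an added example written for this guide, not ACSC/ASD guidance or CyberSigma tooling: it parses DMARC TXT records (the tag=value format of RFC 7489) and classifies each domain as enforced, partial, monitor-only, missing or invalid, so an assessor can turn "DMARC left at monitor" into a per-domain finding with the reason attached. The domains and records in SAMPLE_RECORDS are constructed; in a real assessment the record string would come from a DNS TXT lookup of _dmarc.<domain>.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Policies that actually act on failing mail; "none" only reports.
ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcFinding:
    domain: str
    policy: str | None
    subdomain_policy: str | None
    pct: int
    status: str                      # enforced | partial | monitor | missing | invalid
    reasons: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str | None) -> DmarcFinding:
    """Classify one domain's DMARC posture; record=None means no TXT record was found."""
    if record is None:
        return DmarcFinding(domain, None, None, 0, "missing", ["no _dmarc TXT record published"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcFinding(domain, tags.get("p"), tags.get("sp"), 0, "invalid",
                            ["record is not a DMARC1 record with a p= tag"])
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))               # pct defaults to 100
    except ValueError:
        pct = 0
    reasons: list[str] = []
    if policy not in ENFORCING:
        reasons.append(f"p={policy} is monitor-only: failing mail is still delivered")
    if subdomain_policy not in ENFORCING:
        reasons.append(f"sp={subdomain_policy} leaves subdomains unenforced")
    if pct < 100:
        reasons.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        reasons.append("no rua= address, so aggregate reports are not collected")
    if policy not in ENFORCING:
        status = "monitor"
    elif subdomain_policy not in ENFORCING or pct < 100:
        status = "partial"
    else:
        status = "enforced"
    return DmarcFinding(domain, policy, subdomain_policy, pct, status, reasons)


# Constructed sample records (reserved .example names, not real domains).
SAMPLE_RECORDS: dict[str, str | None] = {
    "agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "nodmarc.example": None,
}


def report(records: dict[str, str | None]) -> list[DmarcFinding]:
    """Assess every domain in the inventory; anything not 'enforced' is a finding."""
    return [assess_dmarc(domain, record) for domain, record in records.items()]


if __name__ == "__main__":
    for finding in report(SAMPLE_RECORDS):
        print(f"{finding.domain:18} {finding.status:9} {'; '.join(finding.reasons)}")
```

The "partial" status is the case assessors most often miss: a domain can advertise p=quarantine while pct=25 or sp=none quietly exempts most mail or every subdomain, so the evidence for this gap should show all three tags, not just p=.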

ISM / IRAP mapped to other frameworks

The ISM shares conceptual DNA with international frameworks, which helps organisations reuse effort and communicate posture to global stakeholders. The mapping below is indicative and directional rather than a control-by-control crosswalk.

ISM / IRAP element | Comparable element in other frameworks
Govern / Protect / Detect / Respond activities | NIST CSF functions (Identify, Protect, Detect, Respond, Recover); ISO/IEC 27001 clauses and Annex A
System security plan and control matrix | NIST 800-53 SSP; ISO 27001 Statement of Applicability
IRAP assessment and ATO | US FedRAMP/RMF assessment and authorisation (SA&A); ISO 27001 certification audit
Essential Eight maturity model | CIS Controls Implementation Groups; NIST CSF tiers
Cryptography guidelines (ASD approved algorithms) | NIST FIPS 140-3 validated cryptography
Cloud IRAP assessment | FedRAMP authorisation; ISO 27017/27018 cloud controls; SOC 2 Type II
Incident response guidelines | NIST 800-61; ISO 27035
Supply chain / procurement guidelines | NIST 800-161; ISO 27036
PSPF governance/personnel/physical | ISO 27001 organisational, people and physical controls (Annex A themes)

How CyberSigma helps

CyberSigma brings CERT-In empanelled and PCI QSA rigour to Australian ISM and IRAP engagements. We run classification and scoping workshops, build your system security plan and ISM control matrix, and perform a gap assessment against the current quarterly ISM release and the Essential Eight Maturity Model. Our uplift teams remediate technical and process gaps - hardening, MFA, application control, logging, segmentation and restore-tested backups - and assemble an assessment-ready evidence library. We coordinate the IRAP assessment with ASD-endorsed assessors, help translate findings into a prioritised POA&M, and support your authorising officer through the ATO decision. Post-authorisation, we operate continuous assurance so you stay aligned as the ISM evolves each quarter. Talk to CyberSigma to move from ISM gap to authorised-to-operate with confidence.

Frequently asked questions

How do the ISM and Essential Eight relate?
The Essential Eight are baseline mitigation strategies; the ISM is the full control catalogue against which IRAP assessments are performed.