Cloud Controls Matrix Template

Overview
The Cloud Controls Matrix Template is intended for use by Infosec Registered Assessors Program (IRAP)
assessors to capture the implementation of controls from the Information Security Manual (ISM) by a Cloud
Service Provider (CSP). In doing so, the CCM template provides indicative guidance on the scoping of
security assessments, however, it should be noted that the guidance is not definitive and should be
interpreted by IRAP assessors in the context of the services being assessed. The CCM template also
captures the ability for consumers to implement controls for services built upon a CSP's services by
identifying where they are responsible for configuring their own services in accordance with the ISM.

ISM Controls
This content lists the controls from the ISM as typically found in the associated System Security Plan Annex
Template. The applicability markings can be used to filter out security classifications and essential eight
maturity levels that are not applicable to the service being assessed. Note, the 'NC' applicability marking is
applicable to non-classified services offered to all consumers while the 'OS', 'P', 'S' and 'TS' applicability
markings represent additional controls that are only applicable to classified services offered to
Commonwealth entities.

Scoping Considerations
The assessment boundary establishes the scope of protection for a service and must be clearly defined.
Specifically, the assessment boundary is what a CSP agrees to protect, or is within the scope of their
responsibilities. This includes the facilities, people, systems, software, processes and procedures that
support their business functions.

All aspects of a CSP should be considered in scope at the commencement of a security assessment. Any
environments that are subsequently deemed out of scope should be documented in the security
assessment report and accompanied by an adequate justification for their exclusion. In conducting a
security assessment, each environment should be assessed separately ensuring that the assessment covers
each administration environment and cloud production environment.

Administration Environment
This includes controls associated with a CSP’s administration environment. In assessing a CSP’s
administrative environment, this would typically include all machines located in their management offices.
Broadly speaking, where these machines are on a CSP’s corporate network, they must be assessed.
Alternatively, where a dedicated administrative zone and workstations are used, the scope may be
restricted to this environment instead.

Note, a CSP’s corporate environment should be included in scope of the security assessment until it is
proven that it is sufficiently segregated and segmented from the CSP’s cloud production environment and
that the CSP performs secure administrative practices.

Cloud Production - Common Controls

This includes controls associated with the cloud production environment that are common across all
services. Typically this would include all machines located in the data centre.

Cloud Production - System Specific

This includes controls applicable to an individual service that have not been assessed as part of the
common controls assessment. For example, tenancy segmentation and segregation configuration where
these vary between services, or service-specific technologies such as web conferencing.

Implementation of Services
Responsible Entity
List the CSP, any outsourced service provider, or the consumer that is responsible for the implementation
of the control.

Note, similar to a consumer relying on a CSP, the CSP itself may be equally reliant on any outsourced
service provider they use. To this end, it is critical that the consumer is made as aware as possible of the
overall security posture of a CSP by taking into consideration these dependencies.

If performing a security assessment where an outsourced service provider is used by a CSP, the IRAP
assessor needs to determine the risk of the outsourced service. In doing so, the amount of information
available will vary greatly based on the particular outsourced service provider used. As such, the IRAP
security assessor will need to adapt to these circumstances. If the outsourced service provider has not
already undergone an IRAP assessment themselves, or has but is unwilling to share their security
assessment report, this should be explicitly noted in order to provide the consumer with visibility of this
situation. Alternatively, where an existing security assessment report is available, this information should
be captured and presented alongside the assessed service. Note, if the outsourced service provider was
assessed using an earlier version of the ISM a gap analysis will be required.

Not Assessed This control is yet to be assessed in the context of the environment. Note,
this serves as the default implementation status and should be changed to
one of the below status following a security assessment. At the completion
of the security assessment, no control should be marked as 'Not Assessed’.

Cloud Service Provider
Outsourced Service Provider
The cloud service provider is responsible for the implementation and
configuration of this control. Note, the associated consumer control should
be marked as 'Inherited'.
An outsource service provider is responsible for the implementation and
configuration of this control on behalf of the cloud service provider. Note,
the associated consumer control should be marked as 'Inherited'.

Consumer The consumer is responsible for the implementation and configuration of

this control. Note, the associated consumer control should be marked as
'Self Implemented'.
Shared The cloud service provider, and potentially an outsourced service provider,
are responsible for the implementation of this control while the consumer
is responsible for its configuration. Note, the associated consumer control
should be marked as 'Self Configured'.

Not Applicable This control does not apply to the service being assessed. Note, a control
may be marked as 'Not Applicable' for a number of reasons, including: the
technology is not used by the service, the control is not applicable to the
security classification the service is being assessed against, or the control
has been assessed as a common control rather than a service-specific

Implementation Status
This articulates the extent of the implementation of controls within the assessment boundary.
Not Assessed This control is yet to be assessed in the context of the environment. Note,
this serves as the default implementation status and should be changed to
one of the below status following a security assessment. At the completion
of the security assessment, no control should be marked as 'Not Assessed’.
 Effective The CSP is effectively meeting the control's objective. Note, where the CSP
relies on an outsourced service provider to also implement this control, the
control should only be marked as ‘Effective’ if both parties effectively meet
the control’s objective. For example, both the CSP and the outsourced
service provider ensure that multi-factor authentication is used to
authenticate users.

Alternate Control The CSP is effectively meeting the control's objective though an alternate
control. In doing so, the alternate control meets or exceeds the objective of
the original control.
Ineffective The CSP is not adequately meeting the control's objective. Note, this
includes where an alternate control was used in an attempt to meet the
original control's objective but did not meet or exceed the objective of the
original control.

No Visibility The assessor was unable to obtain adequate visibility of the control's
implementation. Note, this will commonly be the case when a CSP relies on
an outsourced service provider to implement the control but was unable to
provide visibility of the outsourced service provider's implementation.

Not Implemented The CSP has decided not to implement the control. For example, the CSP
decided not to invest in the use of dedicated administrative workstations, or
foreign nationals had privileged access to a service.
Not Applicable This control does not apply to the service being assessed. Note, a control
may be marked as 'Not Applicable' for a number of reasons, including: the
technology is not used by the service, the control is not applicable to the
security classification the service is being assessed against, or the control
has been assessed as a common control rather than a service-specific

Implementation Comments
Any amplifying comments relating to the implementation status of a control should be provided at this
point by the IRAP assessor.

Consumer Control Type

This articulates the responsibilities of consumers when using the assessed service.
Not Assessed This control is yet to be assessed in the context of the environment. Note,
this serves as the default implementation status and should be changed to
one of the below status following a security assessment. At the completion
of the security assessment, no control should be marked as 'Not Assessed’.

Inherited The CSP manages the implementation and configuration of this control.
Consumers are not required to implement or configure this control in any
way.
Self Implemented The consumer manages the implementation and configuration of this
control. The CSP is not required to implement or configure this control in
any way.
Self Configured The CSP manages the implementation of this control while the consumer is
responsible for its configuration. For example, while the CSP may offer
multi-factor authentication, it is the consumer’s responsibility to configure
this feature for their user accounts.
 Not Possible The CSP would normally manage the implementation of this control while
the consumer would be responsible for its configuration, however, the CSP
has not implemented this control. For example, the consumer is unable to
configure multi-factor authentication for their user accounts as the CSP
doesn’t offer that functionality.

Not Applicable This control does not apply to the service being assessed. Note, a control
may be marked as 'Not Applicable' for a number of reasons, including: the
technology is not used by the service, the control is not applicable to the
security classification the service is being assessed against, or the control
has been assessed as a common control rather than a service-specific

Consumer Guidance
Any amplifying comments relating to the implementation of a control by a consumer should be provided at
this point by the IRAP assessor.

Further information
Further information on conducting security assessments of cloud services can be found within the Cloud
Assessment and Authorisation publication and the Cloud Security Assessment Report Template.
 ISM Controls Scoping Considerations Implementation of Services
Guideline Section Topic Identifier Revision Updated NC OS P S TS ML1 ML2 ML3 Description Administration Cloud Production - Cloud Production - Responsible Implementation Implementation Consumer Consumer
Environment Common Controls Service Specific Entity Status Comments Control Type Guidance
Guidelines for Cyber Chief Information Providing cyber security ISM-0714 6 Jun-24 Yes Yes Yes Yes Yes No No No A CISO is appointed to provide cyber security leadership and Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer leadership and guidance guidance for their organisation (covering information technology governance of the CSP and the CSP governance of the CSP and
and operational technology). should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing the cyber ISM-1478 1 Oct-20 Yes Yes Yes Yes Yes No No No The CISO oversees their organisation’s cyber security program and Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security program ensures their organisation’s compliance with cyber security policy, governance of the CSP and the CSP governance of the CSP and
standards, regulations and legislation. should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing the cyber ISM-1617 0 Oct-20 Yes Yes Yes Yes Yes No No No The CISO regularly reviews and updates their organisation’s cyber Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security program security program to ensure its relevance in addressing cyber governance of the CSP and the CSP governance of the CSP and
threats and harnessing business and cyber security opportunities. should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing the cyber ISM-1966 0 Dec-24 Yes Yes Yes Yes Yes No No No The CISO develops, implements, maintains and verifies on a regular Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security program basis a register of systems used by their organisation. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing the cyber ISM-0724 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO implements cyber security measurement metrics and key Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security program performance indicators for their organisation. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Coordinating cyber ISM-0725 3 Dec-21 Yes Yes Yes Yes Yes No No No The CISO coordinates cyber security and business alignment Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security through a cyber security steering committee or advisory board, governance of the CSP and the CSP governance of the CSP and
comprising of key cyber security and business executives, which should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
meets formally and on a regular basis. common controls common controls

Guidelines for Cyber Chief Information Coordinating cyber ISM-0726 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO coordinates security risk management activities between Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security cyber security and business teams. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Reporting on cyber ISM-0718 4 Jun-24 Yes Yes Yes Yes Yes No No No The CISO regularly reports directly to their organisation’s executive Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security committee or board of directors on cyber security matters. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Reporting on cyber ISM-1918 0 Jun-24 Yes Yes Yes Yes Yes No No No The CISO regularly reports directly to their organisation’s audit, risk Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security and compliance committee (or equivalent) on cyber security governance of the CSP and the CSP governance of the CSP and
matters. should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing cyber security ISM-0733 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO is fully aware of all cyber security incidents within their Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer incident response organisation. governance of the CSP and the CSP governance of the CSP and
activities should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing cyber security ISM-1618 0 Oct-20 Yes Yes Yes Yes Yes No No No The CISO oversees their organisation’s response to cyber security Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer incident response incidents. governance of the CSP and the CSP governance of the CSP and
activities should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Contributing to business ISM-0734 4 Sep-23 Yes Yes Yes Yes Yes No No No The CISO contributes to the development, implementation and Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer continuity and disaster maintenance of business continuity and disaster recovery plans for governance of the CSP and the CSP governance of the CSP and
recovery planning their organisation to ensure that business-critical services are should be captured by the should be captured by the
supported appropriately in the event of a disaster. common controls common controls Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Chief Information Communicating a cyber ISM-0720 3 Sep-23 Yes Yes Yes Yes Yes No No No The CISO oversees the development, implementation and Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer security vision and maintenance of a cyber security communications strategy to assist governance of the CSP and the CSP governance of the CSP and
strategy in communicating the cyber security vision and strategy for their should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
organisation. common controls common controls

Guidelines for Cyber Chief Information Working with suppliers ISM-0731 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO oversees cyber supply chain risk management activities Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer for their organisation. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Receiving and managing a ISM-0732 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO receives and manages a dedicated cyber security budget Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer dedicated cyber security for their organisation. governance of the CSP and the CSP governance of the CSP and
budget should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing cyber security ISM-0717 2 Oct-20 Yes Yes Yes Yes Yes No No No The CISO oversees the management of cyber security personnel Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer personnel within their organisation. governance of the CSP and the CSP governance of the CSP and
should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber Chief Information Overseeing cyber security ISM-0735 3 Dec-22 Yes Yes Yes Yes Yes No No No The CISO oversees the development, implementation and Not applicable as it relates to the Applicable to the governance of Not applicable as it relates to the
Security Roles Security Officer awareness raising maintenance of their organisation’s cyber security awareness governance of the CSP and the CSP governance of the CSP and
training program. should be captured by the should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Cyber System owners System ownership and ISM-1071 1 Sep-18 Yes Yes Yes Yes Yes No No No Each system has a designated system owner. Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles oversight governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners System ownership and ISM-1525 1 Jan-21 Yes Yes Yes Yes Yes No No No System owners register each system with its authorising officer. Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles oversight governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Protecting systems and ISM-1633 0 Jan-21 Yes Yes Yes Yes Yes No No No System owners determine the type, value and security objectives Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources for each system based on an assessment of the impact if it were to governance of the common the CSP or service
be compromised. cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Protecting systems and ISM-1634 1 Jun-22 Yes Yes Yes Yes Yes No No No System owners select controls for each system and tailor them to Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources achieve desired security objectives. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Protecting systems and ISM-1635 2 Jun-22 Yes Yes Yes Yes Yes No No No System owners implement controls for each system and its Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources operating environment. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Protecting systems and ISM-1636 2 Dec-24 Yes Yes Yes Yes No No No No System owners ensure controls for each system and its operating Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources environment undergo a security assessment by their organisation’s governance of the common the CSP or service
own assessors or Infosec Registered Assessor Program (IRAP) cloud production environment
assessors to determine if they have been implemented correctly Not Assessed Not Assessed Not Assessed
and are operating as intended.

Guidelines for Cyber System owners Protecting systems and ISM-1967 0 Dec-24 No No No No Yes No No No System owners ensure controls for each TOP SECRET system and its Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources operating environment, including each sensitive compartmented governance of the common the CSP or service
information system and its operating environment, undergo a cloud production environment
security assessment by Australian Signals Directorate (ASD)
assessors (or their delegates) to determine if they have been Not Assessed Not Assessed Not Assessed
implemented correctly and are operating as intended.

Guidelines for Cyber System owners Protecting systems and ISM-0027 5 Dec-24 Yes Yes Yes Yes No No No No System owners obtain authorisation to operate each non-classified, Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources OFFICIAL: Sensitive, PROTECTED and SECRET system from its governance of the common the CSP or service
authorising officer based on the acceptance of the security risks cloud production environment Not Assessed Not Assessed Not Assessed
associated with its operation.

Guidelines for Cyber System owners Protecting systems and ISM-1968 0 Dec-24 No No No No Yes No No No System owners obtain authorisation to operate each TOP SECRET Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources system, including each sensitive compartmented information governance of the common the CSP or service
system, from Director-General ASD (or their delegate) based on the cloud production environment
acceptance of the security risks associated with its operation. Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Protecting systems and ISM-1526 2 Jun-22 Yes Yes Yes Yes Yes No No No System owners monitor each system, and associated cyber threats, Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles their resources security risks and controls, on an ongoing basis. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber System owners Annual reporting of ISM-1587 0 Aug-20 Yes Yes Yes Yes Yes No No No System owners report the security status of each system to its Applicable if different to the Applicable to the governance of Applicable if different per system
Security Roles system security status authorising officer at least annually. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Cyber security incident ISM-0576 10 Sep-23 Yes Yes Yes Yes Yes No No No A cyber security incident management policy, and associated cyber Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents management policy security incident response plan, is developed, implemented and governance of the common the CSP or service
maintained. cloud production environment Not Assessed Not Assessed Not Assessed
Guidelines for Cyber Managing cyber security Cyber security incident ISM-1784 1 Sep-23 Yes Yes Yes Yes Yes No No No The cyber security incident management policy, including the Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents management policy associated cyber security incident response plan, is exercised at governance of the common the CSP or service
least annually. cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Cyber security incident ISM-0125 6 Dec-22 Yes Yes Yes Yes Yes No No No A cyber security incident register is developed, implemented and Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents register maintained. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Cyber security incident ISM-1803 0 Dec-22 Yes Yes Yes Yes Yes No No No A cyber security incident register contains the following for each Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents register cyber security incident: management of cyber security the CSP or service
• the date the cyber security incident occurred incidents in the common cloud
• the date the cyber security incident was discovered production environment
• a description of the cyber security incident
• any actions taken in response to the cyber security incident Not Assessed Not Assessed Not Assessed
• to whom the cyber security incident was reported.

Guidelines for Cyber Managing cyber security Insider threat mitigation ISM-1625 2 Jun-24 Yes Yes Yes Yes Yes No No No An insider threat mitigation program is developed, implemented Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents program and maintained. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Insider threat mitigation ISM-1626 1 Jun-24 Yes Yes Yes Yes Yes No No No Legal advice is sought regarding the development and Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents program implementation of an insider threat mitigation program. governance of the common the CSP or service
cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Access to sufficient data ISM-0120 5 May-20 Yes Yes Yes Yes Yes No No No Cyber security personnel have access to sufficient data sources and Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents sources and tools tools to ensure that systems can be monitored for key indicators of governance of the common the CSP or service
compromise. cloud production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Reporting cyber security ISM-0123 4 Jun-23 Yes Yes Yes Yes Yes No Yes Yes Cyber security incidents are reported to the Chief Information Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents incidents Security Officer, or one of their delegates, as soon as possible after management of cyber security the CSP or service
they occur or are discovered. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Reporting cyber security ISM-0140 8 Sep-23 Yes Yes Yes Yes Yes No Yes Yes Cyber security incidents are reported to ASD as soon as possible Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents incidents to ASD after they occur or are discovered. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Reporting cyber security ISM-1880 0 Dec-23 Yes Yes Yes Yes Yes No No No Cyber security incidents that involve customer data are reported to Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents incidents to customers customers and the public in a timely manner after they occur or management of cyber security the CSP or service
and the public are discovered. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Managing cyber security Reporting cyber security ISM-1881 0 Dec-23 Yes Yes Yes Yes Yes No No No Cyber security incidents that do not involve customer data are Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents incidents incidents to customers reported to customers and the public in a timely manner after they management of cyber security the CSP or service
and the public occur or are discovered. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Enacting cyber security ISM-1819 2 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Following the identification of a cyber security incident, the cyber Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents incident response plans security incident response plan is enacted. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-0133 2 Jun-21 Yes Yes Yes Yes Yes No No No When a data spill occurs, data owners are advised and access to Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents data spills the data is restricted. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-0917 7 Oct-19 Yes Yes Yes Yes Yes No No No When malicious code is detected, the following steps are taken to Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents malicious code infections handle the infection: management of cyber security the CSP or service
• the infected systems are isolated incidents in the common cloud
• all previously connected media used in the period leading up to production environment
the infection are scanned for signs of infection and isolated if
necessary
• antivirus software is used to remove the infection from infected Not Assessed Not Assessed Not Assessed
systems and media
• if the infection cannot be reliably removed, systems are restored
from a known good backup or rebuilt.

Guidelines for Cyber Responding to cyber Handling and containing ISM-1969 0 Dec-24 Yes Yes Yes Yes Yes No No No Malicious code, when stored or communicated, is treated Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents malicious code infections beforehand to prevent accidental execution. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-1970 0 Dec-24 Yes Yes Yes Yes Yes No No No Malicious code processed for cyber security incident response or Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents malicious code infections research purposes is done so in a dedicated analysis environment management of cyber security the CSP or service
that is segregated from other systems. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-0137 4 Dec-21 Yes Yes Yes Yes Yes No No No Legal advice is sought before allowing intrusion activity to continue Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents intrusions on a system for the purpose of collecting further data or evidence. management of cyber security the CSP or service
incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-1609 2 Dec-21 Yes Yes Yes Yes Yes No No No System owners are consulted before allowing intrusion activity to Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents intrusions continue on a system for the purpose of collecting further data or management of cyber security the CSP or service
evidence. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-1731 0 Dec-21 Yes Yes Yes Yes Yes No No No Planning and coordination of intrusion remediation activities are Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents intrusions conducted on a separate system to that which has been management of cyber security the CSP or service
compromised. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-1732 0 Dec-21 Yes Yes Yes Yes Yes No No No To the extent possible, all intrusion remediation activities are Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents intrusions conducted in a coordinated manner during the same planned management of cyber security the CSP or service
outage. incidents in the common cloud
production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Handling and containing ISM-1213 3 Sep-23 Yes Yes Yes Yes Yes No No No Following intrusion remediation activities, full network traffic is Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents intrusions captured for at least seven days and analysed to determine management of cyber security the CSP or service
whether malicious actors have been successfully removed from the incidents in the common cloud
system. production environment Not Assessed Not Assessed Not Assessed

Guidelines for Cyber Responding to cyber Maintaining the integrity ISM-0138 5 Mar-23 Yes Yes Yes Yes Yes No No No The integrity of evidence gathered during an investigation is Applicable if different to the Applicable to the governance of Applicable if different per system
Security Incidents security incidents of evidence maintained by investigators: management of cyber security the CSP or service
• recording all of their actions incidents in the common cloud
• maintaining a proper chain of custody production environment Not Assessed Not Assessed Not Assessed
• following all instructions provided by relevant law enforcement
agencies.

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1631 3 Jun-24 Yes Yes Yes Yes Yes No No No Suppliers of applications, IT equipment, OT equipment and services Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities associated with systems are identified. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1452 5 Jun-24 Yes Yes Yes Yes Yes No No No A supply chain risk assessment is performed for suppliers of Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities applications, IT equipment, OT equipment and services in order to governance of the CSP and arrangements between the CSP or service
Outsourcing assess the impact to a system’s security risk profile. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers
Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1567 2 Sep-22 Yes Yes Yes Yes Yes No No No Suppliers identified as high risk by a cyber supply chain risk Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities assessment are not used. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1568 5 Jun-24 Yes Yes Yes Yes Yes No No No Applications, IT equipment, OT equipment and services are chosen Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities from suppliers that have demonstrated a commitment to the governance of the CSP and arrangements between the CSP or service
Outsourcing security of their products and services. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1882 1 Jun-24 Yes Yes Yes Yes Yes No No No Applications, IT equipment, OT equipment and services are chosen Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities from suppliers that have demonstrated a commitment to governance of the CSP and arrangements between the CSP or service
Outsourcing transparency for their products and services. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1632 4 Jun-24 Yes Yes Yes Yes Yes No No No Applications, IT equipment, OT equipment and services are chosen Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities from suppliers that have a strong track record of maintaining the governance of the CSP and arrangements between the CSP or service
Outsourcing security of their own systems and cyber supply chains. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Cyber supply chain risk ISM-1569 2 Sep-22 Yes Yes Yes Yes Yes No No No A shared responsibility model is created, documented and shared Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management activities between suppliers and their customers in order to articulate the governance of the CSP and arrangements between the CSP or service
Outsourcing security responsibilities of each party. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Supplier relationship ISM-1785 1 Dec-22 Yes Yes Yes Yes Yes No No No A supplier relationship management policy is developed, Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management implemented and maintained. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Supplier relationship ISM-1786 1 Dec-22 Yes Yes Yes Yes Yes No No No An approved supplier list is developed, implemented and Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management management maintained. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Sourcing applications, IT ISM-1787 2 Jun-24 Yes Yes Yes Yes Yes No No No Applications, IT equipment, OT equipment and services are Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management equipment, OT sourced from approved suppliers. governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Sourcing applications, IT ISM-1788 2 Jun-24 Yes Yes Yes Yes Yes No No No Multiple potential suppliers are identified for sourcing critical Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management equipment, OT applications, IT equipment, OT equipment and services. governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Sourcing applications, IT ISM-1789 2 Jun-24 Yes Yes Yes Yes Yes No No No Sufficient spares of critical IT equipment and OT equipment are Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management equipment, OT sourced and kept in reserve. governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Delivery of applications, ISM-1790 1 Jun-24 Yes Yes Yes Yes Yes No No No Applications, IT equipment, OT equipment and services are Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management IT equipment, OT delivered in a manner that maintains their integrity. governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Delivery of applications, ISM-1791 1 Jun-24 Yes Yes Yes Yes Yes No No No The integrity of applications, IT equipment, OT equipment and Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management IT equipment, OT services are assessed as part of acceptance of products and governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services services. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Cyber supply chain risk Delivery of applications, ISM-1792 1 Jun-24 Yes Yes Yes Yes Yes No No No The authenticity of applications, IT equipment, OT equipment and Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and management IT equipment, OT services are assessed as part of acceptance of products and governance of the CSP and arrangements between the CSP or service
Outsourcing equipment and services services. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Managed services ISM-1736 1 Dec-22 Yes Yes Yes Yes Yes No No No A managed service register is developed, implemented, maintained Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services and verified on a regular basis. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Managed services ISM-1737 1 Sep-22 Yes Yes Yes Yes Yes No No No A managed service register contains the following for each Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services managed service: governance of the CSP and arrangements between the CSP or service
Outsourcing • managed service provider’s name should be captured by the and their customers as well as
• managed service’s name common controls the CSP and their outsourced
• purpose for using the managed service third-party providers
• sensitivity or classification of data involved
• due date for the next security assessment of the managed service Not Assessed Not Assessed Not Assessed
• contractual arrangements for the managed service
• point of contact for users of the managed service
• 24/7 contact details for the managed service provider.

Guidelines for Managed services and Assessment of managed ISM-1793 1 Dec-24 Yes Yes Yes Yes No No No No Managed service providers and their non-classified, OFFICIAL: Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services service providers Sensitive, PROTECTED and SECRET managed services undergo an governance of the CSP and arrangements between the CSP or service
Outsourcing Infosec Registered Assessor Program (IRAP) assessment, using the should be captured by the and their customers as well as
latest release of the ISM available prior to the beginning of the common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
IRAP assessment (or a subsequent release), at least every 24 third-party providers
months.

Guidelines for Managed services and Assessment of managed ISM-1971 0 Dec-24 No No No No Yes No No No Managed service providers and their TOP SECRET managed Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services service providers services, including sensitive compartmented information managed governance of the CSP and arrangements between the CSP or service
Outsourcing services, undergo a security assessment by ASD assessors (or their should be captured by the and their customers as well as
delegates), using the latest release of the ISM available prior to the common controls the CSP and their outsourced
beginning of the security assessment (or a subsequent release), at third-party providers Not Assessed Not Assessed Not Assessed
least every 24 months.

Guidelines for Managed services and Outsourced cloud ISM-1637 2 Dec-22 Yes Yes Yes Yes Yes No No No An outsourced cloud service register is developed, implemented, Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services services maintained and verified on a regular basis. governance of the CSP and arrangements between the CSP or service
Outsourcing should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Outsourced cloud ISM-1638 3 Sep-22 Yes Yes Yes Yes Yes No No No An outsourced cloud service register contains the following for Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services services each outsourced cloud service: governance of the CSP and arrangements between the CSP or service
Outsourcing • cloud service provider’s name should be captured by the and their customers as well as
• cloud service’s name common controls the CSP and their outsourced
• purpose for using the cloud service third-party providers
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service Not Assessed Not Assessed Not Assessed
• contractual arrangements for the cloud service
• point of contact for users of the cloud service
• 24/7 contact details for the cloud service provider.
Guidelines for Managed services and Outsourced cloud ISM-1529 2 Dec-21 No No No Yes Yes No No No Only community or private clouds are used for outsourced SECRET Applicable Applicable Applicable
Procurement and cloud services services and TOP SECRET cloud services. Not Assessed Not Assessed Not Assessed
Outsourcing
Guidelines for Managed services and Assessment of ISM-1570 2 Dec-24 Yes Yes Yes Yes No No No No Outsourced cloud service providers and their non-classified, Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services outsourced cloud service OFFICIAL: Sensitive, PROTECTED and SECRET cloud services governance of the CSP and arrangements between the CSP or service
Outsourcing providers undergo an IRAP assessment, using the latest release of the ISM should be captured by the and their customers as well as
available prior to the beginning of the IRAP assessment (or a common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
subsequent release), at least every 24 months. third-party providers

Guidelines for Managed services and Assessment of ISM-1972 0 Dec-24 No No No No Yes No No No Outsourced cloud service providers and their TOP SECRET cloud Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services outsourced cloud service services, including sensitive compartmented information cloud governance of the CSP and arrangements between the CSP or service
Outsourcing providers services, undergo a security assessment by ASD assessors (or their should be captured by the and their customers as well as
delegates), using the latest release of the ISM available prior to the common controls the CSP and their outsourced
beginning of the security assessment (or a subsequent release), at third-party providers Not Assessed Not Assessed Not Assessed
least every 24 months.

Guidelines for Managed services and Contractual security ISM-1395 7 Dec-22 Yes Yes Yes Yes Yes No No No Service providers, including any subcontractors, provide an Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with appropriate level of protection for any data entrusted to them or governance of the CSP and arrangements between the CSP or service
Outsourcing service providers their services. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-0072 9 Dec-22 Yes Yes Yes Yes Yes No No No Security requirements associated with the confidentiality, integrity Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with and availability of data are documented in contractual governance of the CSP and arrangements between the CSP or service
Outsourcing service providers arrangements with service providers and reviewed on a regular should be captured by the and their customers as well as
and ongoing basis to ensure they remain fit for purpose. common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1571 3 Dec-22 Yes Yes Yes Yes Yes No No No The right to verify compliance with security requirements is Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with documented in contractual arrangements with service providers. governance of the CSP and arrangements between the CSP or service
Outsourcing service providers should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1738 1 Dec-22 Yes Yes Yes Yes Yes No No No The right to verify compliance with security requirements Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with documented in contractual arrangements with service providers is governance of the CSP and arrangements between the CSP or service
Outsourcing service providers exercised on a regular and ongoing basis. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1804 0 Dec-22 Yes Yes Yes Yes Yes No No No Break clauses associated with failure to meet security requirements Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with are documented in contractual arrangements with service governance of the CSP and arrangements between the CSP or service
Outsourcing service providers providers. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-0141 7 Dec-22 Yes Yes Yes Yes Yes No No No The requirement for service providers to report cyber security Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with incidents to a designated point of contact as soon as possible after governance of the CSP and arrangements between the CSP or service
Outsourcing service providers they occur or are discovered is documented in contractual should be captured by the and their customers as well as
arrangements with service providers. common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1794 1 Dec-22 Yes Yes Yes Yes Yes No No No A minimum notification period of one month by service providers Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with for significant changes to their own service provider arrangements governance of the CSP and arrangements between the CSP or service
Outsourcing service providers is documented in contractual arrangements with service providers. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1451 4 Dec-22 Yes Yes Yes Yes Yes No No No Types of data and its ownership is documented in contractual Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with arrangements with service providers. governance of the CSP and arrangements between the CSP or service
Outsourcing service providers should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1572 3 Jun-23 Yes Yes Yes Yes Yes No No No The regions or availability zones where data will be processed, Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with stored and communicated, as well as a minimum notification governance of the CSP and arrangements between the CSP or service
Outsourcing service providers period for any configuration changes, is documented in contractual should be captured by the and their customers as well as
arrangements with service providers. common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1573 3 Dec-22 Yes Yes Yes Yes Yes No No No Access to all logs relating to an organisation’s data and services is Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with documented in contractual arrangements with service providers. governance of the CSP and arrangements between the CSP or service
Outsourcing service providers should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1574 3 Dec-22 Yes Yes Yes Yes Yes No No No The storage of data in a portable manner that allows for backups, Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with service migration and service decommissioning without any loss of governance of the CSP and arrangements between the CSP or service
Outsourcing service providers data is documented in contractual arrangements with service should be captured by the and their customers as well as
providers. common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Contractual security ISM-1575 1 Dec-22 Yes Yes Yes Yes Yes No No No A minimum notification period of one month for the cessation of Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services requirements with any services by a service provider is documented in contractual governance of the CSP and arrangements between the CSP or service
Outsourcing service providers arrangements with service providers. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Access to systems, ISM-1073 6 Jun-24 Yes Yes Yes Yes Yes No No No An organisation’s systems, applications and data are not accessed Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services applications and data by or administered by a service provider unless a contractual governance of the CSP and arrangements between the CSP or service
Outsourcing service providers arrangement exists between the organisation and the service should be captured by the and their customers as well as
provider to do so. common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Managed services and Access to systems, ISM-1576 3 Jun-24 Yes Yes Yes Yes Yes No No No If an organisation’s systems, applications or data are accessed or Not applicable as it relates to the Applicable to contractual Applicable if different per system
Procurement and cloud services applications and data by administered by a service provider in an unauthorised manner, the governance of the CSP and arrangements between the CSP or service
Outsourcing service providers organisation is immediately notified. should be captured by the and their customers as well as
common controls the CSP and their outsourced Not Assessed Not Assessed Not Assessed
third-party providers

Guidelines for Security Development and Cyber security strategy ISM-0039 6 Dec-22 Yes Yes Yes Yes Yes No No No A cyber security strategy is developed, implemented and Not applicable as it relates to the Applicable Applicable if different per system
Documentation maintenance of security maintained. governance of the CSP and or service
documentation should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Security Development and Approval of security ISM-0047 4 May-19 Yes Yes Yes Yes Yes No No No Organisational-level security documentation is approved by the Not applicable as it relates to the Applicable Applicable if different per system
Documentation maintenance of security documentation Chief Information Security Officer while system-specific security governance of the CSP and or service
documentation documentation is approved by the system’s authorising officer. should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Security Development and Approval of security ISM-1739 0 Mar-22 Yes Yes Yes Yes Yes No No No A system’s security architecture is approved prior to the Not applicable as it relates to the Applicable Applicable if different per system
Documentation maintenance of security documentation development of the system. governance of the CSP and or service
documentation should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Security Development and Maintenance of security ISM-0888 5 May-19 Yes Yes Yes Yes Yes No No No Security documentation is reviewed at least annually and includes Not applicable as it relates to the Applicable Applicable if different per system
Documentation maintenance of security documentation a ‘current as at [date]’ or equivalent statement. governance of the CSP and or service
documentation should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Security Development and Communication of ISM-1602 0 Aug-20 Yes Yes Yes Yes Yes No No No Security documentation, including notification of subsequent Not applicable as it relates to the Applicable Applicable if different per system
Documentation maintenance of security security documentation changes, is communicated to all stakeholders. governance of the CSP and or service
documentation should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Security System-specific security System security plan ISM-0041 6 Jun-24 Yes Yes Yes Yes Yes No No No Systems have a system security plan that includes an overview of Not applicable as it relates to the Applicable Applicable if different per system
Documentation documentation the system (covering the system’s purpose, the system boundary governance of the CSP and or service
and how the system is managed) as well as an annex that covers should be captured by the
applicable controls from this document and any additional controls common controls Not Assessed Not Assessed Not Assessed
that have been identified and implemented.
Guidelines for Security System-specific security Cyber security incident ISM-0043 5 Sep-23 Yes Yes Yes Yes Yes No No No Systems have a cyber security incident response plan that covers Not applicable as it relates to the Applicable Applicable if different per system
Documentation documentation response plan the following: governance of the CSP and or service
• guidelines on what constitutes a cyber security incident should be captured by the
• the types of cyber security incidents likely to be encountered and common controls
the expected response to each type
• how to report cyber security incidents, internally to an
organisation and externally to relevant authorities
• other parties which need to be informed in the event of a cyber
security incident
• the authority, or authorities, responsible for investigating and
responding to cyber security incidents
• the criteria by which an investigation of a cyber security incident
would be requested from a law enforcement agency, the Not Assessed Not Assessed Not Assessed
Australian Signals Directorate or other relevant authority
• the steps necessary to ensure the integrity of evidence relating to
a cyber security incident
• system contingency measures or a reference to such details if
they are located in a separate document.

Guidelines for Security System-specific security Continuous monitoring ISM-1163 10 Sep-23 Yes Yes Yes Yes Yes No No No Systems have a continuous monitoring plan that includes: Not applicable as it relates to the Applicable Applicable if different per system
Documentation documentation plan • conducting vulnerability scans for systems at least fortnightly governance of the CSP and or service
• conducting vulnerability assessments and penetration tests for should be captured by the
systems prior to deployment, including prior to deployment of common controls
significant changes, and at least annually thereafter
• analysing identified vulnerabilities to determine their potential
impact Not Assessed Not Assessed Not Assessed
• implementing mitigations based on risk, effectiveness and cost.

Guidelines for Security System-specific security Security assessment ISM-1563 1 Jun-22 Yes Yes Yes Yes Yes No No No At the conclusion of a security assessment for a system, a security Not applicable as it relates to the Applicable Applicable if different per system
Documentation documentation report assessment report is produced by the assessor and covers: governance of the CSP and or service
• the scope of the security assessment should be captured by the
• the system’s strengths and weaknesses common controls
• security risks associated with the operation of the system
• the effectiveness of the implementation of controls Not Assessed Not Assessed Not Assessed
• any recommended remediation actions.

Guidelines for Security System-specific security Plan of action and ISM-1564 0 May-20 Yes Yes Yes Yes Yes No No No At the conclusion of a security assessment for a system, a plan of Not applicable as it relates to the Applicable Applicable if different per system
Documentation documentation milestones action and milestones is produced by the system owner. governance of the CSP and or service
should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Physical Facilities and systems Physical access to ISM-1973 0 Dec-24 Yes No No No No No No No Non-classified systems are secured in suitably secure facilities. Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security systems confirm a suitable physical confirm a suitable physical or service
security certification report exists security certification report exists Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-0810 7 Dec-24 No Yes Yes Yes Yes No No No Classified systems are secured in facilities that meet the Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security systems requirements for a security zone suitable for their classification. confirm a suitable physical confirm a suitable physical or service
security certification report exists security certification report exists Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1974 0 Dec-24 Yes No No No No No No No Non-classified servers, network devices and cryptographic Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security servers, network devices equipment are secured in suitably secure server rooms or confirm a suitable physical confirm a suitable physical or service
and cryptographic communications rooms. security certification report exists security certification report exists
equipment Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1053 5 Dec-24 No Yes Yes Yes Yes No No No Classified servers, network devices and cryptographic equipment Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security servers, network devices are secured in server rooms or communications rooms that meet confirm a suitable physical confirm a suitable physical or service
and cryptographic the requirements for a security zone suitable for their security certification report exists security certification report exists
equipment classification. Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1975 0 Dec-24 Yes No No No No No No No Non-classified servers, network devices and cryptographic Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security servers, network devices equipment are secured in suitably secure security containers. confirm a suitable physical confirm a suitable physical or service
and cryptographic security certification report exists security certification report exists
equipment Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1530 3 Dec-24 No Yes Yes Yes Yes No No No Classified servers, network devices and cryptographic equipment Applicable with the assessor to Applicable with the assessor to Applicable if different per system
Security servers, network devices are secured in security containers suitable for their classification confirm a suitable physical confirm a suitable physical or service
and cryptographic taking into account the combination of security zones they reside security certification report exists security certification report exists
equipment in. Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-0813 5 Dec-24 Yes Yes Yes Yes Yes No No No Server rooms, communications rooms and security containers are Applicable Applicable Applicable if different per system
Security servers, network devices not left in unsecured states. or service
and cryptographic
equipment Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1074 4 Dec-24 Yes Yes Yes Yes Yes No No No Keys or equivalent access mechanisms to server rooms, Applicable Applicable Applicable if different per system
Security servers, network devices communications rooms and security containers are appropriately or service
and cryptographic controlled.
equipment Not Assessed Not Assessed Not Assessed

Guidelines for Physical Facilities and systems Physical access to ISM-1296 4 Jun-22 Yes Yes Yes Yes Yes No No No Physical security is implemented to protect network devices in Applicable Applicable Applicable if different per system
Security network devices in public public areas from physical damage or unauthorised access. or service Not Assessed Not Assessed Not Assessed
areas
Guidelines for Physical Facilities and systems Bringing radio frequency ISM-1543 4 Dec-22 No No No Yes Yes No No No An authorised RF and IR device register for SECRET and TOP SECRET Applicable Applicable Applicable if different per system
Security and infrared devices into areas is developed, implemented, maintained and verified on a or service Not Assessed Not Assessed Not Assessed
facilities regular basis.
Guidelines for Physical Facilities and systems Bringing radio frequency ISM-0225 3 Sep-21 No No No Yes Yes No No No Unauthorised RF and IR devices are not brought into SECRET and Applicable Applicable Applicable if different per system
Security and infrared devices into TOP SECRET areas. or service Not Assessed Not Assessed Not Assessed
facilities
Guidelines for Physical Facilities and systems Bringing radio frequency ISM-0829 4 Mar-19 No No No Yes Yes No No No Security measures are used to detect and respond to unauthorised Applicable Applicable Applicable if different per system
Security and infrared devices into RF devices in SECRET and TOP SECRET areas. or service Not Assessed Not Assessed Not Assessed
facilities
Guidelines for Physical Facilities and systems Preventing observation ISM-0164 3 Dec-21 Yes Yes Yes Yes Yes No No No Unauthorised people are prevented from observing systems, in Applicable Applicable Applicable if different per system
Security by unauthorised people particular workstation displays and keyboards, within facilities. or service Not Assessed Not Assessed Not Assessed

Guidelines for Physical IT equipment and media Securing IT equipment ISM-0161 6 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment and media are secured when not in use. Applicable Applicable Applicable if different per system
Security and media or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Cyber security awareness Providing cyber security ISM-0252 7 Mar-22 Yes Yes Yes Yes Yes No No No Cyber security awareness training is undertaken annually by all Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training awareness training personnel and covers: governance of the CSP and and supporting the governance of the CSP and
• the purpose of the cyber security awareness training should be captured by the administration environment should be captured by the
• security appointments and contacts common controls common controls
• authorised use of systems and their resources
• protection of systems and their resources Not Assessed Not Assessed Not Assessed
• reporting of cyber security incidents and suspected compromises
of systems and their resources.

Guidelines for Personnel Cyber security awareness Providing cyber security ISM-1565 0 Jun-20 Yes Yes Yes Yes Yes No No No Tailored privileged user training is undertaken annually by all Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training awareness training privileged users. governance of the CSP and and supporting the governance of the CSP and
should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Personnel Cyber security awareness Managing and reporting ISM-1740 0 Mar-22 Yes Yes Yes Yes Yes No No No Personnel dealing with banking details and payment requests are Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training suspicious changes to advised of what business email compromise is, how to manage governance of the CSP and and supporting the governance of the CSP and
banking details or such situations and how to report it. should be captured by the administration environment should be captured by the
payment requests common controls common controls Not Assessed Not Assessed Not Assessed

Guidelines for Personnel Cyber security awareness Reporting suspicious ISM-0817 4 Jan-20 Yes Yes Yes Yes Yes No No No Personnel are advised of what suspicious contact via online Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training contact via online services is and how to report it. governance of the CSP and and supporting the governance of the CSP and
services should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Personnel Cyber security awareness Posting work information ISM-0820 5 Jan-20 Yes Yes Yes Yes Yes No No No Personnel are advised to not post work information to Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training to online services unauthorised online services and to report cases where such governance of the CSP and and supporting the governance of the CSP and
information is posted. should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Personnel Cyber security awareness Posting work information ISM-1146 3 Dec-24 Yes Yes Yes Yes Yes No No No Personnel are advised to maintain separate work and personal user Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training to online services accounts for online services. governance of the CSP and and supporting the governance of the CSP and
should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls
Guidelines for Personnel Cyber security awareness Posting personal ISM-0821 3 Oct-19 Yes Yes Yes Yes Yes No No No Personnel are advised of security risks associated with posting Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training information to online personal information to online services and are encouraged to use governance of the CSP and and supporting the governance of the CSP and
services any available privacy settings to restrict who can view such should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
information. common controls common controls

Guidelines for Personnel Cyber security awareness Sending and receiving ISM-0824 2 Sep-18 Yes Yes Yes Yes Yes No No No Personnel are advised not to send or receive files via unauthorised Not applicable as it relates to the Applicable to personnel using Not applicable as it relates to the
Security training files via online services online services. governance of the CSP and and supporting the governance of the CSP and
should be captured by the administration environment should be captured by the Not Assessed Not Assessed Not Assessed
common controls common controls

Guidelines for Personnel Access to systems and System usage policy ISM-1864 0 Sep-23 Yes Yes Yes Yes Yes No No No A system usage policy is developed, implemented and maintained. Applicable Applicable Applicable if different per system
Security their resources or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and System access ISM-0432 7 Dec-21 Yes Yes Yes Yes Yes No No No Access requirements for a system and its resources are Applicable Applicable Applicable if different per system
Security their resources requirements documented in its system security plan. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and System access ISM-0434 7 Mar-22 Yes Yes Yes Yes Yes No No No Personnel undergo appropriate employment screening and, where Applicable Applicable Applicable if different per system
Security their resources requirements necessary, hold an appropriate security clearance before being or service Not Assessed Not Assessed Not Assessed
granted access to a system and its resources.
Guidelines for Personnel Access to systems and System access ISM-0435 3 Aug-19 Yes Yes Yes Yes Yes No No No Personnel receive any necessary briefings before being granted Applicable Applicable Applicable if different per system
Security their resources requirements access to a system and its resources. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and System access ISM-1865 0 Sep-23 Yes Yes Yes Yes Yes No No No Personnel agree to abide by usage policies associated with a Applicable Applicable Applicable if different per system
Security their resources requirements system and its resources before being granted access to the system or service Not Assessed Not Assessed Not Assessed
and its resources.
Guidelines for Personnel Access to systems and User identification ISM-0414 4 Aug-19 Yes Yes Yes Yes Yes No No No Personnel granted access to a system and its resources are Applicable Applicable Applicable if different per system
Security their resources uniquely identifiable. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and User identification ISM-0415 3 Aug-19 Yes Yes Yes Yes Yes No No No The use of shared user accounts is strictly controlled, and Applicable Applicable Applicable if different per system
Security their resources personnel using such accounts are uniquely identifiable. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and User identification ISM-1583 0 Aug-20 Yes Yes Yes Yes Yes No No No Personnel who are contractors are identified as such. Applicable Applicable Applicable if different per system
Security their resources or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and User identification ISM-0420 11 Dec-21 No No No Yes Yes No No No Where a system processes, stores or communicates AUSTEO, Applicable Applicable Applicable if different per system
Security their resources AGAO or REL data, personnel who are foreign nationals are or service Not Assessed Not Assessed Not Assessed
identified as such, including by their specific nationality.
Guidelines for Personnel Access to systems and Unprivileged access to ISM-0405 7 Dec-21 Yes Yes Yes Yes Yes No No No Requests for unprivileged access to systems, applications and data Applicable Applicable Applicable if different per system
Security their resources systems repositories are validated when first requested. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Unprivileged access to ISM-1852 0 Jun-23 Yes Yes Yes Yes Yes No No No Unprivileged access to systems, applications and data repositories Applicable Applicable Applicable if different per system
Security their resources systems is limited to only what is required for users and services to or service Not Assessed Not Assessed Not Assessed
undertake their duties.
Guidelines for Personnel Access to systems and Unprivileged access to ISM-1566 3 Dec-23 Yes Yes Yes Yes Yes No No No Use of unprivileged access is centrally logged. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Unprivileged access to ISM-0409 8 Jun-22 No No No Yes Yes No No No Foreign nationals, including seconded foreign nationals, do not Applicable Applicable Applicable if different per system
Security their resources systems by foreign have access to systems that process, store or communicate or service
nationals AUSTEO or REL data unless effective controls are in place to ensure Not Assessed Not Assessed Not Assessed
such data is not accessible to them.

Guidelines for Personnel Access to systems and Unprivileged access to ISM-0411 7 Jun-22 No No No Yes Yes No No No Foreign nationals, excluding seconded foreign nationals, do not Applicable Applicable Applicable if different per system
Security their resources systems by foreign have access to systems that process, store or communicate AGAO or service
nationals data unless effective controls are in place to ensure such data is Not Assessed Not Assessed Not Assessed
not accessible to them.

Guidelines for Personnel Access to systems and Privileged access to ISM-1507 3 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Requests for privileged access to systems, applications and data Applicable Applicable Applicable if different per system
Security their resources systems repositories are validated when first requested. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Privileged access to ISM-1508 3 Dec-23 Yes Yes Yes Yes Yes No No Yes Privileged access to systems, applications and data repositories is Applicable Applicable Applicable if different per system
Security their resources systems limited to only what is required for users and services to undertake or service Not Assessed Not Assessed Not Assessed
their duties.
Guidelines for Personnel Access to systems and Privileged access to ISM-1175 6 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Privileged user accounts (excluding those explicitly authorised to Applicable Applicable Applicable if different per system
Security their resources systems access online services) are prevented from accessing the internet, or service Not Assessed Not Assessed Not Assessed
email and web services.
Guidelines for Personnel Access to systems and Privileged access to ISM-1883 1 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Privileged user accounts explicitly authorised to access online Applicable Applicable Applicable if different per system
Security their resources systems services are strictly limited to only what is required for users and or service Not Assessed Not Assessed Not Assessed
services to undertake their duties.
Guidelines for Personnel Access to systems and Privileged access to ISM-1649 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Just-in-time administration is used for administering systems and Applicable Applicable Applicable if different per system
Security their resources systems applications. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Privileged access to ISM-0445 8 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Privileged users are assigned a dedicated privileged user account to Applicable Applicable Applicable if different per system
Security their resources systems be used solely for duties requiring privileged access. or service Not Assessed Not Assessed Not Assessed

Guidelines for Personnel Access to systems and Privileged access to ISM-1263 5 Sep-24 Yes Yes Yes Yes Yes No No No Unique privileged user accounts are used for administering Applicable Applicable Applicable if different per system
Security their resources systems individual server applications. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Privileged access to ISM-1509 3 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Privileged access events are centrally logged. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Privileged access to ISM-1650 3 Sep-24 Yes Yes Yes Yes Yes No Yes Yes Privileged user account and security group management events are Applicable Applicable Applicable if different per system
Security their resources systems centrally logged. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Privileged access to ISM-0446 5 Jun-21 No No No Yes Yes No No No Foreign nationals, including seconded foreign nationals, do not Applicable Applicable Applicable if different per system
Security their resources systems by foreign have privileged access to systems that process, store or or service Not Assessed Not Assessed Not Assessed
nationals communicate AUSTEO or REL data.
Guidelines for Personnel Access to systems and Privileged access to ISM-0447 4 Jun-21 No No No Yes Yes No No No Foreign nationals, excluding seconded foreign nationals, do not Applicable Applicable Applicable if different per system
Security their resources systems by foreign have privileged access to systems that process, store or or service Not Assessed Not Assessed Not Assessed
nationals communicate AGAO data.
Guidelines for Personnel Access to systems and Suspension of access to ISM-0430 7 Sep-19 Yes Yes Yes Yes Yes No No No Access to systems, applications and data repositories is removed or Applicable Applicable Applicable if different per system
Security their resources systems suspended on the same day personnel no longer have a legitimate or service Not Assessed Not Assessed Not Assessed
requirement for access.
Guidelines for Personnel Access to systems and Suspension of access to ISM-1591 0 Aug-20 Yes Yes Yes Yes Yes No No No Access to systems, applications and data repositories is removed or Applicable Applicable Applicable if different per system
Security their resources systems suspended as soon as practicable when personnel are detected or service Not Assessed Not Assessed Not Assessed
undertaking malicious activities.
Guidelines for Personnel Access to systems and Suspension of access to ISM-1404 4 Dec-23 Yes Yes Yes Yes Yes No No No Unprivileged access to systems and applications is disabled after 45 Applicable Applicable Applicable if different per system
Security their resources systems days of inactivity. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Suspension of access to ISM-1648 1 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Privileged access to systems and applications is disabled after 45 Applicable Applicable Applicable if different per system
Security their resources systems days of inactivity. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Suspension of access to ISM-1716 1 Dec-23 Yes Yes Yes Yes Yes No No No Access to data repositories is disabled after 45 days of inactivity. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Suspension of access to ISM-1647 1 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Privileged access to systems, applications and data repositories is Applicable Applicable Applicable if different per system
Security their resources systems disabled after 12 months unless revalidated. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Recording authorisation ISM-0407 5 Sep-23 Yes Yes Yes Yes Yes No No No A secure record is maintained for the life of each system covering Applicable Applicable Applicable if different per system
Security their resources for personnel to access the following for each user: or service
systems • their user identification
• their signed agreement to abide by usage policies for the system
and its resources
• who provided authorisation for their access
• when their access was granted
• the level of access that they were granted
• when their access, and their level of access, was last reviewed Not Assessed Not Assessed Not Assessed
• when their level of access was changed, and to what extent (if
applicable)
• when their access was withdrawn (if applicable).

Guidelines for Personnel Access to systems and Temporary access to ISM-0441 8 Jun-22 Yes Yes Yes Yes Yes No No No When personnel are granted temporary access to a system, Applicable Applicable Applicable if different per system
Security their resources systems effective controls are put in place to restrict their access to only or service Not Assessed Not Assessed Not Assessed
data required for them to undertake their duties.
Guidelines for Personnel Access to systems and Temporary access to ISM-0443 3 Sep-18 No No No Yes Yes No No No Temporary access is not granted to systems that process, store or Applicable Applicable Applicable if different per system
Security their resources systems communicate caveated or sensitive compartmented information. or service Not Assessed Not Assessed Not Assessed

Guidelines for Personnel Access to systems and Emergency access to ISM-1610 0 Aug-20 Yes Yes Yes Yes Yes No No No A method of emergency access to systems is documented and Applicable Applicable Applicable if different per system
Security their resources systems tested at least once when initially implemented and each time or service
fundamental information technology infrastructure changes occur. Not Assessed Not Assessed Not Assessed

Guidelines for Personnel Access to systems and Emergency access to ISM-1611 0 Aug-20 Yes Yes Yes Yes Yes No No No Break glass accounts are only used when normal authentication Applicable Applicable Applicable if different per system
Security their resources systems processes cannot be used. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Emergency access to ISM-1612 0 Aug-20 Yes Yes Yes Yes Yes No No No Break glass accounts are only used for specific authorised activities. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Emergency access to ISM-1614 0 Aug-20 Yes Yes Yes Yes Yes No No No Break glass account credentials are changed by the account Applicable Applicable Applicable if different per system
Security their resources systems custodian after they are accessed by any other party. or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Emergency access to ISM-1615 0 Aug-20 Yes Yes Yes Yes Yes No No No Break glass accounts are tested after credentials are changed. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Emergency access to ISM-1613 2 Dec-23 Yes Yes Yes Yes Yes No No No Use of break glass accounts is centrally logged. Applicable Applicable Applicable if different per system
Security their resources systems or service Not Assessed Not Assessed Not Assessed
Guidelines for Personnel Access to systems and Control of Australian ISM-0078 5 Jun-21 No No No Yes Yes No No No Systems processing, storing or communicating AUSTEO or AGAO Applicable Applicable Applicable if different per system
Security their resources systems data remain at all times under the control of an Australian national or service
working for or on behalf of the Australian Government. Not Assessed Not Assessed Not Assessed

Guidelines for Personnel Access to systems and Control of Australian ISM-0854 6 Dec-21 No No No Yes Yes No No No AUSTEO and AGAO data can only be accessed from systems under Applicable Applicable Applicable if different per system
Security their resources systems the sole control of the Australian Government that are located or service
within facilities authorised by the Australian Government. Not Assessed Not Assessed Not Assessed
Guidelines for Cabling infrastructure Cabling infrastructure ISM-0181 3 Mar-21 Yes Yes Yes Yes Yes No No No Cabling infrastructure is installed in accordance with relevant Applicable Applicable Not applicable as it is highly likely
Communications standards Australian Standards, as directed by the Australian common infrastructure is used
Infrastructure Communications and Media Authority. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Use of fibre-optic cables ISM-1111 3 Mar-21 Yes Yes Yes Yes Yes No No No Fibre-optic cables are used for cabling infrastructure instead of Applicable Applicable Not applicable as it is highly likely
Communications copper cables. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable register ISM-0211 7 Dec-22 Yes Yes Yes Yes Yes No No No A cable register is developed, implemented, maintained and Applicable Applicable Not applicable as it is highly likely
Communications verified on a regular basis. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable register ISM-0208 6 Jun-21 Yes Yes Yes Yes Yes No No No A cable register contains the following for each cable: Applicable Applicable Not applicable as it is highly likely
Communications • cable identifier common infrastructure is used
Infrastructure • cable colour across different services
• sensitivity/classification
• source
• destination Not Assessed Not Assessed Not Assessed
• location
• seal numbers (if applicable).

Guidelines for Cabling infrastructure Floor plan diagrams ISM-1645 2 Dec-22 Yes Yes Yes Yes Yes No No No Floor plan diagrams are developed, implemented, maintained and Applicable Applicable Not applicable as it is highly likely
Communications verified on a regular basis. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Floor plan diagrams ISM-1646 0 Jun-21 Yes Yes Yes Yes Yes No No No Floor plan diagrams contain the following: Applicable Applicable Not applicable as it is highly likely
Communications • cable paths (including ingress and egress points between floors) common infrastructure is used
Infrastructure • cable reticulation system and conduit paths across different services
• floor concentration boxes
• wall outlet boxes Not Assessed Not Assessed Not Assessed
• network cabinets.

Guidelines for Cabling infrastructure Cable labelling processes ISM-0206 7 Dec-22 Yes Yes Yes Yes Yes No No No Cable labelling processes, and supporting cable labelling Applicable Applicable Not applicable as it is highly likely
Communications and procedures procedures, are developed, implemented and maintained. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Labelling cables ISM-1096 2 Oct-19 Yes Yes Yes Yes Yes No No No Cables are labelled at each end with sufficient source and Applicable Applicable Not applicable as it is highly likely
Communications destination details to enable the physical identification and common infrastructure is used
Infrastructure inspection of the cable. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Labelling building ISM-1639 0 Mar-21 Yes Yes Yes Yes Yes No No No Building management cables are labelled with their purpose in Applicable Applicable Not applicable as it is highly likely
Communications management cables black writing on a yellow background, with a minimum size of 2.5 common infrastructure is used
Infrastructure cm x 1 cm, and attached at five-metre intervals. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Labelling cables for ISM-1640 0 Mar-21 Yes Yes Yes Yes Yes No No No Cables for foreign systems installed in Australian facilities are Applicable Applicable Not applicable as it is highly likely
Communications foreign systems in labelled at inspection points. common infrastructure is used
Infrastructure Australian facilities across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable colours ISM-1820 0 Mar-23 Yes Yes Yes Yes Yes No No No Cables for individual systems use a consistent colour. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable colours ISM-0926 11 Dec-24 Yes Yes Yes No No No No No Non-classified, OFFICIAL: Sensitive and PROTECTED cables are Applicable Applicable Not applicable as it is highly likely
Communications coloured neither salmon pink nor red. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable colours ISM-1718 1 Mar-23 No No No Yes No No No No SECRET cables are coloured salmon pink. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable colours ISM-1719 1 Mar-23 No No No No Yes No No No TOP SECRET cables are coloured red. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable colour non- ISM-1216 4 Jun-24 No No No Yes Yes No No No SECRET and TOP SECRET cables with non-conformant cable Applicable Applicable Not applicable as it is highly likely
Communications conformance colouring are banded with the appropriate colour and labelled at common infrastructure is used
Infrastructure inspection points. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable inspectability ISM-1112 4 Dec-24 Yes Yes Yes Yes No No No No Cables in non-TOP SECRET areas are inspectable every five metres Applicable Applicable Not applicable as it is highly likely
Communications or less. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cable inspectability ISM-1119 2 Dec-21 Yes Yes Yes Yes Yes No No No Cables in TOP SECRET areas are fully inspectable for their entire Applicable Applicable Not applicable as it is highly likely
Communications length. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Common cable bundles ISM-0187 8 Mar-23 No No No Yes No No No No SECRET cables, when bundled together or run in conduit, are run Applicable Applicable Not applicable as it is highly likely
Communications and conduits exclusively in their own individual cable bundle or conduit. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Common cable bundles ISM-1821 0 Mar-23 No No No No Yes No No No TOP SECRET cables, when bundled together or run in conduit, are Applicable Applicable Not applicable as it is highly likely
Communications and conduits run exclusively in their own individual cable bundle or conduit. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Common cable ISM-1114 4 Mar-23 Yes Yes Yes Yes Yes No No No Cable bundles or conduits sharing a common cable reticulation Applicable Applicable Not applicable as it is highly likely
Communications reticulation systems system have a dividing partition or visible gap between each cable common infrastructure is used
Infrastructure bundle and conduit. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Enclosed cable ISM-1130 4 Dec-21 Yes Yes Yes Yes Yes No No No In shared facilities, cables are run in an enclosed cable reticulation Applicable to shared facilities Applicable to shared facilities Not applicable as it is highly likely
Communications reticulation systems system. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Covers for enclosed cable ISM-1164 3 Dec-21 Yes Yes Yes Yes Yes No No No In shared facilities, conduits or the front covers of ducts, cable Applicable to shared facilities Applicable to shared facilities Not applicable as it is highly likely
Communications reticulation systems trays in floors and ceilings, and associated fittings are clear plastic. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Sealing cable reticulation ISM-0195 7 Jun-22 No No No No Yes No No No In shared facilities, uniquely identifiable SCEC-approved tamper- Applicable to shared facilities Applicable to shared facilities Not applicable as it is highly likely
Communications systems and conduits evident seals are used to seal all removable covers on TOP SECRET common infrastructure is used
Infrastructure cable reticulation systems. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Sealing cable reticulation ISM-0194 3 Dec-21 No No No No Yes No No No In shared facilities, a visible smear of conduit glue is used to seal all Applicable to shared facilities Applicable to shared facilities Not applicable as it is highly likely
Communications systems and conduits plastic conduit joints and TOP SECRET conduits connected by common infrastructure is used
Infrastructure threaded lock nuts. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Labelling conduits ISM-0201 3 Mar-21 No No No No Yes No No No Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 Applicable Applicable Not applicable as it is highly likely
Communications cm, attached at five-metre intervals and marked as ‘TS RUN’. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cables in walls ISM-1115 4 Dec-19 Yes Yes Yes Yes Yes No No No Cables from cable trays to wall outlet boxes are run in flexible or Applicable Applicable Not applicable as it is highly likely
Communications plastic conduit. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Cables in party walls ISM-1133 3 Dec-21 No No No No Yes No No No In shared facilities, TOP SECRET cables are not run in party walls. Applicable to shared facilities Applicable to shared facilities Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Wall penetrations ISM-1122 2 Dec-21 No No No No Yes No No No Where wall penetrations exit a TOP SECRET area into a lower Applicable Applicable Not applicable as it is highly likely
Communications classified area, TOP SECRET cables are encased in conduit with all common infrastructure is used
Infrastructure gaps between the TOP SECRET conduit and the wall filled with an across different services Not Assessed Not Assessed Not Assessed
appropriate sealing compound.

Guidelines for Cabling infrastructure Wall outlet boxes ISM-1105 4 Mar-23 No No No Yes Yes No No No SECRET and TOP SECRET wall outlet boxes contain exclusively Applicable Applicable Not applicable as it is highly likely
Communications SECRET or TOP SECRET cables. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Labelling wall outlet ISM-1095 5 Dec-21 Yes Yes Yes Yes Yes No No No Wall outlet boxes denote the systems, cable identifiers and wall Applicable Applicable Not applicable as it is highly likely
Communications boxes outlet box identifier. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed
Guidelines for Cabling infrastructure Wall outlet box colours ISM-1822 0 Mar-23 Yes Yes Yes Yes Yes No No No Wall outlet boxes for individual systems use a consistent colour. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Wall outlet box colours ISM-1107 7 Dec-24 Yes Yes Yes No No No No No Non-classified, OFFICIAL: Sensitive and PROTECTED wall outlet Applicable Applicable Not applicable as it is highly likely
Communications boxes are coloured neither salmon pink nor red. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Wall outlet box colours ISM-1720 0 Dec-21 No No No Yes No No No No SECRET wall outlet boxes are coloured salmon pink. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Wall outlet box colours ISM-1721 0 Dec-21 No No No No Yes No No No TOP SECRET wall outlet boxes are coloured red. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Wall outlet box covers ISM-1109 3 Dec-19 Yes Yes Yes Yes Yes No No No Wall outlet box covers are clear plastic. Applicable Applicable Not applicable as it is highly likely
Communications common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Fly lead installation ISM-0218 7 Jun-24 No No No No Yes No No No If TOP SECRET fibre-optic fly leads exceeding five metres in length Applicable Applicable Not applicable as it is highly likely
Communications are used to connect wall outlet boxes to IT equipment, they are run common infrastructure is used
Infrastructure in a protective and easily inspected pathway that is clearly labelled across different services
at the IT equipment end with the wall outlet box’s identifier. Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Connecting cable ISM-1102 3 Dec-21 Yes Yes Yes Yes Yes No No No Cable reticulation systems leading into cabinets are terminated as Applicable Applicable Not applicable as it is highly likely
Communications reticulation systems to close as possible to the cabinet. common infrastructure is used
Infrastructure cabinets across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Connecting cable ISM-1101 3 Dec-21 Yes Yes Yes Yes Yes No No No In TOP SECRET areas, cable reticulation systems leading into Applicable Applicable Not applicable as it is highly likely
Communications reticulation systems to cabinets in server rooms or communications rooms are terminated common infrastructure is used
Infrastructure cabinets as close as possible to the cabinet. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Connecting cable ISM-1103 3 Dec-21 Yes Yes Yes Yes Yes No No No In TOP SECRET areas, cable reticulation systems leading into Applicable Applicable Not applicable as it is highly likely
Communications reticulation systems to cabinets not in server rooms or communications rooms are common infrastructure is used
Infrastructure cabinets terminated at the boundary of the cabinet. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Terminating cables in ISM-1098 5 Mar-23 No No No Yes No No No No SECRET cables are terminated in an individual cabinet; or for small Applicable Applicable Not applicable as it is highly likely
Communications cabinets systems, a cabinet with a division plate between any SECRET cables common infrastructure is used
Infrastructure and non-SECRET cables. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Terminating cables in ISM-1100 1 Sep-18 No No No No Yes No No No TOP SECRET cables are terminated in an individual TOP SECRET Applicable Applicable Not applicable as it is highly likely
Communications cabinets cabinet. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Terminating cables on ISM-0213 4 Mar-23 No No No Yes Yes No No No SECRET and TOP SECRET cables are terminated on their own Applicable Applicable Not applicable as it is highly likely
Communications patch panels individual patch panels. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Physical separation of ISM-0216 3 Mar-23 No No No No Yes No No No TOP SECRET patch panels are installed in individual TOP SECRET Applicable Applicable Not applicable as it is highly likely
Communications cabinets and patch cabinets. common infrastructure is used
Infrastructure panels across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Physical separation of ISM-0217 5 Mar-23 No No No No Yes No No No Where spatial constraints demand non-TOP SECRET patch panels Applicable Applicable Not applicable as it is highly likely
Communications cabinets and patch be installed in the same cabinet as a TOP SECRET patch panel: common infrastructure is used
Infrastructure panels • a physical barrier in the cabinet is provided to separate patch across different services
panels
• only personnel holding a Positive Vetting security clearance have
access to the cabinet Not Assessed Not Assessed Not Assessed
• approval from the TOP SECRET system’s authorising officer is
obtained prior to installation.

Guidelines for Cabling infrastructure Physical separation of ISM-1116 4 Mar-23 No No No No Yes No No No A visible gap exists between TOP SECRET cabinets and non-TOP Applicable Applicable Not applicable as it is highly likely
Communications cabinets and patch SECRET cabinets. common infrastructure is used
Infrastructure panels across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Audio secure rooms ISM-0198 3 Dec-21 No No No No Yes No No No When penetrating a TOP SECRET audio secure room, the Australian Applicable Applicable Not applicable as it is highly likely
Communications Security Intelligence Organisation is consulted and all directions common infrastructure is used
Infrastructure provided are complied with. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Cabling infrastructure Power reticulation ISM-1123 4 Jun-24 No No No No Yes No No No A power distribution board with a feed from an Uninterruptible Applicable Applicable Not applicable as it is highly likely
Communications Power Supply is used to power all TOP SECRET IT equipment. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Emanation security Electromagnetic ISM-0250 5 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment meets industry and government standards relating to Applicable Applicable Not applicable as it is highly likely
Communications interference/electromag electromagnetic interference/electromagnetic compatibility. common infrastructure is used
Infrastructure netic compatibility across different services Not Assessed Not Assessed Not Assessed
standards

Guidelines for Emanation security Emanation security ISM-1884 0 Dec-23 No Yes Yes Yes Yes No No No Emanation security doctrine produced by ASD for the management Applicable Applicable Not applicable as it is highly likely
Communications doctrine of emanation security matters is complied with. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Emanation security Emanation security ISM-1137 5 Dec-23 No No No Yes Yes No No No System owners deploying SECRET or TOP SECRET systems within Applicable Applicable Not applicable as it is highly likely
Communications threat assessments fixed facilities contact ASD for an emanation security threat common infrastructure is used
Infrastructure assessment. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Emanation security Emanation security ISM-0249 6 Dec-23 No No No Yes Yes No No No System owners deploying SECRET or TOP SECRET systems in mobile Applicable Applicable Not applicable as it is highly likely
Communications threat assessments platforms, or as a deployable capability, contact ASD for an common infrastructure is used
Infrastructure emanation security threat assessment. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Emanation security Emanation security ISM-0246 6 Dec-24 No No No Yes Yes No No No When an emanation security threat assessment is required, it is Applicable Applicable Not applicable as it is highly likely
Communications threat assessments sought as early as possible in a system’s life cycle. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Emanation security Emanation security ISM-1885 1 Dec-24 No No No Yes Yes No No No Recommended actions contained within TEMPEST requirements Applicable Applicable Not applicable as it is highly likely
Communications threat assessments statements issued for systems are implemented by system owners. common infrastructure is used
Infrastructure across different services Not Assessed Not Assessed Not Assessed

Guidelines for Telephone systems Telephone system usage ISM-1078 4 Dec-22 Yes Yes Yes Yes Yes No No No A telephone system usage policy is developed, implemented and Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems policy maintained. customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Telephone systems Personnel awareness ISM-0229 4 Jun-24 Yes Yes Yes Yes Yes No No No Personnel are advised of the permitted sensitivity or classification Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems of information that can be discussed over internal and external customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
telephone systems.
Guidelines for Telephone systems Personnel awareness ISM-0230 3 Sep-18 Yes Yes Yes Yes Yes No No No Personnel are advised of security risks posed by non-secure Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems telephone systems in areas where sensitive or classified customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
conversations can occur.
Guidelines for Telephone systems Personnel awareness ISM-0231 2 Dec-21 Yes Yes Yes Yes Yes No No No When using cryptographic equipment to permit different levels of Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems conversation for different kinds of connections, telephone systems customer systems customer systems customer systems
give a visual indication of what kind of connection has been made. Not Assessed Not Assessed Not Assessed

Guidelines for Telephone systems Protecting conversations ISM-0232 3 Sep-18 Yes Yes Yes Yes Yes No No No Telephone systems used for sensitive or classified conversations Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems encrypt all traffic that passes over external systems. customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Telephone systems Cordless telephone ISM-0233 4 Mar-23 Yes Yes Yes Yes Yes No No No Cordless telephone handsets and headsets are not used for Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems systems sensitive or classified conversations unless all communications are customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
encrypted.
Guidelines for Telephone systems Speakerphones ISM-0235 5 Dec-24 Yes Yes Yes Yes Yes No No No Speakerphones are not used on telephone systems in TOP SECRET Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems areas unless the telephone system is located in an audio secure customer systems customer systems customer systems
room, the room is audio secure during conversations and only
personnel involved in conversations are present in the room. Not Assessed Not Assessed Not Assessed

Guidelines for Telephone systems Off-hook audio ISM-0236 5 Dec-21 Yes Yes Yes Yes Yes No No No Off-hook audio protection features are used on telephone systems Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems protection in areas where background conversations may exceed the customer systems customer systems customer systems
sensitivity or classification that the telephone system is authorised Not Assessed Not Assessed Not Assessed
for communicating.
Guidelines for Telephone systems Off-hook audio ISM-0931 7 Dec-24 Yes Yes Yes Yes Yes No No No In SECRET and TOP SECRET areas, push-to-talk handsets or push-to- Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems protection talk headsets are used to meet any off-hook audio protection customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
requirements.
Guidelines for Video conferencing and Video conferencing and ISM-1562 0 Dec-19 Yes Yes Yes Yes Yes No No No Video conferencing and IP telephony infrastructure is hardened. Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol Internet Protocol customer systems there is no VOIP in the cloud provided as a cloud service
telephony telephony infrastructure production environment offering
hardening Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Video-aware and voice- ISM-0546 9 Jun-22 Yes Yes Yes Yes Yes No No No When video conferencing or IP telephony traffic passes through a Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol aware firewalls and gateway containing a firewall or proxy, a video-aware or voice- customer systems there is no VOIP in the cloud provided as a cloud service
telephony proxies aware firewall or proxy is used. production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Protecting video ISM-0548 4 Dec-21 Yes Yes Yes Yes Yes No No No Video conferencing and IP telephony calls are established using a Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol conferencing and secure session initiation protocol. customer systems there is no VOIP in the cloud provided as a cloud service
telephony Internet Protocol production environment offering Not Assessed Not Assessed Not Assessed
telephony traffic

Guidelines for Video conferencing and Protecting video ISM-0547 4 Dec-21 Yes Yes Yes Yes Yes No No No Video conferencing and IP telephony calls are conducted using a Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol conferencing and secure real-time transport protocol. customer systems there is no VOIP in the cloud provided as a cloud service
telephony Internet Protocol production environment offering Not Assessed Not Assessed Not Assessed
telephony traffic

Guidelines for Video conferencing and Video conferencing unit ISM-0554 1 Sep-18 Yes Yes Yes Yes Yes No No No An encrypted and non-replayable two-way authentication scheme Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol and Internet Protocol is used for call authentication and authorisation. customer systems there is no VOIP in the cloud provided as a cloud service
telephony phone authentication production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Video conferencing unit ISM-0553 3 Sep-18 Yes Yes Yes Yes Yes No No No Authentication and authorisation is used for all actions on a video Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol and Internet Protocol conferencing network, including call setup and changing settings. customer systems there is no VOIP in the cloud provided as a cloud service
telephony phone authentication production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Video conferencing unit ISM-0555 3 Dec-19 Yes Yes Yes Yes Yes No No No Authentication and authorisation is used for all actions on an IP Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol and Internet Protocol telephony network, including registering a new IP phone, changing customer systems there is no VOIP in the cloud provided as a cloud service
telephony phone authentication phone users, changing settings and accessing voicemail. production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Video conferencing unit ISM-0551 7 Jan-20 Yes Yes Yes Yes Yes No No No IP telephony is configured such that: Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol and Internet Protocol • IP phones authenticate themselves to the call controller upon customer systems there is no VOIP in the cloud provided as a cloud service
telephony phone authentication registration production environment offering
• auto-registration is disabled and only authorised devices are
allowed to access the network Not Assessed Not Assessed Not Assessed
• unauthorised devices are blocked by default
• all unused and prohibited functionality is disabled.

Guidelines for Video conferencing and Video conferencing unit ISM-1014 6 Dec-21 No No No Yes Yes No No No Individual logins are implemented for IP phones used for SECRET or Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol and Internet Protocol TOP SECRET conversations. customer systems there is no VOIP in the cloud provided as a cloud service
telephony phone authentication production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Traffic separation ISM-0549 4 Oct-19 Yes Yes Yes Yes Yes No No No Video conferencing and IP telephony traffic is separated physically Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol or logically from other data traffic. customer systems there is no VOIP in the cloud provided as a cloud service
telephony production environment offering Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Traffic separation ISM-0556 5 Oct-19 Yes Yes Yes Yes Yes No No No Workstations are not connected to video conferencing units or IP Not applicable as it relates to Not applicable as it is assumed Applicable where VOIP is
Communications Systems Internet Protocol phones unless the workstation or the device uses Virtual Local Area customer systems there is no VOIP in the cloud provided as a cloud service
telephony Networks or similar mechanisms to maintain separation between production environment offering
video conferencing, IP telephony and other data traffic. Not Assessed Not Assessed Not Assessed

Guidelines for Video conferencing and Internet Protocol phones ISM-0558 6 Dec-21 Yes Yes Yes Yes Yes No No No IP phones used in public areas do not have the ability to access Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems Internet Protocol in public areas data networks, voicemail and directory services. customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
telephony
Guidelines for Video conferencing and Microphones and ISM-0559 6 Dec-24 Yes Yes Yes No No No No No Microphones (including headsets and USB handsets) and webcams Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems Internet Protocol webcams are not used with non-SECRET workstations in SECRET areas. customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
telephony
Guidelines for Video conferencing and Microphones and ISM-1450 3 Dec-24 Yes Yes Yes Yes No No No No Microphones (including headsets and USB handsets) and webcams Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems Internet Protocol webcams are not used with non-TOP SECRET workstations in TOP SECRET customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
telephony areas.
Guidelines for Video conferencing and Denial of service ISM-1019 9 Dec-22 Yes Yes Yes Yes Yes No No No A denial of service response plan for video conferencing and IP Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems Internet Protocol response plan telephony services is developed, implemented and maintained. customer systems customer systems customer systems Not Assessed Not Assessed Not Assessed
telephony
Guidelines for Video conferencing and Denial of service ISM-1805 0 Dec-22 Yes Yes Yes Yes Yes No No No A denial of service response plan for video conferencing and IP Not applicable as it relates to Not applicable as it relates to Not applicable as it relates to
Communications Systems Internet Protocol response plan telephony services contains the following: customer systems customer systems customer systems
telephony • how to identify signs of a denial-of-service attack
• how to identify the source of a denial-of-service attack
• how capabilities can be maintained during a denial-of-service
attack Not Assessed Not Assessed Not Assessed
• what actions can be taken to respond to a denial-of-service
attack.

Guidelines for Fax machines and Fax machine and ISM-0588 4 Dec-22 Yes Yes Yes Yes Yes No No No A fax machine and MFD usage policy is developed, implemented Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices multifunction device and maintained. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
usage policy segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Sending fax messages ISM-1092 2 Sep-18 Yes Yes Yes Yes Yes No No No Separate fax machines or MFDs are used for sending sensitive or Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices classified fax messages and all other fax messages. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Sending fax messages ISM-0241 4 Dec-21 Yes Yes Yes Yes Yes No No No When sending fax messages, the fax message is encrypted to an Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices appropriate level to be communicated over unsecured machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
telecommunications infrastructure. segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Receiving fax messages ISM-1075 2 Dec-21 Yes Yes Yes Yes Yes No No No The sender of a fax message makes arrangements for the receiver Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices to collect the fax message as soon as possible after it is sent and for machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
the receiver to notify the sender if the fax message does not arrive segregated from administrative in the cloud production in the cloud production
in an agreed amount of time. endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Simultaneously ISM-0245 5 Dec-19 Yes Yes Yes Yes Yes No No No A direct connection from an MFD to a digital telephone system is Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices connecting multifunction not enabled unless the digital telephone system is authorised to machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
devices to networks and operate at the same sensitivity or classification as the network to segregated from administrative in the cloud production in the cloud production
digital telephone systems which the MFD is connected. endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Authenticating to ISM-1854 0 Jun-23 Yes Yes Yes Yes Yes No No No Users authenticate to MFDs before they can print, scan or copy Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices multifunction devices documents. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Authenticating to ISM-0590 8 Jun-23 Yes Yes Yes Yes Yes No No No Authentication measures for MFDs are the same strength as those Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices multifunction devices used for workstations on networks they are connected to. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Scanning and copying ISM-0589 7 Jun-23 Yes Yes Yes Yes Yes No No No MFDs are not used to scan or copy documents above the sensitivity Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices documents on or classification of networks they are connected to. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
multifunction devices segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Logging multifunction ISM-1855 1 Dec-23 Yes Yes Yes Yes Yes No No No Use of MFDs for printing, scanning and copying purposes, including Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices device use the capture of shadow copies of documents, are centrally logged. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Fax machines and Observing fax machine ISM-1036 3 Sep-18 Yes Yes Yes Yes Yes No No No Fax machines and MFDs are located in areas where their use can Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Communications Systems multifunction devices and multifunction device be observed. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
use segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Enterprise Enterprise mobility Privately-owned mobile ISM-1297 5 Sep-23 Yes Yes Yes Yes Yes No No No Legal advice is sought prior to allowing privately-owned mobile Applicable where the CSP allows Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop devices and desktop computers to access systems or data. privately-owned mobile devices there are no mobile devices in there are no mobile devices in
computers to access customer data the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment
Guidelines for Enterprise Enterprise mobility Privately-owned mobile ISM-1400 9 Dec-24 No Yes Yes No No No No No Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or Applicable where the CSP allows Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop data using privately-owned mobile devices or desktop computers privately-owned mobile devices there are no mobile devices in there are no mobile devices in
computers have enforced separation of classified data from personal data. to access customer data the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Enterprise mobility Privately-owned mobile ISM-1866 0 Sep-23 No Yes Yes No No No No No Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or Applicable where the CSP allows Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop data using privately-owned mobile devices or desktop computers privately-owned mobile devices there are no mobile devices in there are no mobile devices in
computers are prevented from storing classified data on their privately-owned to access customer data the cloud production the cloud production
mobile devices and desktop computers. environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Enterprise Enterprise mobility Privately-owned mobile ISM-0694 8 Sep-23 No No No Yes Yes No No No Privately-owned mobile devices and desktop computers do not Applicable where the CSP allows Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop access SECRET and TOP SECRET systems or data. privately-owned mobile devices there are no mobile devices in there are no mobile devices in
computers to access customer data the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Enterprise mobility Organisation-owned ISM-1482 8 Dec-24 No Yes Yes Yes Yes No No No Personnel accessing systems or data using an organisation-owned Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility mobile devices and mobile device or desktop computer have enforced separation of (including laptops) can be used there are no mobile devices in there are no mobile devices in
desktop computers classified data from personal data. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Enterprise mobility Connecting mobile ISM-0874 6 Sep-23 Yes Yes Yes Yes Yes No No No Mobile devices and desktop computers access the internet via a Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop VPN connection to an organisation’s internet gateway rather than (including laptops) can be used there are no mobile devices in there are no mobile devices in
computers to the via a direct connection to the internet. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
internet environment environment

Guidelines for Enterprise Enterprise mobility Connecting mobile ISM-0705 4 Dec-21 Yes Yes Yes Yes Yes No No No When accessing an organisation’s network via a VPN connection, Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility devices and desktop split tunnelling is disabled. (including laptops) can be used there are no mobile devices in there are no mobile devices in
computers to the the cloud production the cloud production Not Assessed Not Assessed Not Assessed
internet environment environment

Guidelines for Enterprise Mobile device Mobile device ISM-1533 3 Dec-22 Yes Yes Yes Yes Yes No No No A mobile device management policy is developed, implemented Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management management policy and maintained. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Mobile device ISM-1195 2 Sep-23 Yes Yes Yes Yes Yes No No No Mobile Device Management solutions that have completed a Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management management policy Common Criteria evaluation against the Protection Profile for (including laptops) can be used there are no mobile devices in there are no mobile devices in
Mobile Device Management, version 4.0 or later, are used to the cloud production the cloud production Not Assessed Not Assessed Not Assessed
enforce mobile device management policy. environment environment

Guidelines for Enterprise Mobile device Approved mobile ISM-1867 1 Mar-24 No Yes Yes No No No No No Mobile devices that access OFFICIAL: Sensitive or PROTECTED Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management platforms systems or data use mobile platforms that have completed a (including laptops) can be used there are no mobile devices in there are no mobile devices in
Common Criteria evaluation against the Protection Profile for the cloud production the cloud production
Mobile Device Fundamentals, version 3.3 or later, and are environment environment Not Assessed Not Assessed Not Assessed
operated in accordance with the latest version of their associated
ASD security configuration guide.

Guidelines for Enterprise Mobile device Approved mobile ISM-0687 10 Sep-23 No No No Yes Yes No No No Mobile devices that access SECRET or TOP SECRET systems or data Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management platforms use mobile platforms that have been issued an Approval for Use by (including laptops) can be used there are no mobile devices in there are no mobile devices in
ASD and are operated in accordance with the latest version of their the cloud production the cloud production
associated Australian Communications Security Instruction. environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Enterprise Mobile device Data storage ISM-0869 5 Dec-21 Yes Yes Yes Yes Yes No No No Mobile devices encrypt their internal storage and any removable Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management media. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Data storage ISM-1868 0 Sep-23 No No No Yes Yes No No No SECRET and TOP SECRET mobile devices do not use removable Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management media unless approved beforehand by ASD. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Data communications ISM-1085 4 Dec-21 Yes Yes Yes Yes Yes No No No Mobile devices encrypt all sensitive or classified data Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management communicated over public network infrastructure. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-1886 0 Dec-23 Yes Yes Yes Yes Yes No No No Mobile devices are configured to operate in a supervised (or Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security equivalent) mode. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-1887 0 Dec-23 Yes Yes Yes Yes Yes No No No Mobile devices are configured with remote locate and wipe Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security functionality. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-1888 0 Dec-23 Yes Yes Yes Yes Yes No No No Mobile devices are configured with secure lock screens. Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-0863 5 Dec-23 Yes Yes Yes Yes Yes No No No Mobile devices prevent personnel from installing non-approved Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security applications once provisioned. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-0864 4 Dec-21 Yes Yes Yes Yes Yes No No No Mobile devices prevent personnel from disabling or modifying Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security security functionality once provisioned. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device Maintaining mobile ISM-1366 2 Dec-21 Yes Yes Yes Yes Yes No No No Security updates are applied to mobile devices as soon as they Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility management device security become available. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Mobile device usage ISM-1082 3 Dec-22 Yes Yes Yes Yes Yes No No No A mobile device usage policy is developed, implemented and Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility policy maintained. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Personnel awareness ISM-1083 2 Sep-18 Yes Yes Yes Yes Yes No No No Personnel are advised of the sensitivity or classification permitted Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility for voice and data communications when using mobile devices. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage
Mobility
Personnel awareness ISM-1299 4 Sep-23 Yes Yes Yes Yes Yes No No No Personnel are advised to take the following precautions when Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
using mobile devices: (including laptops) can be used administration environment administration environment
• never leave mobile devices or removable media unattended,
including by placing them in checked-in luggage or leaving them in
hotel safes
• never store credentials with mobile devices that they grant
access to, such as in laptop computer bags
• never lend mobile devices or removable media to untrusted
people, even if briefly
• never allow untrusted people to connect their mobile devices or
removable media to your mobile devices, including for charging
• never connect mobile devices to designated charging stations or
wall outlet charging ports
• never use gifted or unauthorised peripherals, chargers or
removable media with mobile devices
• never use removable media for data transfers or backups that
have not been checked for malicious code beforehand
• avoid reuse of removable media once used with other parties’
systems or mobile devices
• avoid connecting mobile devices to open or untrusted Wi-Fi Not Assessed Not Assessed Not Assessed
networks
• consider disabling any communications capabilities of mobile
devices when not in use, such as Wi-Fi, Bluetooth, Near Field
Communication and ultra-wideband
• consider periodically rebooting mobile devices
• consider using a VPN connection to encrypt all cellular and
wireless communications
• consider using encrypted email or messaging apps for all
communications.

Guidelines for Enterprise Mobile device usage Using paging, message ISM-0240 7 Dec-21 Yes Yes Yes Yes Yes No No No Paging, Multimedia Message Service, Short Message Service and Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility services and messaging messaging apps are not used to communicate sensitive or classified (including laptops) can be used there are no mobile devices in there are no mobile devices in
apps data. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using Bluetooth ISM-1196 4 Dec-24 Yes Yes Yes No No No No No Non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility functionality are configured to remain undiscoverable to other Bluetooth (including laptops) can be used there are no mobile devices in there are no mobile devices in
devices except during Bluetooth pairing. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment
Guidelines for Enterprise Mobile device usage Using Bluetooth ISM-1200 7 Dec-24 Yes Yes Yes No No No No No Bluetooth pairing for non-classified, OFFICIAL: Sensitive and Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility functionality PROTECTED mobile devices is performed using Secure Connections, (including laptops) can be used there are no mobile devices in there are no mobile devices in
preferably with Numeric Comparison if supported. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using Bluetooth ISM-1198 4 Dec-24 Yes Yes Yes No No No No No Bluetooth pairing for non-classified, OFFICIAL: Sensitive and Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility functionality PROTECTED mobile devices is performed in a manner such that (including laptops) can be used there are no mobile devices in there are no mobile devices in
connections are only made between intended Bluetooth devices. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using Bluetooth ISM-1199 5 Dec-24 Yes Yes Yes No No No No No Bluetooth pairings for non-classified, OFFICIAL: Sensitive and Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility functionality PROTECTED mobile devices are removed when there is no longer a (including laptops) can be used there are no mobile devices in there are no mobile devices in
requirement for their use. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using Bluetooth ISM-0682 5 Dec-21 No No No Yes Yes No No No Bluetooth functionality is not enabled on SECRET and TOP SECRET Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility functionality mobile devices. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using mobile devices in ISM-0866 5 Jun-21 Yes Yes Yes Yes Yes No No No Sensitive or classified data is not viewed or communicated in public Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility public spaces locations unless care is taken to reduce the chance of the screen of (including laptops) can be used there are no mobile devices in there are no mobile devices in
a mobile device being observed. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using mobile devices in ISM-1145 4 Dec-21 No No No Yes Yes No No No Privacy filters are applied to the screens of SECRET and TOP SECRET Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility public spaces mobile devices. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Using mobile devices in ISM-1644 0 Jun-21 Yes Yes Yes Yes Yes No No No Sensitive or classified phone calls are not conducted in public Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility public spaces locations unless care is taken to reduce the chance of (including laptops) can be used there are no mobile devices in there are no mobile devices in
conversations being overheard. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Maintaining control of ISM-0871 3 Apr-19 Yes Yes Yes Yes Yes No No No Mobile devices are kept under continual direct supervision when Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility mobile devices being actively used. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Maintaining control of ISM-0870 3 Apr-19 Yes Yes Yes Yes Yes No No No Mobile devices are carried or stored in a secured state when not Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility mobile devices being actively used. (including laptops) can be used there are no mobile devices in there are no mobile devices in
the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Maintaining control of ISM-1084 4 Dec-21 Yes Yes Yes Yes Yes No No No If unable to carry or store mobile devices in a secured state, they Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility mobile devices are physically transferred in a security briefcase or an approved (including laptops) can be used there are no mobile devices in there are no mobile devices in
multi-use satchel, pouch or transit bag. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Mobile device emergency ISM-0701 6 Dec-22 Yes Yes Yes Yes Yes No No No Mobile device emergency sanitisation processes, and supporting Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility sanitisation processes mobile device emergency sanitisation procedures, are developed, (including laptops) can be used there are no mobile devices in there are no mobile devices in
and procedures implemented and maintained. the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Enterprise Mobile device usage Mobile device emergency ISM-0702 5 Dec-21 No No No Yes Yes No No No If a cryptographic zeroise or sanitise function is provided for Applicable where mobile devices Not applicable as it is assumed Not applicable as it is assumed
Mobility sanitisation processes cryptographic keys on a SECRET or TOP SECRET mobile device, the (including laptops) can be used there are no mobile devices in there are no mobile devices in
and procedures function is used as part of mobile device emergency sanitisation the cloud production the cloud production Not Assessed Not Assessed Not Assessed
processes and procedures. environment environment

Guidelines for Enterprise Mobile device usage Before travelling ISM-1298 2 Oct-19 Yes Yes Yes Yes Yes No No No Personnel are advised of privacy and security risks when travelling Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility overseas with mobile overseas with mobile devices. (including laptops) can be used administration environment administration environment Not Assessed Not Assessed Not Assessed
devices
Guidelines for Enterprise Mobile device usage Before travelling ISM-1554 2 Dec-24 Yes Yes Yes Yes Yes No No No If travelling overseas with mobile devices to high or extreme risk Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility overseas with mobile countries, personnel are: (including laptops) can be used administration environment administration environment
devices • issued with newly provisioned user accounts, mobile devices and
removable media from a pool of dedicated travel devices which are
used solely for work-related activities
• advised on how to apply and inspect tamper seals to key areas of
mobile devices Not Assessed Not Assessed Not Assessed
• advised to avoid taking any personal mobile devices, especially if
rooted or jailbroken.

Guidelines for Enterprise Mobile device usage Before travelling ISM-1555 3 Dec-24 Yes Yes Yes Yes Yes No No No Before travelling overseas with mobile devices, personnel take the Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility overseas with mobile following actions: (including laptops) can be used administration environment administration environment
devices • record all details of the mobile devices being taken, such as
product types, serial numbers and International Mobile Equipment
Identity numbers
• update all operating systems and applications Not Assessed Not Assessed Not Assessed
• remove all non-essential data, applications and user accounts
• backup all remaining data, applications and settings.

Guidelines for Enterprise Mobile device usage While travelling overseas ISM-1088 6 Sep-23 Yes Yes Yes Yes Yes No No No Personnel report the potential compromise of mobile devices, Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility with mobile devices removable media or credentials to their organisation as soon as (including laptops) can be used administration environment administration environment
possible, especially if they:
• provide credentials to foreign government officials
• decrypt mobile devices for foreign government officials
• have mobile devices taken out of sight by foreign government
officials
• have mobile devices or removable media stolen, including if later Not Assessed Not Assessed Not Assessed
returned
• lose mobile devices or removable media, including if later found
• observe unusual behaviour of mobile devices.

Guidelines for Enterprise Mobile device usage After travelling overseas ISM-1300 6 Dec-22 Yes Yes Yes Yes Yes No No No Upon returning from travelling overseas with mobile devices, Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility with mobile devices personnel take the following actions: (including laptops) can be used administration environment administration environment
• sanitise and reset mobile devices, including all removable media
• decommission any credentials that left their possession during
their travel
• report if significant doubt exists as to the integrity of any mobile Not Assessed Not Assessed Not Assessed
devices or removable media.

Guidelines for Enterprise Mobile device usage After travelling overseas ISM-1556 3 Dec-24 Yes Yes Yes Yes Yes No No No If returning from travelling overseas with mobile devices to high or Applicable where mobile devices Not applicable as it relates to the Not applicable as it relates to the
Mobility with mobile devices extreme risk countries, personnel take the following additional (including laptops) can be used administration environment administration environment
actions:
• reset credentials used with mobile devices, including those used
for remote access to their organisation’s systems Not Assessed Not Assessed Not Assessed
• monitor user accounts for any indicators of compromise, such as
failed logon attempts.

Guidelines for Evaluated Evaluated product Evaluated product ISM-0280 8 Mar-23 Yes Yes Yes Yes Yes No No No If procuring an evaluated product, a product that has completed a Applicable where evaluated Applicable where evaluated Applicable if different per system
Products procurement selection PP-based evaluation, including against all applicable PP modules, is products are used products are used or service
selected in preference to one that has completed an EAL-based Not Assessed Not Assessed Not Assessed
evaluation.

Guidelines for Evaluated Evaluated product Delivery of evaluated ISM-0285 1 Sep-18 Yes Yes Yes Yes Yes No No No Evaluated products are delivered in a manner consistent with any Applicable where evaluated Applicable where evaluated Applicable if different per system
Products procurement products delivery procedures defined in associated evaluation products are used products are used or service Not Assessed Not Assessed Not Assessed
documentation.
Guidelines for Evaluated Evaluated product Delivery of evaluated ISM-0286 8 Jun-24 No No No Yes Yes No No No When procuring high assurance information technology (IT) Applicable where evaluated Applicable where evaluated Applicable if different per system
Products procurement products equipment, ASD is contacted for any equipment-specific delivery products are used products are used or service Not Assessed Not Assessed Not Assessed
procedures.
Guidelines for Evaluated Evaluated product usage Using evaluated products ISM-0289 3 Jun-23 Yes Yes Yes Yes Yes No No No Evaluated products are installed, configured, administered and Applicable where evaluated Applicable where evaluated Applicable if different per system
Products operated in an evaluated configuration and in accordance with products are used products are used or service Not Assessed Not Assessed Not Assessed
vendor guidance.
Guidelines for Evaluated Evaluated product usage Using evaluated products ISM-0290 9 Jun-24 No No No Yes Yes No No No High assurance IT equipment is installed, configured, administered Applicable where evaluated Applicable where evaluated Applicable if different per system
Products and operated in an evaluated configuration and in accordance with products are used products are used or service Not Assessed Not Assessed Not Assessed
ASD guidance.
Guidelines for IT equipment usage IT equipment ISM-1551 2 Jun-24 Yes Yes Yes Yes Yes No No No An IT equipment management policy is developed, implemented Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology management policy and maintained. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage IT equipment selection ISM-1857 1 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment is chosen from vendors that have demonstrated a Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology commitment to secure-by-design and secure-by-default principles, governance of the CSP and the CSP common infrastructure is used
Equipment use of memory-safe programming languages where possible, should be captured by the across different services
secure programming practices, and maintaining the security of common controls Not Assessed Not Assessed Not Assessed
their products.

Guidelines for IT equipment usage Hardening IT equipment ISM-1913 1 Jun-24 Yes Yes Yes Yes Yes No No No Approved configurations for IT equipment are developed, Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology configurations implemented and maintained. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls
Guidelines for IT equipment usage Hardening IT equipment ISM-1858 3 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment is hardened using ASD and vendor hardening Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology configurations guidance, with the most restrictive guidance taking precedence governance of the CSP and the CSP common infrastructure is used
Equipment when conflicts occur. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage IT equipment registers ISM-0336 9 Jun-24 Yes Yes Yes Yes Yes No No No A networked IT equipment register is developed, implemented, Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintained and verified on a regular basis. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage IT equipment registers ISM-1869 1 Jun-24 Yes Yes Yes Yes Yes No No No A non-networked IT equipment register is developed, Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology implemented, maintained and verified on a regular basis. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage Labelling IT equipment ISM-0294 5 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment, with the exception of high assurance IT equipment, Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology is labelled with protective markings reflecting its sensitivity or governance of the CSP and the CSP common infrastructure is used
Equipment classification. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage Labelling high assurance ISM-0296 7 Jun-24 No No No Yes Yes No No No ASD’s approval is sought before applying labels to external surfaces Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology IT equipment of high assurance IT equipment. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage Classifying IT equipment ISM-0293 6 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment is classified based on the highest sensitivity or Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology classification of data that it is approved for processing, storing or governance of the CSP and the CSP common infrastructure is used
Equipment communicating. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment usage Handling IT equipment ISM-1599 1 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment is handled in a manner suitable for its sensitivity or Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology classification. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment Maintenance and repairs ISM-1079 7 Jun-24 No No No Yes Yes No No No ASD’s approval is sought before undertaking any maintenance or Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs of high assurance IT repairs to high assurance IT equipment. governance of the CSP and the CSP common infrastructure is used
Equipment equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment On-site maintenance and ISM-0305 7 Jun-24 Yes Yes Yes Yes Yes No No No Maintenance and repairs of IT equipment is carried out on site by Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs repairs an appropriately cleared technician. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment On-site maintenance and ISM-0307 4 Jun-24 Yes Yes Yes Yes Yes No No No If an appropriately cleared technician is not used to undertake Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs repairs maintenance or repairs of IT equipment, the IT equipment and governance of the CSP and the CSP common infrastructure is used
Equipment associated media is sanitised before maintenance or repair work is should be captured by the across different services Not Assessed Not Assessed Not Assessed
undertaken. common controls

Guidelines for IT equipment On-site maintenance and ISM-0306 7 Jun-24 Yes Yes Yes Yes Yes No No No If an appropriately cleared technician is not used to undertake Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs repairs maintenance or repairs of IT equipment, the technician is escorted governance of the CSP and the CSP common infrastructure is used
Equipment by someone who: should be captured by the across different services
• is appropriately cleared and briefed common controls
• takes due care to ensure that data is not disclosed
• takes all responsible measures to ensure the integrity of the IT
equipment Not Assessed Not Assessed Not Assessed
• has the authority to direct the technician
• is sufficiently familiar with the IT equipment to understand the
work being performed.

Guidelines for IT equipment Off-site maintenance and ISM-0310 8 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment maintained or repaired off site is done so at facilities Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs repairs approved for handling the sensitivity or classification of the IT governance of the CSP and the CSP common infrastructure is used
Equipment equipment. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment Inspection of IT ISM-1598 1 Jun-24 Yes Yes Yes Yes Yes No No No Following maintenance or repair activities for IT equipment, the IT Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology maintenance and repairs equipment following equipment is inspected to confirm it retains its approved software governance of the CSP and the CSP common infrastructure is used
Equipment maintenance and repairs configuration and that no unauthorised modifications have taken should be captured by the across different services Not Assessed Not Assessed Not Assessed
place. common controls

Guidelines for IT equipment sanitisation IT equipment sanitisation ISM-0313 7 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment sanitisation processes, and supporting IT equipment Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction processes and sanitisation procedures, are developed, implemented and governance of the CSP and the CSP common infrastructure is used
Equipment procedures maintained. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation IT equipment destruction ISM-1741 2 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment destruction processes, and supporting IT equipment Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction processes and destruction procedures, are developed, implemented and governance of the CSP and the CSP common infrastructure is used
Equipment procedures maintained. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising IT equipment ISM-0311 7 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment containing media is sanitised by removing the media Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction from the IT equipment or by sanitising the media in situ. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising IT equipment ISM-1742 1 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment that cannot be sanitised is destroyed. Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising highly sensitive ISM-1218 5 Jun-24 No No No Yes Yes No No No IT equipment, including associated media, that is located overseas Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction IT equipment and has processed, stored or communicated AUSTEO or AGAO governance of the CSP and the CSP common infrastructure is used
Equipment data, is sanitised in situ. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising highly sensitive ISM-0312 7 Jun-24 No No No Yes Yes No No No IT equipment, including associated media, that is located overseas Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction IT equipment and has processed, stored or communicated AUSTEO or AGAO data governance of the CSP and the CSP common infrastructure is used
Equipment that cannot be sanitised in situ, is returned to Australia for should be captured by the across different services Not Assessed Not Assessed Not Assessed
destruction. common controls

Guidelines for IT equipment sanitisation Destroying high ISM-0315 9 Jun-24 No No No Yes Yes No No No High assurance IT equipment is destroyed prior to its disposal. Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction assurance IT equipment governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising printers and ISM-0317 3 Sep-18 Yes Yes Yes Yes Yes No No No At least three pages of random text with no blank areas are printed Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices on each colour printer cartridge or MFD print drum. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising printers and ISM-1219 2 Dec-21 Yes Yes Yes Yes Yes No No No MFD print drums and image transfer rollers are inspected and Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices destroyed if there is remnant toner which cannot be removed or a machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment print is visible on the image transfer roller. segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising printers and ISM-1220 2 Dec-21 Yes Yes Yes Yes Yes No No No Printer and MFD platens are inspected and destroyed if any text or Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices images are retained on the platen. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising printers and ISM-1221 1 Sep-18 Yes Yes Yes Yes Yes No No No Printers and MFDs are checked to ensure no pages are trapped in Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices the paper path due to a paper jam. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising printers and ISM-0318 3 Sep-18 Yes Yes Yes Yes Yes No No No When unable to sanitise printer cartridges or MFD print drums, Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices they are destroyed as per electrostatic memory devices. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising printers and ISM-1534 0 Sep-18 Yes Yes Yes Yes Yes No No No Printer ribbons in printers and MFDs are removed and destroyed. Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction multifunction devices machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising televisions and ISM-1076 2 Sep-18 Yes Yes Yes Yes Yes No No No Televisions and computer monitors with minor burn-in or image Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction computer monitors persistence are sanitised by displaying a solid white image on the governance of the CSP and the CSP common infrastructure is used
Equipment screen for an extended period of time. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment sanitisation Sanitising televisions and ISM-1222 1 Sep-18 Yes Yes Yes Yes Yes No No No Televisions and computer monitors that cannot be sanitised are Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction computer monitors destroyed. governance of the CSP and the CSP common infrastructure is used
Equipment should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls
Guidelines for IT equipment sanitisation Sanitising network ISM-1223 6 Dec-21 Yes Yes Yes Yes Yes No No No Memory in network devices is sanitised using the following Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology and destruction devices processes, in order of preference: governance of the CSP and the CSP common infrastructure is used
Equipment • following device-specific guidance provided in evaluation should be captured by the across different services
documentation common controls
• following vendor sanitisation guidance Not Assessed Not Assessed Not Assessed
• loading a dummy configuration file, performing a factory reset
and then reinstalling firmware.

Guidelines for IT equipment sanitisation Sanitising fax machines ISM-1225 2 Sep-18 Yes Yes Yes Yes Yes No No No The paper tray of the fax machine is removed, and a fax message Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction with a minimum length of four pages is transmitted, before the machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment paper tray is re-installed to allow a fax summary page to be segregated from administrative in the cloud production in the cloud production
printed. endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment sanitisation Sanitising fax machines ISM-1226 2 Sep-18 Yes Yes Yes Yes Yes No No No Fax machines are checked to ensure no pages are trapped in the Not applicable unless MFDs/fax Not applicable as it is assumed Not applicable as it is assumed
Information Technology and destruction paper path due to a paper jam. machines are not adequately there are no MFDs/fax machines there are no MFDs/fax machines
Equipment segregated from administrative in the cloud production in the cloud production
endpoints and customer data environment environment Not Assessed Not Assessed Not Assessed

Guidelines for IT equipment disposal IT equipment disposal ISM-1550 3 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment disposal processes, and supporting IT equipment Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology processes and disposal procedures, are developed, implemented and maintained. governance of the CSP and the CSP common infrastructure is used
Equipment procedures should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment disposal Disposal of IT equipment ISM-1217 3 Jun-24 Yes Yes Yes Yes Yes No No No Labels and markings indicating the owner, sensitivity, classification Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology or any other marking that can associate IT equipment with its prior governance of the CSP and the CSP common infrastructure is used
Equipment use are removed prior to its disposal. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment disposal Disposal of IT equipment ISM-0321 6 Jun-24 No No No Yes Yes No No No When disposing of IT equipment that has been designed or Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology modified to meet emanation security standards, ASD is contacted governance of the CSP and the CSP common infrastructure is used
Equipment for requirements relating to its disposal. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for IT equipment disposal Disposal of IT equipment ISM-0316 4 Jun-24 Yes Yes Yes Yes Yes No No No Following sanitisation, destruction or declassification, a formal Not applicable as it relates to the Applicable to the governance of Not applicable as it is highly likely
Information Technology administrative decision is made to release IT equipment, or its governance of the CSP and the CSP common infrastructure is used
Equipment waste, into the public domain. should be captured by the across different services Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Media Media usage Media management ISM-1549 1 Dec-22 Yes Yes Yes Yes Yes No No No A media management policy is developed, implemented and Applicable to administrative Applicable Not applicable as it is highly likely
policy maintained. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Removable media usage ISM-1359 4 Dec-22 Yes Yes Yes Yes Yes No No No A removable media usage policy is developed, implemented and Applicable to administrative Applicable Not applicable as it is highly likely
policy maintained. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Removable media ISM-1713 2 Dec-22 Yes Yes Yes Yes Yes No No No A removable media register is developed, implemented, Applicable to administrative Applicable Not applicable as it is highly likely
register maintained and verified on a regular basis. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Labelling media ISM-0332 5 Jun-24 Yes Yes Yes Yes Yes No No No Media, with the exception of internally mounted fixed media Applicable to administrative Applicable Not applicable as it is highly likely
within information technology equipment, is labelled with endpoints common infrastructure is used
protective markings reflecting its sensitivity or classification. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Classifying media ISM-0323 8 Dec-21 Yes Yes Yes Yes Yes No No No Media is classified to the highest sensitivity or classification of data Applicable to administrative Applicable Not applicable as it is highly likely
it stores, unless the media has been classified to a higher sensitivity endpoints common infrastructure is used
or classification. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Classifying media ISM-0337 6 Dec-21 Yes Yes Yes Yes Yes No No No Media is only used with systems that are authorised to process, Applicable to administrative Applicable Not applicable as it is highly likely
store or communicate its sensitivity or classification. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Reclassifying media ISM-0325 6 Apr-21 Yes Yes Yes Yes Yes No No No Any media connected to a system with a higher sensitivity or Applicable to administrative Applicable Not applicable as it is highly likely
classification than the media is reclassified to the higher sensitivity endpoints common infrastructure is used
or classification, unless the media is read-only or the system has a across different services
mechanism through which read-only access can be ensured. Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Reclassifying media ISM-0330 7 Mar-22 Yes Yes Yes Yes Yes No No No Before reclassifying media to a lower sensitivity or classification, Applicable to administrative Applicable Not applicable as it is highly likely
the media is sanitised or destroyed, and a formal administrative endpoints common infrastructure is used
decision is made to reclassify it. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Handling media ISM-0831 5 Sep-18 Yes Yes Yes Yes Yes No No No Media is handled in a manner suitable for its sensitivity or Applicable to administrative Applicable Not applicable as it is highly likely
classification. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Handling media ISM-1059 4 Dec-21 Yes Yes Yes Yes Yes No No No All data stored on media is encrypted. Applicable to administrative Applicable Not applicable as it is highly likely
endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Sanitising media before ISM-1600 1 Apr-21 Yes Yes Yes Yes Yes No No No Media is sanitised before it is used for the first time. Applicable to administrative Applicable Not applicable as it is highly likely
first use endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Sanitising media before ISM-1642 0 Apr-21 Yes Yes Yes Yes Yes No No No Media is sanitised before it is reused in a different security domain. Applicable to administrative Applicable Not applicable as it is highly likely
first use endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media usage Using media for data ISM-0347 5 Apr-21 Yes Yes Yes Yes Yes No No No When transferring data manually between two systems belonging Applicable to administrative Applicable Not applicable as it is highly likely
transfers to different security domains, write-once media is used unless the endpoints common infrastructure is used
destination system has a mechanism through which read-only across different services Not Assessed Not Assessed Not Assessed
access can be ensured.

Guidelines for Media Media usage Using media for data ISM-0947 6 Apr-21 Yes Yes Yes Yes Yes No No No When transferring data manually between two systems belonging Applicable to administrative Applicable Not applicable as it is highly likely
transfers to different security domains, rewritable media is sanitised after endpoints common infrastructure is used
each data transfer. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Media sanitisation ISM-0348 5 Dec-22 Yes Yes Yes Yes Yes No No No Media sanitisation processes, and supporting media sanitisation Applicable to administrative Applicable Not applicable as it is highly likely
processes and procedures, are developed, implemented and maintained. endpoints common infrastructure is used
procedures across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Volatile media ISM-0351 6 Dec-21 Yes Yes Yes Yes Yes No No No Volatile media is sanitised by removing its power for at least 10 Applicable to administrative Applicable Not applicable as it is highly likely
sanitisation minutes. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Volatile media ISM-0352 4 Dec-21 No No No Yes Yes No No No SECRET and TOP SECRET volatile media is sanitised by overwriting it Applicable to administrative Applicable Not applicable as it is highly likely
sanitisation at least once in its entirety with a random pattern followed by a endpoints common infrastructure is used
read back for verification. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Treatment of volatile ISM-0835 4 Dec-21 No No No No Yes No No No Following sanitisation, TOP SECRET volatile media retains its Applicable to administrative Applicable Not applicable as it is highly likely
media following classification if it stored static data for an extended period of time, endpoints common infrastructure is used
sanitisation or had data repeatedly stored on or written to the same memory across different services Not Assessed Not Assessed Not Assessed
location for an extended period of time.

Guidelines for Media Media sanitisation Non-volatile magnetic ISM-0354 6 Dec-21 Yes Yes Yes Yes Yes No No No Non-volatile magnetic media is sanitised by overwriting it at least Applicable to administrative Applicable Not applicable as it is highly likely
media sanitisation once (or three times if pre-2001 or under 15 GB) in its entirety with endpoints common infrastructure is used
a random pattern followed by a read back for verification. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Non-volatile magnetic ISM-1065 3 Dec-21 Yes Yes Yes Yes Yes No No No The host-protected area and device configuration overlay table are Applicable to administrative Applicable Not applicable as it is highly likely
media sanitisation reset prior to the sanitisation of non-volatile magnetic hard drives. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Non-volatile magnetic ISM-1067 4 Dec-21 Yes Yes Yes Yes Yes No No No The ATA secure erase command is used, in addition to block Applicable to administrative Applicable Not applicable as it is highly likely
media sanitisation overwriting software, to ensure the growth defects table of non- endpoints common infrastructure is used
volatile magnetic hard drives is overwritten. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Treatment of non-volatile ISM-0356 6 Dec-21 No No No Yes Yes No No No Following sanitisation, SECRET and TOP SECRET non-volatile Applicable to administrative Applicable Not applicable as it is highly likely
magnetic media following magnetic media retains its classification. endpoints common infrastructure is used
sanitisation across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Non-volatile erasable ISM-0357 5 Dec-21 Yes Yes Yes Yes Yes No No No Non-volatile EPROM media is sanitised by applying three times the Applicable to administrative Applicable Not applicable as it is highly likely
programmable read-only manufacturer’s specified ultraviolet erasure time and then endpoints common infrastructure is used
memory media overwriting it at least once in its entirety with a random pattern across different services Not Assessed Not Assessed Not Assessed
sanitisation followed by a read back for verification.
Guidelines for Media Media sanitisation Non-volatile electrically ISM-0836 3 Dec-21 Yes Yes Yes Yes Yes No No No Non-volatile EEPROM media is sanitised by overwriting it at least Applicable to administrative Applicable Not applicable as it is highly likely
erasable programmable once in its entirety with a random pattern followed by a read back endpoints common infrastructure is used
read-only memory media for verification. across different services
sanitisation Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Treatment of non-volatile ISM-0358 6 Dec-21 No No No Yes Yes No No No Following sanitisation, SECRET and TOP SECRET non-volatile Applicable to administrative Applicable Not applicable as it is highly likely
erasable and electrically EPROM and EEPROM media retains its classification. endpoints common infrastructure is used
erasable programmable across different services
read-only memory media Not Assessed Not Assessed Not Assessed
following sanitisation

Guidelines for Media Media sanitisation Non-volatile flash ISM-0359 4 Dec-21 Yes Yes Yes Yes Yes No No No Non-volatile flash memory media is sanitised by overwriting it at Applicable to administrative Applicable Not applicable as it is highly likely
memory media least twice in its entirety with a random pattern followed by a read endpoints common infrastructure is used
sanitisation back for verification. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Treatment of non-volatile ISM-0360 6 Dec-21 No No No Yes Yes No No No Following sanitisation, SECRET and TOP SECRET non-volatile flash Applicable to administrative Applicable Not applicable as it is highly likely
flash memory media memory media retains its classification. endpoints common infrastructure is used
following sanitisation across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media sanitisation Media that cannot be ISM-1735 1 Sep-24 Yes Yes Yes Yes Yes No No No Media that cannot be successfully sanitised is destroyed prior to its Applicable to administrative Applicable Not applicable as it is highly likely
successfully sanitised disposal. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-0363 4 Dec-22 Yes Yes Yes Yes Yes No No No Media destruction processes, and supporting media destruction Applicable to administrative Applicable Not applicable as it is highly likely
processes and procedures, are developed, implemented and maintained. endpoints common infrastructure is used
procedures across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media that cannot be ISM-0350 5 Dec-21 Yes Yes Yes Yes Yes No No No The following media types are destroyed prior to their disposal: Applicable to administrative Applicable Not applicable as it is highly likely
sanitised • microfiche and microfilm endpoints common infrastructure is used
• optical discs across different services
• programmable read-only memory
• read-only memory Not Assessed Not Assessed Not Assessed
• other types of media that cannot be sanitised.

Guidelines for Media Media destruction Media destruction ISM-1361 3 Jun-22 Yes Yes Yes Yes Yes No No No Security Construction and Equipment Committee-approved Applicable to administrative Applicable Not applicable as it is highly likely
equipment equipment or ASIO-approved equipment is used when destroying endpoints common infrastructure is used
media. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1160 2 Aug-20 Yes Yes Yes Yes Yes No No No If using degaussers to destroy media, degaussers evaluated by the Applicable to administrative Applicable Not applicable as it is highly likely
equipment United States’ National Security Agency are used. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1517 0 Sep-18 Yes Yes Yes Yes Yes No No No Equipment that is capable of reducing microform to a fine powder, Applicable to administrative Applicable Not applicable as it is highly likely
methods with resultant particles not showing more than five consecutive endpoints common infrastructure is used
characters per particle upon microscopic inspection, is used to across different services Not Assessed Not Assessed Not Assessed
destroy microfiche and microfilm.

Guidelines for Media Media destruction Media destruction ISM-1722 1 Mar-22 Yes Yes Yes Yes Yes No No No Electrostatic memory devices are destroyed using a Applicable to administrative Applicable Not applicable as it is highly likely
methods furnace/incinerator, hammer mill, disintegrator or grinder/sander. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1723 1 Mar-22 Yes Yes Yes Yes Yes No No No Magnetic floppy disks are destroyed using a furnace/incinerator, Applicable to administrative Applicable Not applicable as it is highly likely
methods hammer mill, disintegrator, degausser or by cutting. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1724 1 Mar-22 Yes Yes Yes Yes Yes No No No Magnetic hard disks are destroyed using a furnace/incinerator, Applicable to administrative Applicable Not applicable as it is highly likely
methods hammer mill, disintegrator, grinder/sander or degausser. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1725 1 Mar-22 Yes Yes Yes Yes Yes No No No Magnetic tapes are destroyed using a furnace/incinerator, hammer Applicable to administrative Applicable Not applicable as it is highly likely
methods mill, disintegrator, degausser or by cutting. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1726 1 Mar-22 Yes Yes Yes Yes Yes No No No Optical disks are destroyed using a furnace/incinerator, hammer Applicable to administrative Applicable Not applicable as it is highly likely
methods mill, disintegrator, grinder/sander or by cutting. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-1727 1 Mar-22 Yes Yes Yes Yes Yes No No No Semiconductor memory is destroyed using a furnace/incinerator, Applicable to administrative Applicable Not applicable as it is highly likely
methods hammer mill or disintegrator. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Media destruction ISM-0368 8 Mar-22 Yes Yes Yes Yes Yes No No No Media destroyed using a hammer mill, disintegrator, Applicable to administrative Applicable Not applicable as it is highly likely
methods grinder/sander or by cutting results in media waste particles no endpoints common infrastructure is used
larger than 9 mm. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Treatment of media ISM-1728 0 Dec-21 No No No Yes No No No No The resulting media waste particles from the destruction of SECRET Applicable to administrative Applicable Not applicable as it is highly likely
waste particles media is stored and handled as OFFICIAL if less than or equal to 3 endpoints common infrastructure is used
mm, PROTECTED if greater than 3 mm and less than or equal to 6 across different services
mm, or SECRET if greater than 6 mm and less than or equal to 9 Not Assessed Not Assessed Not Assessed
mm.

Guidelines for Media Media destruction Treatment of media ISM-1729 0 Dec-21 No No No No Yes No No No The resulting media waste particles from the destruction of TOP Applicable to administrative Applicable Not applicable as it is highly likely
waste particles SECRET media is stored and handled as OFFICIAL if less than or endpoints common infrastructure is used
equal to 3 mm, or SECRET if greater than 3 mm and less than or across different services Not Assessed Not Assessed Not Assessed
equal to 9 mm.

Guidelines for Media Media destruction Degaussing magnetic ISM-0361 4 Dec-21 Yes Yes Yes Yes Yes No No No Magnetic media is destroyed using a degausser with a suitable Applicable to administrative Applicable Not applicable as it is highly likely
media magnetic field strength and magnetic orientation. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Degaussing magnetic ISM-0362 4 Mar-22 Yes Yes Yes Yes Yes No No No Product-specific directions provided by degausser manufacturers Applicable to administrative Applicable Not applicable as it is highly likely
media are followed. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Degaussing magnetic ISM-1641 2 Mar-22 Yes Yes Yes Yes Yes No No No Following the use of a degausser, magnetic media is physically Applicable to administrative Applicable Not applicable as it is highly likely
media damaged by deforming any internal platters. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Supervision of ISM-0370 6 Sep-23 Yes Yes Yes Yes Yes No No No The destruction of media is performed under the supervision of at Applicable to administrative Applicable Not applicable as it is highly likely
destruction least one cleared person. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Supervision of ISM-0371 4 Dec-21 Yes Yes Yes Yes Yes No No No Personnel supervising the destruction of media supervise its Applicable to administrative Applicable Not applicable as it is highly likely
destruction handling to the point of destruction and ensure that the endpoints common infrastructure is used
destruction is completed successfully. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Supervision of ISM-0372 6 Sep-23 Yes Yes Yes Yes Yes No No No The destruction of media storing accountable material is Applicable to administrative Applicable Not applicable as it is highly likely
accountable material performed under the supervision of at least two cleared personnel. endpoints common infrastructure is used
destruction across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Supervision of ISM-0373 4 Dec-21 Yes Yes Yes Yes Yes No No No Personnel supervising the destruction of media storing accountable Applicable to administrative Applicable Not applicable as it is highly likely
accountable material material supervise its handling to the point of destruction, ensure endpoints common infrastructure is used
destruction that the destruction is completed successfully and sign a across different services Not Assessed Not Assessed Not Assessed
destruction certificate afterwards.

Guidelines for Media Media destruction Outsourcing media ISM-0839 3 Dec-21 No Yes Yes Yes Yes No No No The destruction of media storing accountable material is not Applicable to administrative Applicable Not applicable as it is highly likely
destruction outsourced. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media destruction Outsourcing media ISM-0840 4 Jun-22 No Yes Yes Yes No No No No When outsourcing the destruction of media storing non- Applicable to administrative Applicable Not applicable as it is highly likely
destruction accountable material, a National Association for Information endpoints common infrastructure is used
Destruction AAA certified destruction service with endorsements, across different services
as specified in ASIO’s Protective Security Circular-167, is used. Not Assessed Not Assessed Not Assessed

Guidelines for Media Media disposal Media disposal processes ISM-0374 4 Dec-22 Yes Yes Yes Yes Yes No No No Media disposal processes, and supporting media disposal Applicable to administrative Applicable Not applicable as it is highly likely
and procedures procedures, are developed, implemented and maintained. endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed
Guidelines for Media Media disposal Disposal of media ISM-0378 4 Dec-21 Yes Yes Yes Yes Yes No No No Labels and markings indicating the owner, sensitivity, classification Applicable to administrative Applicable Not applicable as it is highly likely
or any other marking that can associate media with its prior use are endpoints common infrastructure is used
removed prior to its disposal. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Media Media disposal Disposal of media ISM-0375 6 Dec-21 Yes Yes Yes Yes Yes No No No Following sanitisation, destruction or declassification, a formal Applicable to administrative Applicable Not applicable as it is highly likely
administrative decision is made to release media, or its waste, into endpoints common infrastructure is used
the public domain. across different services Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Operating system ISM-1743 1 Mar-23 Yes Yes Yes Yes Yes No No No Operating systems are chosen from vendors that have Applicable to administrative Applicable Not applicable as it is highly likely
Hardening hardening selection demonstrated a commitment to secure-by-design and secure-by- endpoints common infrastructure is used
default principles, use of memory-safe programming languages across different services
where possible, secure programming practices, and maintaining Not Assessed Not Assessed Not Assessed
the security of their products.

Guidelines for System Operating system Operating system ISM-1407 5 Dec-22 Yes Yes Yes Yes Yes No No Yes The latest release, or the previous release, of operating systems Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening releases and versions are used. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Operating system ISM-1408 5 Dec-22 Yes Yes Yes Yes Yes No No No Where supported, 64-bit versions of operating systems are used. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening releases and versions endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Standard Operating ISM-1406 2 Aug-20 Yes Yes Yes Yes Yes No No No SOEs are used for workstations and servers. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Environments endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Standard Operating ISM-1608 1 Mar-22 Yes Yes Yes Yes Yes No No No SOEs provided by third parties are scanned for malicious code and Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Environments configurations. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Standard Operating ISM-1588 0 Aug-20 Yes Yes Yes Yes Yes No No No SOEs are reviewed and updated at least annually. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Environments endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1914 0 Mar-24 Yes Yes Yes Yes Yes No No No Approved configurations for operating systems are developed, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations implemented and maintained. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1409 4 Dec-23 Yes Yes Yes Yes Yes No No No Operating systems are hardened using ASD and vendor hardening Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations guidance, with the most restrictive guidance taking precedence endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
when conflicts occur. as customer systems
Guidelines for System Operating system Hardening operating ISM-0380 10 Dec-24 Yes Yes Yes Yes Yes No No No Unneeded user accounts, components, services and functionality Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations of operating systems are disabled or removed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-0383 9 Dec-24 Yes Yes Yes Yes Yes No No No Default user accounts or credentials for operating systems, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations including for any pre-configured user accounts, are changed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-0341 4 Dec-21 Yes Yes Yes Yes Yes No No No Automatic execution features for removable media are disabled. Applicable to administrative Applicable Not applicable as it is highly likely
Hardening hardening system configurations endpoints common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Hardening operating ISM-1654 0 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Internet Explorer 11 is disabled or removed. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1655 0 Sep-21 Yes Yes Yes Yes Yes No No Yes .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations removed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1492 2 Mar-22 Yes Yes Yes Yes Yes No No No Operating system exploit protection functionality is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1745 0 Mar-22 Yes Yes Yes Yes Yes No No No Early Launch Antimalware, Secure Boot, Trusted Boot and Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations Measured Boot functionality is enabled. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1584 1 Sep-21 Yes Yes Yes Yes Yes No No No Unprivileged users are prevented from bypassing, disabling or Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations modifying security functionality of operating systems. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Hardening operating ISM-1491 3 Mar-22 Yes Yes Yes Yes Yes No No No Unprivileged users are prevented from running script execution Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening system configurations engines, including: endpoints production environments as well or service
• Windows Script Host (cscript.exe and wscript.exe) as customer systems
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe) Not Assessed Not Assessed Not Assessed
• Microsoft Hypertext Markup Language (HTML) Application Host
(mshta.exe).

Guidelines for System Operating system Application management ISM-1592 1 Mar-22 Yes Yes Yes Yes Yes No No No Unprivileged users do not have the ability to install unapproved Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening software. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application management ISM-0382 7 Mar-22 Yes Yes Yes Yes Yes No No No Unprivileged users do not have the ability to uninstall or disable Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening approved software. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-0843 9 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Application control is implemented on workstations. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1490 3 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Application control is implemented on internet-facing servers. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1656 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Application control is implemented on non-internet-facing servers. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1870 0 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes Application control is applied to user profiles and temporary Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening folders used by operating systems, web browsers and email clients. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1871 0 Sep-23 Yes Yes Yes Yes Yes No Yes Yes Application control is applied to all locations other than user Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening profiles and temporary folders used by operating systems, web endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
browsers and email clients. as customer systems
Guidelines for System Operating system Application control ISM-1657 0 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Application control restricts the execution of executables, software Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening libraries, scripts, installers, compiled HTML, HTML applications and endpoints production environments as well or service
control panel applets to an organisation-approved set. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Application control ISM-1658 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Application control restricts the execution of drivers to an Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening organisation-approved set. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-0955 6 Apr-20 Yes Yes Yes Yes Yes No No No Application control is implemented using cryptographic hash rules, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening publisher certificate rules or path rules. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1471 3 Jun-24 Yes Yes Yes Yes Yes No No No When implementing application control using publisher certificate Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening rules, publisher names and product names are used. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1392 4 Mar-23 Yes Yes Yes Yes Yes No No No When implementing application control using path rules, only Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening approved users can modify approved files and write to approved endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
folders. as customer systems
Guidelines for System Operating system Application control ISM-1746 1 Mar-23 Yes Yes Yes Yes Yes No No No When implementing application control using path rules, only Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening approved users can change file system permissions for approved endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
files and folders. as customer systems
Guidelines for System Operating system Application control ISM-1544 3 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Microsoft’s recommended application blocklist is implemented. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1659 1 Dec-23 Yes Yes Yes Yes Yes No No Yes Microsoft’s vulnerable driver blocklist is implemented. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-1582 1 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Application control rulesets are validated on an annual or more Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening frequent basis. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Application control ISM-0846 8 Mar-22 Yes Yes Yes Yes Yes No No No All users (with the exception of local administrator accounts and Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening break glass accounts) cannot disable, bypass or be exempted from endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
application control. as customer systems
Guidelines for System Operating system Application control ISM-1660 2 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Allowed and blocked application control events are centrally Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Command Shell ISM-1889 0 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Command line process creation events are centrally logged. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system PowerShell ISM-1621 1 Sep-21 Yes Yes Yes Yes Yes No No Yes Windows PowerShell 2.0 is disabled or removed. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system PowerShell ISM-1622 0 Oct-20 Yes Yes Yes Yes Yes No No Yes PowerShell is configured to use Constrained Language Mode. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system PowerShell ISM-1623 1 Dec-23 Yes Yes Yes Yes Yes No Yes Yes PowerShell module logging, script block logging and transcription Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening events are centrally logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system PowerShell ISM-1624 0 Oct-20 Yes Yes Yes Yes Yes No No No PowerShell script block logs are protected by Protected Event Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Logging functionality. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Host-based Intrusion ISM-1341 2 Sep-18 Yes Yes Yes Yes Yes No No No A HIPS is implemented on workstations. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Prevention System endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Host-based Intrusion ISM-1034 7 Mar-22 Yes Yes Yes Yes Yes No No No A HIPS is implemented on critical servers and high-value servers. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Prevention System endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Software firewall ISM-1416 3 Mar-22 Yes Yes Yes Yes Yes No No No A software firewall is implemented on workstations and servers to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening restrict inbound and outbound network connections to an endpoints production environments as well or service
organisation-approved set of applications and services. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Antivirus software ISM-1417 4 Mar-22 Yes Yes Yes Yes Yes No No No Antivirus software is implemented on workstations and servers Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening with: endpoints production environments as well or service
• signature-based detection functionality enabled and set to a high as customer systems
level
• heuristic-based detection functionality enabled and set to a high
level
• reputation rating functionality enabled
• ransomware protection functionality enabled Not Assessed Not Assessed Not Assessed
• detection signatures configured to update on at least a daily basis
• regular scanning configured for all fixed disks and removable
media.

Guidelines for System Operating system Device access control ISM-1418 4 Mar-22 Yes Yes Yes Yes Yes No No No If there is no business requirement for reading from removable Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening software media and devices, such functionality is disabled via the use of endpoints production environments as well or service
device access control software or by disabling external as customer systems Not Assessed Not Assessed Not Assessed
communication interfaces.

Guidelines for System Operating system Device access control ISM-0343 6 Mar-22 Yes Yes Yes Yes Yes No No No If there is no business requirement for writing to removable media Applicable to administrative Applicable Not applicable as it is highly likely
Hardening hardening software and devices, such functionality is disabled via the use of device endpoints common infrastructure is used
access control software or by disabling external communication across different services Not Assessed Not Assessed Not Assessed
interfaces.

Guidelines for System Operating system Device access control ISM-0345 6 Dec-21 Yes Yes Yes Yes Yes No No No External communication interfaces that allow DMA are disabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening software endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Operating system Operating system event ISM-1976 0 Dec-24 Yes Yes Yes Yes Yes No No No Security-relevant events for Apple macOS operating systems are Not applicable as the context of Applicable to common cloud Applicable if different per system
Hardening hardening logging centrally logged. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Operating system event ISM-1977 0 Dec-24 Yes Yes Yes Yes Yes No No No Security-relevant events for Linux operating systems are centrally Not applicable as the context of Applicable to common cloud Applicable if different per system
Hardening hardening logging logged. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Operating system Operating system event ISM-0582 10 Dec-24 Yes Yes Yes Yes Yes No No No Security-relevant events for Microsoft Windows operating systems Not applicable as the context of Applicable to common cloud Applicable if different per system
Hardening hardening logging are centrally logged. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System User application User application selection ISM-0938 6 Mar-23 Yes Yes Yes Yes Yes No No No User applications are chosen from vendors that have Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening demonstrated a commitment to secure-by-design and secure-by- endpoints production environments as well or service
default principles, use of memory-safe programming languages as customer systems
where possible, secure programming practices, and maintaining Not Assessed Not Assessed Not Assessed
the security of their products.

Guidelines for System User application User application releases ISM-1467 3 Mar-22 Yes Yes Yes Yes Yes No No No The latest release of office productivity suites, web browsers and Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening their extensions, email clients, PDF software, and security products endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
are used. as customer systems
Guidelines for System User application Hardening user ISM-1915 0 Mar-24 Yes Yes Yes Yes Yes No No No Approved configurations for user applications are developed, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application implemented and maintained. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1806 2 Dec-24 Yes Yes Yes Yes Yes No No No Default user accounts or credentials for user applications, including Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application for any pre-configured user accounts, are changed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1470 5 Mar-22 Yes Yes Yes Yes Yes No No No Unneeded components, services and functionality of office Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application productivity suites, web browsers, email clients, PDF software and endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations security products are disabled or removed. as customer systems
Guidelines for System User application Hardening user ISM-1235 4 Mar-22 Yes Yes Yes Yes Yes No No No Add-ons, extensions and plug-ins for office productivity suites, web Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application browsers, email clients, PDF software and security products are endpoints production environments as well or service
configurations restricted to an organisation-approved set. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System User application Hardening user ISM-1667 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Microsoft Office is blocked from creating child processes. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1668 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Microsoft Office is blocked from creating executable content. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1669 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Microsoft Office is blocked from injecting code into other Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application processes. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1542 0 Jan-19 Yes Yes Yes Yes Yes No Yes Yes Microsoft Office is configured to prevent activation of Object Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application Linking and Embedding packages. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1859 2 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Office productivity suites are hardened using ASD and vendor Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application hardening guidance, with the most restrictive guidance taking endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations precedence when conflicts occur. as customer systems
Guidelines for System User application Hardening user ISM-1823 0 Mar-23 Yes Yes Yes Yes Yes No Yes Yes Office productivity suite security settings cannot be changed by Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application users. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1486 1 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Web browsers do not process Java from the internet. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1485 1 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Web browsers do not process web advertisements from the Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application internet. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1412 6 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Web browsers are hardened using ASD and vendor hardening Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application guidance, with the most restrictive guidance taking precedence endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations when conflicts occur. as customer systems
Guidelines for System User application Hardening user ISM-1585 2 Mar-23 Yes Yes Yes Yes Yes Yes Yes Yes Web browser security settings cannot be changed by users. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1670 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes PDF software is blocked from creating child processes. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1860 2 Dec-23 Yes Yes Yes Yes Yes No Yes Yes PDF software is hardened using ASD and vendor hardening Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application guidance, with the most restrictive guidance taking precedence endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations when conflicts occur. as customer systems
Guidelines for System User application Hardening user ISM-1824 0 Mar-23 Yes Yes Yes Yes Yes No Yes Yes PDF software security settings cannot be changed by users. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1601 1 Mar-22 Yes Yes Yes Yes Yes No No No Microsoft’s attack surface reduction rules are implemented. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1748 1 Mar-23 Yes Yes Yes Yes Yes No No No Email client security settings cannot be changed by users. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Hardening user ISM-1825 0 Mar-23 Yes Yes Yes Yes Yes No No No Security product security settings cannot be changed by users. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System User application Microsoft Office macros ISM-1671 0 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Microsoft Office macros are disabled for users that do not have a Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening demonstrated business requirement. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1488 1 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Microsoft Office macros in files originating from the internet are Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening blocked. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1672 0 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Microsoft Office macro antivirus scanning is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1673 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Microsoft Office macros are blocked from making Win32 API calls. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1674 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Only Microsoft Office macros running from within a sandboxed Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening environment, a Trusted Location or that are digitally signed by a endpoints production environments as well or service
trusted publisher are allowed to execute. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System User application Microsoft Office macros ISM-1890 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Microsoft Office macros are checked to ensure they are free of Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening malicious code before being digitally signed or placed within endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Trusted Locations. as customer systems
Guidelines for System User application Microsoft Office macros ISM-1487 2 Dec-23 Yes Yes Yes Yes Yes No No Yes Only privileged users responsible for checking that Microsoft Office Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening macros are free of malicious code can write to and modify content endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
within Trusted Locations. as customer systems
Guidelines for System User application Microsoft Office macros ISM-1675 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Microsoft Office macros digitally signed by an untrusted publisher Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening cannot be enabled via the Message Bar or Backstage View. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1891 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Microsoft Office macros digitally signed by signatures other than Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening V3 signatures cannot be enabled via the Message Bar or Backstage endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
View. as customer systems
Guidelines for System User application Microsoft Office macros ISM-1676 0 Sep-21 Yes Yes Yes Yes Yes No No Yes Microsoft Office’s list of trusted publishers is validated on an Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening annual or more frequent basis. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System User application Microsoft Office macros ISM-1489 0 Sep-18 Yes Yes Yes Yes Yes Yes Yes Yes Microsoft Office macro security settings cannot be changed by Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening users. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Server application ISM-1826 0 Mar-23 Yes Yes Yes Yes Yes No No No Server applications are chosen from vendors that have Applicable Applicable to common cloud Applicable if different per system
Hardening hardening selection demonstrated a commitment to secure-by-design and secure-by- production environments as well or service
default principles, use of memory-safe programming languages as customer systems
where possible, secure programming practices, and maintaining Not Assessed Not Assessed Not Assessed
the security of their products.

Guidelines for System Server application Server application ISM-1483 2 Mar-23 Yes Yes Yes Yes Yes No No No The latest release of internet-facing server applications are used. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening releases endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Hardening server ISM-1916 0 Mar-24 Yes Yes Yes Yes Yes No No No Approved configurations for server applications are developed, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application implemented and maintained. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System Server application Hardening server ISM-1246 6 Dec-23 Yes Yes Yes Yes Yes No No No Server applications are hardened using ASD and vendor hardening Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application guidance, with the most restrictive guidance taking precedence endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations when conflicts occur. as customer systems
Guidelines for System Server application Hardening server ISM-1260 5 Dec-24 Yes Yes Yes Yes Yes No No No Default user accounts or credentials for server applications, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application including for any pre-configured user accounts, are changed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System Server application Hardening server ISM-1247 5 Dec-24 Yes Yes Yes Yes Yes No No No Unneeded user accounts, components, services and functionality Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application of server applications are disabled or removed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations as customer systems
Guidelines for System Server application Hardening server ISM-1245 3 Mar-23 Yes Yes Yes Yes Yes No No No All temporary installation files and logs created during server Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening application application installation processes are removed after server endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
configurations applications have been installed. as customer systems
Guidelines for System Server application Restricting privileges for ISM-1249 4 Dec-24 Yes Yes Yes Yes Yes No No No Server applications are configured to run as a separate user Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening server applications account with the minimum privileges needed to perform their endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
functions. as customer systems
Guidelines for System Server application Restricting privileges for ISM-1250 3 Dec-24 Yes Yes Yes Yes Yes No No No The user accounts under which server applications run have limited Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening server applications access to their underlying server’s file system. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Microsoft Active ISM-1926 0 Sep-24 Yes Yes Yes Yes Yes No No No Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory services Microsoft AD FS servers and Microsoft Entra Connect servers are endpoints production environments as well or service
only used for their designed role and no other applications or as customer systems
services are installed, unless they are security related. Not Assessed Not Assessed Not Assessed

Guidelines for System Server application Microsoft Active ISM-1927 0 Sep-24 Yes Yes Yes Yes Yes No No No Access to Microsoft AD DS domain controllers, Microsoft AD CS CA Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory services servers, Microsoft AD FS servers and Microsoft Entra Connect endpoints production environments as well or service
servers is limited to privileged users that require access. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Server application Microsoft Active ISM-1928 0 Sep-24 Yes Yes Yes Yes Yes No No No Backups of Microsoft AD DS domain controllers, Microsoft AD CS Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory services CA servers, Microsoft AD FS servers and Microsoft Entra Connect endpoints production environments as well or service
servers are encrypted, stored securely and only accessible to as customer systems Not Assessed Not Assessed Not Assessed
backup administrator accounts.

Guidelines for System Server application Microsoft Active ISM-1830 2 Sep-24 Yes Yes Yes Yes Yes No No No Security-relevant events for Microsoft AD DS domain controllers, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory services Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft endpoints production environments as well or service
Entra Connect servers are centrally logged. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Server application Microsoft Active ISM-1827 0 Mar-23 Yes Yes Yes Yes Yes No No No Microsoft AD DS domain controllers are administered using Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain dedicated domain administrator user accounts that are not used to endpoints production environments as well or service
Services domain administer other systems. as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1929 0 Sep-24 Yes Yes Yes Yes Yes No No No Lightweight Directory Access Protocol signing is enabled on Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Microsoft AD DS domain controllers. endpoints production environments as well or service
Services domain as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1828 0 Mar-23 Yes Yes Yes Yes Yes No No No The Print Spooler service is disabled on Microsoft AD DS domain Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain controllers. endpoints production environments as well or service
Services domain as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1829 1 Sep-24 Yes Yes Yes Yes Yes No No No Passwords are not stored in Group Policy Preferences. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services domain as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1930 0 Sep-24 Yes Yes Yes Yes Yes No No No Passwords are prevented from being stored in Group Policy Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Preferences. endpoints production environments as well or service
Services domain as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1931 0 Sep-24 Yes Yes Yes Yes Yes No No No SID Filtering is enabled for domain and forest trusts. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services domain as customer systems Not Assessed Not Assessed Not Assessed
controllers

Guidelines for System Server application Microsoft Active ISM-1832 0 Mar-23 Yes Yes Yes Yes Yes No No No Only service accounts and computer accounts are configured with Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Service Principal Names (SPNs). endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1932 0 Sep-24 Yes Yes Yes Yes Yes No No No The number of service accounts configured with an SPN is Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain minimised. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1933 0 Sep-24 Yes Yes Yes Yes Yes No No No Service accounts configured with an SPN do not have DCSync Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain permissions. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1834 0 Mar-23 Yes Yes Yes Yes Yes No No No Duplicate SPNs do not exist within the domain. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1833 1 Sep-24 Yes Yes Yes Yes Yes No No No User accounts are provisioned with the minimum privileges Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain required. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening
Guidelines for System Server application Microsoft Active ISM-1934 0 Sep-24 Yes Yes Yes Yes Yes No No No User accounts with DCSync permissions are reviewed at least Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain annually, and those without an ongoing requirement for the endpoints production environments as well or service
Services account permissions have them removed. as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1835 0 Mar-23 Yes Yes Yes Yes Yes No No No Privileged user accounts are configured as sensitive and cannot be Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain delegated. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1935 0 Sep-24 Yes Yes Yes Yes Yes No No No Computer accounts are not configured for unconstrained Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain delegation. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1836 0 Mar-23 Yes Yes Yes Yes Yes No No No User accounts require Kerberos pre-authentication. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1837 0 Mar-23 Yes Yes Yes Yes Yes No No No User accounts are not configured with password never expires or Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain password not required. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1838 0 Mar-23 Yes Yes Yes Yes Yes No No No The UserPassword attribute for user accounts is not used. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1936 0 Sep-24 Yes Yes Yes Yes Yes No No No The sIDHistory attribute for user accounts is not used. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1937 0 Sep-24 Yes Yes Yes Yes Yes No No No User accounts are checked at least weekly for the presence of the Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain sIDHistory attribute. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1839 0 Mar-23 Yes Yes Yes Yes Yes No No No Account properties accessible by unprivileged users are not used to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain store passwords. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1840 0 Mar-23 Yes Yes Yes Yes Yes No No No User account passwords do not use reversible encryption. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1841 0 Mar-23 Yes Yes Yes Yes Yes No No No Unprivileged user accounts cannot add machines to the domain. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1842 1 Sep-24 Yes Yes Yes Yes Yes No No No Dedicated privileged service accounts are used to add machines to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain the domain. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1843 1 Sep-24 Yes Yes Yes Yes Yes No No No User accounts with unconstrained delegation are reviewed at least Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain annually, and those without an SPN or demonstrated business endpoints production environments as well or service
Services account requirement are removed. as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1844 0 Mar-23 Yes Yes Yes Yes Yes No No No Computer accounts that are not Microsoft AD DS domain Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain controllers are not trusted for delegation to services. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1938 0 Sep-24 Yes Yes Yes Yes Yes No No No The Domain Computers security group does not have write or Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain modify permissions to any Microsoft Active Directory objects. endpoints production environments as well or service
Services account as customer systems Not Assessed Not Assessed Not Assessed
hardening

Guidelines for System Server application Microsoft Active ISM-1620 1 Mar-23 Yes Yes Yes Yes Yes No No No Privileged user accounts are members of the Protected Users Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain security group. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1939 0 Sep-24 Yes Yes Yes Yes Yes No No No The number of user accounts that are members of the Domain Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Admins, Enterprise Admins or other highly-privileged security endpoints production environments as well or service
Services security group groups is minimised. as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1940 0 Sep-24 Yes Yes Yes Yes Yes No No No Service accounts are not members of the Domain Admins, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Enterprise Admins or other highly-privileged security groups. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1941 0 Sep-24 Yes Yes Yes Yes Yes No No No Computer accounts are not members of the Domain Admins, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain Enterprise Admins or other highly-privileged security groups. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1942 0 Sep-24 Yes Yes Yes Yes Yes No No No The Domain Computers security group is not a member of any Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain privileged or highly-privileged security groups. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1845 0 Mar-23 Yes Yes Yes Yes Yes No No No When a user account is disabled, it is removed from all security Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain group memberships. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1846 0 Mar-23 Yes Yes Yes Yes Yes No No No The Pre-Windows 2000 Compatible Access security group does not Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Domain contain user accounts. endpoints production environments as well or service
Services security group as customer systems Not Assessed Not Assessed Not Assessed
memberships

Guidelines for System Server application Microsoft Active ISM-1943 0 Sep-24 Yes Yes Yes Yes Yes No No No Strong mapping between certificates and users is enforced. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1944 0 Sep-24 Yes Yes Yes Yes Yes No No No The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is removed from Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate Microsoft AD CS CA configurations. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1945 0 Sep-24 Yes Yes Yes Yes Yes No No No The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is removed from Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate certificate templates. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1946 0 Sep-24 Yes Yes Yes Yes Yes No No No Unprivileged user accounts do not have write access to certificate Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate templates. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1947 0 Sep-24 Yes Yes Yes Yes Yes No No No Extended Key Usages that enable user authentication are removed. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1948 0 Sep-24 Yes Yes Yes Yes Yes No No No CA Certificate Manager approval is required for certificate Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Certificate templates that allow a Subject Alternative Name to be supplied. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Active ISM-1949 0 Sep-24 Yes Yes Yes Yes Yes No No No Microsoft AD FS servers are administered using a dedicated service Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening Directory Federation account that is not used to administer other systems. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
Services as customer systems
Guidelines for System Server application Microsoft Entra Connect ISM-1950 0 Sep-24 Yes Yes Yes Yes Yes No No No Soft matching between Microsoft AD DS and Microsoft Entra ID is Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening disabled following initial synchronisation activities. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Microsoft Entra Connect ISM-1951 0 Sep-24 Yes Yes Yes Yes Yes No No No Hard match takeover is disabled for Microsoft Entra Connect Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening servers. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Microsoft Entra Connect ISM-1952 0 Sep-24 Yes Yes Yes Yes Yes No No No Privileged user accounts are not synchronised between Microsoft Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening AD DS and Microsoft Entra ID. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Server application event ISM-1978 0 Dec-24 Yes Yes Yes Yes Yes No No No Security-relevant events for server applications on internet-facing Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening logging servers are centrally logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Server application Server application event ISM-1979 0 Dec-24 Yes Yes Yes Yes Yes No No No Security-relevant events for server applications on non-internet- Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardening logging facing servers are centrally logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Authenticating to ISM-1546 0 Aug-19 Yes Yes Yes Yes Yes No No No Users are authenticated before they are granted access to a system Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening systems and its resources. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Insecure authentication ISM-1603 0 Aug-20 Yes Yes Yes Yes Yes No No No Authentication methods susceptible to replay attacks are disabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening methods endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Insecure authentication ISM-1055 4 Oct-20 Yes Yes Yes Yes Yes No No No LAN Manager and NT LAN Manager authentication methods are Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening methods disabled. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1504 3 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication is used to authenticate users to their Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication organisation’s online services that process, store or communicate endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
their organisation’s sensitive data. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1679 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication is used to authenticate users to third- Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication party online services that process, store or communicate their endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
organisation’s sensitive data. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1680 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication (where available) is used to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication authenticate users to third-party online services that process, store endpoints production environments as well or service
or communicate their organisation’s non-sensitive data. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Authentication hardening Multi-factor ISM-1892 0 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication is used to authenticate users to their Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication organisation’s online customer services that process, store or endpoints production environments as well or service
communicate their organisation’s sensitive customer data. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Authentication hardening Multi-factor ISM-1893 0 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication is used to authenticate users to third- Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication party online customer services that process, store or communicate endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
their organisation’s sensitive customer data. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1681 3 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication is used to authenticate customers to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication online customer services that process, store or communicate endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
sensitive customer data. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1919 0 Jun-24 Yes Yes Yes Yes Yes No No No When multi-factor authentication is used to authenticate users or Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication customers to online services or online customer services, all other endpoints production environments as well or service
authentication protocols that do not support multi-factor as customer systems Not Assessed Not Assessed Not Assessed
authentication are disabled.

Guidelines for System Authentication hardening Multi-factor ISM-1173 4 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Multi-factor authentication is used to authenticate privileged users Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication of systems. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-0974 6 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Multi-factor authentication is used to authenticate unprivileged Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication users of systems. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1505 3 Dec-23 Yes Yes Yes Yes Yes No No Yes Multi-factor authentication is used to authenticate users of data Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication repositories. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1401 5 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Multi-factor authentication uses either: something users have and Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication something users know, or something users have that is unlocked by endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
something users know or are. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1872 1 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Multi-factor authentication used for authenticating users of online Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication services is phishing-resistant. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1873 1 Dec-23 Yes Yes Yes Yes Yes No Yes No Multi-factor authentication used for authenticating customers of Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication online customer services provides a phishing-resistant option. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1874 1 Dec-23 Yes Yes Yes Yes Yes No No Yes Multi-factor authentication used for authenticating customers of Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication online customer services is phishing-resistant. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1682 3 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Multi-factor authentication used for authenticating users of Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication systems is phishing-resistant. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1894 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Multi-factor authentication used for authenticating users of data Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication repositories is phishing-resistant. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1559 3 Dec-24 Yes Yes Yes No No No No No Memorised secrets used for multi-factor authentication on non- Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication classified, OFFICIAL: Sensitive and PROTECTED systems are a endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
minimum of 6 characters. as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1560 2 Mar-22 No No No Yes No No No No Memorised secrets used for multi-factor authentication on SECRET Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication systems are a minimum of 8 characters. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1561 2 Mar-22 No No No No Yes No No No Memorised secrets used for multi-factor authentication on TOP Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication SECRET systems are a minimum of 10 characters. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Multi-factor ISM-1920 0 Jun-24 Yes Yes Yes Yes Yes No No No When multi-factor authentication is used to authenticate users to Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication online services, online customer services, systems or data endpoints production environments as well or service
repositories – that process, store or communicate their as customer systems
organisation’s sensitive data or sensitive customer data – users are Not Assessed Not Assessed Not Assessed
prevented from self-enrolling into multi-factor authentication from
untrustworthy devices.

Guidelines for System Authentication hardening Multi-factor ISM-1683 2 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Successful and unsuccessful multi-factor authentication events are Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication centrally logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Single-factor ISM-0417 5 Oct-19 Yes Yes Yes Yes Yes No No No When systems cannot support multi-factor authentication, single- Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication factor authentication using passphrases is implemented instead. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Single-factor ISM-0421 10 Dec-24 Yes Yes Yes No No No No No Passphrases used for single-factor authentication on non-classified, Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication OFFICIAL: Sensitive and PROTECTED systems are at least 4 random endpoints production environments as well or service
words with a total minimum length of 15 characters. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Authentication hardening Single-factor ISM-1557 2 Dec-21 No No No Yes No No No No Passphrases used for single-factor authentication on SECRET Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication systems are at least 5 random words with a total minimum length endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
of 17 characters. as customer systems
Guidelines for System Authentication hardening Single-factor ISM-0422 8 Dec-21 No No No No Yes No No No Passphrases used for single-factor authentication on TOP SECRET Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication systems are at least 6 random words with a total minimum length endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
of 20 characters. as customer systems
Guidelines for System Authentication hardening Single-factor ISM-1558 2 Mar-22 Yes Yes Yes Yes Yes No No No Passphrases used for single-factor authentication are not a list of Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication categorised words; do not form a real sentence in a natural endpoints production environments as well or service
language; and are not constructed from song lyrics, movies, as customer systems Not Assessed Not Assessed Not Assessed
literature or any other publicly available material.

Guidelines for System Authentication hardening Single-factor ISM-1895 0 Dec-23 Yes Yes Yes Yes Yes No No No Successful and unsuccessful single-factor authentication events are Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening authentication centrally logged. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Setting credentials for ISM-1593 1 Mar-22 Yes Yes Yes Yes Yes No No No Users provide sufficient evidence to verify their identity when Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening user accounts requesting new credentials. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Setting credentials for ISM-1227 5 Mar-22 Yes Yes Yes Yes Yes No No No Credentials set for user accounts are randomly generated. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening user accounts endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Setting credentials for ISM-1594 1 Mar-22 Yes Yes Yes Yes Yes No No No Credentials are provided to users via a secure communications Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening user accounts channel or, if not possible, split into two parts with one part endpoints production environments as well or service
provided to users and the other part provided to supervisors. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Authentication hardening Setting credentials for ISM-1595 1 Mar-22 Yes Yes Yes Yes Yes No No No Credentials provided to users are changed on first use. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening user accounts endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Setting credentials for ISM-1596 2 Dec-22 Yes Yes Yes Yes Yes No No No Credentials, in the form of memorised secrets, are not reused by Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening user accounts users across different systems. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Setting credentials for ISM-1953 0 Sep-24 Yes Yes Yes Yes Yes No No No Credentials for the built-in Administrator account in each domain Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening built-in Administrator are long, unique, unpredictable and managed. endpoints production environments as well or service
accounts, break glass as customer systems
accounts, local
administrator accounts Not Assessed Not Assessed Not Assessed
and service accounts

Guidelines for System Authentication hardening Setting credentials for ISM-1685 2 Jun-23 Yes Yes Yes Yes Yes No Yes Yes Credentials for break glass accounts, local administrator accounts Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening built-in Administrator and service accounts are long, unique, unpredictable and endpoints production environments as well or service
accounts, break glass managed. as customer systems
accounts, local
administrator accounts Not Assessed Not Assessed Not Assessed
and service accounts
Guidelines for System Authentication hardening Setting credentials for ISM-1795 2 Sep-24 Yes Yes Yes Yes Yes No No No Credentials for built-in Administrator accounts, break glass Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening built-in Administrator accounts, local administrator accounts and service accounts are a endpoints production environments as well or service
accounts, break glass minimum of 30 characters. as customer systems
accounts, local
administrator accounts Not Assessed Not Assessed Not Assessed
and service accounts

Guidelines for System Authentication hardening Setting credentials for ISM-1954 0 Sep-24 Yes Yes Yes Yes Yes No No No Credentials for built-in Administrator accounts, break glass Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening built-in Administrator accounts, local administrator accounts and service accounts are endpoints production environments as well or service
accounts, break glass randomly generated. as customer systems
accounts, local
administrator accounts Not Assessed Not Assessed Not Assessed
and service accounts

Guidelines for System Authentication hardening Setting credentials for ISM-1619 0 Oct-20 Yes Yes Yes Yes Yes No No No Service accounts are created as group Managed Service Accounts. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening built-in Administrator endpoints production environments as well or service
accounts, break glass as customer systems
accounts, local
administrator accounts Not Assessed Not Assessed Not Assessed
and service accounts

Guidelines for System Authentication hardening Changing credentials ISM-1590 3 Sep-24 Yes Yes Yes Yes Yes No No No Credentials for user accounts are changed if: Applicable Applicable to common cloud Applicable if different per system
Hardening • they are compromised production environments as well or service
• they are suspected of being compromised as customer systems
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the
clear Not Assessed Not Assessed Not Assessed
• membership of a shared user account changes
• they have not been changed in the past 12 months.

Guidelines for System Authentication hardening Changing credentials ISM-1955 0 Sep-24 Yes Yes Yes Yes Yes No No No Credentials for computer accounts are changed if: Applicable Applicable to common cloud Applicable if different per system
Hardening • they are compromised production environments as well or service
• they are suspected of being compromised as customer systems Not Assessed Not Assessed Not Assessed
• they have not been changed in the past 30 days.

Guidelines for System Authentication hardening Changing credentials ISM-1847 0 Mar-23 Yes Yes Yes Yes Yes No No No Credentials for the Kerberos Key Distribution Center’s service Applicable Applicable to common cloud Applicable if different per system
Hardening account (KRBTGT) are changed twice, allowing for replication to all production environments as well or service
Microsoft AD DS domain controllers in-between each change, if: as customer systems
• the domain has been directly compromised
• the domain is suspected of being compromised Not Assessed Not Assessed Not Assessed
• they have not been changed in the past 12 months.

Guidelines for System Authentication hardening Changing credentials ISM-1956 0 Sep-24 Yes Yes Yes Yes Yes No No No Microsoft AD FS token-signing and encryption certificates are Applicable Applicable to common cloud Applicable if different per system
Hardening changed twice in quick succession if: production environments as well or service
• they are compromised as customer systems
• they are suspected of being compromised Not Assessed Not Assessed Not Assessed
• they have not been changed in the past 12 months.

Guidelines for System Authentication hardening Protecting credentials ISM-1597 0 Aug-20 Yes Yes Yes Yes Yes No No No Credentials are obscured as they are entered into systems. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1980 0 Dec-24 Yes Yes Yes Yes Yes No No No Credential hint functionality is not used for systems. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-0418 7 Dec-24 Yes Yes Yes Yes Yes No No No Physical credentials are kept separate from systems they are used Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening to authenticate to, except for when performing authentication endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
activities. as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1402 6 Mar-22 Yes Yes Yes Yes Yes No No No Credentials stored on systems are protected by a password Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening manager; a hardware security module; or by salting, hashing and endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
stretching them before storage within a database. as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1957 0 Sep-24 Yes Yes Yes Yes Yes No No No Private keys for Microsoft AD CS CA servers are protected by a Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening hardware security module. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1896 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Memory integrity functionality is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1861 2 Dec-23 Yes Yes Yes Yes Yes No No Yes Local Security Authority protection functionality is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1686 1 Dec-23 Yes Yes Yes Yes Yes No No Yes Credential Guard functionality is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1897 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Remote Credential Guard functionality is enabled. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1749 0 Mar-22 Yes Yes Yes Yes Yes No No No Cached credentials are limited to one previous logon. Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Protecting credentials ISM-1875 0 Sep-23 Yes Yes Yes Yes Yes No No No Networks are scanned at least monthly to identify any credentials Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening that are being stored in the clear. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening User account lockouts ISM-1403 4 Dec-24 Yes Yes Yes Yes Yes No No No User accounts, except for break glass accounts, are locked out after Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening a maximum of five failed logon attempts. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Authentication hardening Session termination ISM-0853 3 Sep-22 Yes Yes Yes Yes Yes No No No On a daily basis, outside of business hours and after an appropriate Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening period of inactivity, user sessions are terminated and workstations endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
are restarted. as customer systems
Guidelines for System Authentication hardening Session and screen ISM-0428 9 Dec-22 Yes Yes Yes Yes Yes No No No Systems are configured with a session or screen lock that: Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening locking • activates after a maximum of 15 minutes of user inactivity, or if endpoints production environments as well or service
manually activated by users as customer systems
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state
before the session or screen lock is activated Not Assessed Not Assessed Not Assessed
• requires users to authenticate to unlock the session
• denies users the ability to disable the session or screen locking
mechanism.

Guidelines for System Authentication hardening Logon banner ISM-0408 5 Sep-23 Yes Yes Yes Yes Yes No No No Systems have a logon banner that reminds users of their security Applicable to administrative Applicable to common cloud Applicable if different per system
Hardening responsibilities when accessing the system and its resources. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System Virtualisation hardening Functional separation ISM-1460 4 Mar-23 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, the isolation mechanism is from a production environments as well or service
environments vendor that has demonstrated a commitment to secure-by-design as customer systems
and secure-by-default principles, use of memory-safe programming
languages where possible, secure programming practices, and Not Assessed Not Assessed Not Assessed
maintaining the security of their products.

Guidelines for System Virtualisation hardening Functional separation ISM-1604 0 Aug-20 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, the configuration of the isolation production environments as well or service
environments mechanism is hardened by removing unneeded functionality and as customer systems
restricting access to the administrative interface used to manage Not Assessed Not Assessed Not Assessed
the isolation mechanism.

Guidelines for System Virtualisation hardening Functional separation ISM-1605 1 Mar-22 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, the underlying operating system is production environments as well or service Not Assessed Not Assessed Not Assessed
environments hardened. as customer systems
Guidelines for System Virtualisation hardening Functional separation ISM-1606 2 Sep-23 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, patches, updates or vendor mitigations production environments as well or service
environments for vulnerabilities are applied to the isolation mechanism and as customer systems
underlying operating system in a timely manner. Not Assessed Not Assessed Not Assessed

Guidelines for System Virtualisation hardening Functional separation ISM-1848 0 Mar-23 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, the isolation mechanism or underlying production environments as well or service
environments operating system is replaced when it is no longer supported by a as customer systems Not Assessed Not Assessed Not Assessed
vendor.

Guidelines for System Virtualisation hardening Functional separation ISM-1607 1 Dec-24 Yes Yes Yes Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware, integrity monitoring and centralised production environments as well or service
environments event logging is performed for the isolation mechanism and as customer systems Not Assessed Not Assessed Not Assessed
underlying operating system.
Guidelines for System Virtualisation hardening Functional separation ISM-1461 5 Mar-22 No No No Yes Yes No No No When using a software-based isolation mechanism to share a Applicable Applicable to common cloud Applicable if different per system
Hardening between computing physical server’s hardware for SECRET or TOP SECRET computing production environments as well or service
environments environments, the physical server and all computing environments as customer systems
are of the same classification and belong to the same security Not Assessed Not Assessed Not Assessed
domain.

Guidelines for System System administration System administration ISM-0042 6 Dec-22 Yes Yes Yes Yes Yes No No No System administration processes, and supporting system Applicable to administrative Applicable to common cloud Applicable if different per system
Management processes and administration procedures, are developed, implemented and endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
procedures maintained. as customer systems
Guidelines for System System administration System administration ISM-1211 5 Mar-22 Yes Yes Yes Yes Yes No No No System administrators document requirements for administrative Not applicable as the context of Applicable to common cloud Applicable if different per system
Management processes and activities, consider potential security impacts, obtain any necessary the control is changes in cloud production environments as well or service
procedures approvals, notify users of any disruptions or outages, and maintain infrastructure as customer systems
system and security documentation. Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1898 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Secure Admin Workstations are used in the performance of Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments administrative activities. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1380 5 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Privileged users use separate privileged and unprivileged operating Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments environments. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1687 0 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Privileged operating environments are not virtualised within Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments unprivileged operating environments. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1688 1 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Unprivileged user accounts cannot logon to privileged operating Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments environments. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1689 1 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Privileged user accounts (excluding local administrator accounts) Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments cannot logon to unprivileged operating environments. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Separate privileged ISM-1958 0 Sep-24 Yes Yes Yes Yes Yes No No No User accounts with DCSync permissions cannot logon to Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management operating environments unprivileged operating environments. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Administrative ISM-1385 4 Jun-23 Yes Yes Yes Yes Yes No No No Administrative infrastructure is segregated from the wider network Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management infrastructure and the internet. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Administrative ISM-1750 0 Mar-22 Yes Yes Yes Yes Yes No No No Administrative infrastructure for critical servers, high-value servers Applicable to administrative Not applicable as it relates to the Applicable if different per system
Management infrastructure and regular servers is segregated from each other. endpoints administration environment or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Administrative ISM-1386 5 Mar-22 Yes Yes Yes Yes Yes No No No Network management traffic can only originate from Not applicable as it is covered by Applicable to jump server Applicable if different per system
Management infrastructure administrative infrastructure. jump server configurations configurations or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Administrative ISM-1387 2 Sep-21 Yes Yes Yes Yes Yes No Yes Yes Administrative activities are conducted through jump servers. Not applicable as it is covered by Applicable to jump server Applicable if different per system
Management infrastructure jump server configurations configurations or service Not Assessed Not Assessed Not Assessed

Guidelines for System System administration Administrative ISM-1899 0 Dec-23 Yes Yes Yes Yes Yes No No No Network devices that do not belong to administrative Not applicable as it is covered by Applicable to jump server Applicable if different per system
Management infrastructure infrastructure cannot initiate connections with administrative jump server configurations configurations or service Not Assessed Not Assessed Not Assessed
infrastructure.
Guidelines for System System patching Patch management ISM-1143 9 Dec-22 Yes Yes Yes Yes Yes No No No Patch management processes, and supporting patch management Applicable to administrative Applicable to common cloud Applicable if different per system
Management processes and procedures, are developed, implemented and maintained. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
procedures as customer systems
Guidelines for System System patching Patch management ISM-0298 8 Mar-22 Yes Yes Yes Yes Yes No No No A centralised and managed approach that maintains the integrity Applicable to administrative Applicable to common cloud Applicable if different per system
Management processes and of patches or updates, and confirms that they have been applied endpoints production environments as well or service
procedures successfully, is used to patch or update applications, operating as customer systems Not Assessed Not Assessed Not Assessed
systems, drivers and firmware.

Guidelines for System System patching Software register ISM-1493 6 Dec-24 Yes Yes Yes Yes Yes No No No Software registers for workstations, servers, network devices and Applicable to administrative Applicable to common cloud Applicable if different per system
Management networked IT equipment are developed, implemented, maintained endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
and verified on a regular basis. as customer systems
Guidelines for System System patching Software register ISM-1643 0 Jun-21 Yes Yes Yes Yes Yes No No No Software registers contain versions and patch histories of Applicable to administrative Applicable to common cloud Applicable if different per system
Management applications, drivers, operating systems and firmware. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1807 0 Dec-22 Yes Yes Yes Yes Yes Yes Yes Yes An automated method of asset discovery is used at least fortnightly Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities to support the detection of assets for subsequent vulnerability endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
scanning activities. as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1808 0 Dec-22 Yes Yes Yes Yes Yes Yes Yes Yes A vulnerability scanner with an up-to-date vulnerability database is Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities used for vulnerability scanning activities. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1698 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes A vulnerability scanner is used at least daily to identify missing Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities patches or updates for vulnerabilities in online services. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1699 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes A vulnerability scanner is used at least weekly to identify missing Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities patches or updates for vulnerabilities in office productivity suites, endpoints production environments as well or service
web browsers and their extensions, email clients, PDF software, as customer systems Not Assessed Not Assessed Not Assessed
and security products.

Guidelines for System System patching Scanning for unmitigated ISM-1700 2 Sep-23 Yes Yes Yes Yes Yes No Yes Yes A vulnerability scanner is used at least fortnightly to identify Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities missing patches or updates for vulnerabilities in applications other endpoints production environments as well or service
than office productivity suites, web browsers and their extensions, as customer systems
email clients, PDF software, and security products. Not Assessed Not Assessed Not Assessed

Guidelines for System System patching Scanning for unmitigated ISM-1701 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes A vulnerability scanner is used at least daily to identify missing Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities patches or updates for vulnerabilities in operating systems of endpoints production environments as well or service
internet-facing servers and internet-facing network devices. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System System patching Scanning for unmitigated ISM-1702 2 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes A vulnerability scanner is used at least fortnightly to identify Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities missing patches or updates for vulnerabilities in operating systems endpoints production environments as well or service
of workstations, non-internet-facing servers and non-internet- as customer systems Not Assessed Not Assessed Not Assessed
facing network devices.

Guidelines for System System patching Scanning for unmitigated ISM-1752 4 Jun-24 Yes Yes Yes Yes Yes No No No A vulnerability scanner is used at least fortnightly to identify Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities missing patches or updates for vulnerabilities in operating systems endpoints production environments as well or service
of IT equipment other than workstations, servers and network as customer systems Not Assessed Not Assessed Not Assessed
devices.

Guidelines for System System patching Scanning for unmitigated ISM-1703 2 Dec-23 Yes Yes Yes Yes Yes No No Yes A vulnerability scanner is used at least fortnightly to identify Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities missing patches or updates for vulnerabilities in drivers. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1900 0 Dec-23 Yes Yes Yes Yes Yes No No Yes A vulnerability scanner is used at least fortnightly to identify Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities missing patches or updates for vulnerabilities in firmware. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Scanning for unmitigated ISM-1921 0 Jun-24 Yes Yes Yes Yes Yes No No No The likelihood of system compromise is frequently assessed when Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities working exploits exist for unmitigated vulnerabilities. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Mitigating known ISM-1876 0 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities online services are applied within 48 hours of release when endpoints production environments as well or service
vulnerabilities are assessed as critical by vendors or when working as customer systems Not Assessed Not Assessed Not Assessed
exploits exist.

Guidelines for System System patching Mitigating known ISM-1690 2 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities online services are applied within two weeks of release when endpoints production environments as well or service
vulnerabilities are assessed as non-critical by vendors and no as customer systems Not Assessed Not Assessed Not Assessed
working exploits exist.

Guidelines for System System patching Mitigating known ISM-1691 1 Sep-23 Yes Yes Yes Yes Yes Yes Yes No Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities office productivity suites, web browsers and their extensions, email endpoints production environments as well or service
clients, PDF software, and security products are applied within two as customer systems Not Assessed Not Assessed Not Assessed
weeks of release.

Guidelines for System System patching Mitigating known ISM-1692 1 Sep-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities office productivity suites, web browsers and their extensions, email endpoints production environments as well or service
clients, PDF software, and security products are applied within 48 as customer systems
hours of release when vulnerabilities are assessed as critical by Not Assessed Not Assessed Not Assessed
vendors or when working exploits exist.

Guidelines for System System patching Mitigating known ISM-1901 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities office productivity suites, web browsers and their extensions, email endpoints production environments as well or service
clients, PDF software, and security products are applied within two as customer systems
weeks of release when vulnerabilities are assessed as non-critical Not Assessed Not Assessed Not Assessed
by vendors and no working exploits exist.

Guidelines for System System patching Mitigating known ISM-1693 2 Sep-23 Yes Yes Yes Yes Yes No Yes Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities applications other than office productivity suites, web browsers endpoints production environments as well or service
and their extensions, email clients, PDF software, and security as customer systems
products are applied within one month of release. Not Assessed Not Assessed Not Assessed
Guidelines for System System patching Mitigating known ISM-1877 0 Sep-23 Yes Yes Yes Yes Yes Yes Yes Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of internet-facing servers and internet-facing endpoints production environments as well or service
network devices are applied within 48 hours of release when as customer systems
vulnerabilities are assessed as critical by vendors or when working Not Assessed Not Assessed Not Assessed
exploits exist.

Guidelines for System System patching Mitigating known ISM-1694 2 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of internet-facing servers and internet-facing endpoints production environments as well or service
network devices are applied within two weeks of release when as customer systems
vulnerabilities are assessed as non-critical by vendors and no Not Assessed Not Assessed Not Assessed
working exploits exist.

Guidelines for System System patching Mitigating known ISM-1695 2 Dec-23 Yes Yes Yes Yes Yes Yes Yes No Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of workstations, non-internet-facing servers and endpoints production environments as well or service
non-internet-facing network devices are applied within one month as customer systems Not Assessed Not Assessed Not Assessed
of release.

Guidelines for System System patching Mitigating known ISM-1696 1 Sep-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of workstations, non-internet-facing servers and endpoints production environments as well or service
non-internet-facing network devices are applied within 48 hours of as customer systems
release when vulnerabilities are assessed as critical by vendors or Not Assessed Not Assessed Not Assessed
when working exploits exist.

Guidelines for System System patching Mitigating known ISM-1902 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of workstations, non-internet-facing servers and endpoints production environments as well or service
non-internet-facing network devices are applied within one month as customer systems
of release when vulnerabilities are assessed as non-critical by Not Assessed Not Assessed Not Assessed
vendors and no working exploits exist.

Guidelines for System System patching Mitigating known ISM-1878 1 Jun-24 Yes Yes Yes Yes Yes No No No Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of IT equipment other than workstations, endpoints production environments as well or service
servers and network devices are applied within 48 hours of release as customer systems
when vulnerabilities are assessed as critical by vendors or when Not Assessed Not Assessed Not Assessed
working exploits exist.

Guidelines for System System patching Mitigating known ISM-1751 4 Jun-24 Yes Yes Yes Yes Yes No No No Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities operating systems of IT equipment other than workstations, endpoints production environments as well or service
servers and network devices are applied within one month of as customer systems
release when vulnerabilities are assessed as non-critical by vendors Not Assessed Not Assessed Not Assessed
and no working exploits exist.

Guidelines for System System patching Mitigating known ISM-1879 1 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities drivers are applied within 48 hours of release when vulnerabilities endpoints production environments as well or service
are assessed as critical by vendors or when working exploits exist. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System System patching Mitigating known ISM-1697 2 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities drivers are applied within one month of release when endpoints production environments as well or service
vulnerabilities are assessed as non-critical by vendors and no as customer systems Not Assessed Not Assessed Not Assessed
working exploits exist.

Guidelines for System System patching Mitigating known ISM-1903 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities firmware are applied within 48 hours of release when endpoints production environments as well or service
vulnerabilities are assessed as critical by vendors or when working as customer systems Not Assessed Not Assessed Not Assessed
exploits exist.

Guidelines for System System patching Mitigating known ISM-1904 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities firmware are applied within one month of release when endpoints production environments as well or service
vulnerabilities are assessed as non-critical by vendors and no as customer systems Not Assessed Not Assessed Not Assessed
working exploits exist.

Guidelines for System System patching Mitigating known ISM-0300 10 Jun-24 No No No Yes Yes No No No Patches, updates or other vendor mitigations for vulnerabilities in Applicable to administrative Applicable to common cloud Applicable if different per system
Management vulnerabilities high assurance IT equipment are applied only when approved by endpoints production environments as well or service
ASD, and in doing so, using methods and timeframes prescribed by as customer systems Not Assessed Not Assessed Not Assessed
ASD.

Guidelines for System System patching Cessation of support ISM-1905 0 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Online services that are no longer supported by vendors are Applicable to administrative Applicable to common cloud Applicable if different per system
Management removed. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Cessation of support ISM-1704 2 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Office productivity suites, web browsers and their extensions, Applicable to administrative Applicable to common cloud Applicable if different per system
Management email clients, PDF software, Adobe Flash Player, and security endpoints production environments as well or service
products that are no longer supported by vendors are removed. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System System patching Cessation of support ISM-0304 7 Dec-23 Yes Yes Yes Yes Yes No No Yes Applications other than office productivity suites, web browsers Applicable to administrative Applicable to common cloud Applicable if different per system
Management and their extensions, email clients, PDF software, Adobe Flash endpoints production environments as well or service
Player, and security products that are no longer supported by as customer systems Not Assessed Not Assessed Not Assessed
vendors are removed.

Guidelines for System System patching Cessation of support ISM-1501 1 Sep-21 Yes Yes Yes Yes Yes Yes Yes Yes Operating systems that are no longer supported by vendors are Applicable to administrative Applicable to common cloud Applicable if different per system
Management replaced. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Cessation of support ISM-1753 2 Dec-24 Yes Yes Yes Yes Yes No No No Internet-facing network devices that are no longer supported by Applicable to administrative Applicable to common cloud Applicable if different per system
Management vendors are replaced. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Cessation of support ISM-1981 0 Dec-24 Yes Yes Yes Yes Yes No No No Non-internet-facing network devices that are no longer supported Applicable to administrative Applicable to common cloud Applicable if different per system
Management by vendors are replaced. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Cessation of support ISM-1982 0 Dec-24 Yes Yes Yes Yes Yes No No No Networked IT equipment that is no longer supported by vendors is Applicable to administrative Applicable to common cloud Applicable if different per system
Management replaced. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for System System patching Cessation of support ISM-1809 2 Dec-24 Yes Yes Yes Yes Yes No No No When applications, operating systems, network devices or Applicable to administrative Applicable to common cloud Applicable if different per system
Management networked IT equipment that are no longer supported by vendors endpoints production environments as well or service
cannot be immediately removed or replaced, compensating as customer systems
controls are implemented until such time that they can be Not Assessed Not Assessed Not Assessed
removed or replaced.

Guidelines for System Data backup and Digital preservation ISM-1510 2 Dec-22 Yes Yes Yes Yes Yes No No No A digital preservation policy is developed, implemented and Not applicable as it is a Not applicable as it is a Not applicable as it is a
Management restoration policy maintained. Government responsibility Government responsibility Government responsibility Not Assessed Not Assessed Not Assessed
Guidelines for System Data backup and Data backup and ISM-1547 2 Dec-22 Yes Yes Yes Yes Yes No No No Data backup processes, and supporting data backup procedures, Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration restoration processes and are developed, implemented and maintained. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
procedures cloud infrastructure as customer systems
Guidelines for System Data backup and Data backup and ISM-1548 2 Dec-22 Yes Yes Yes Yes Yes No No No Data restoration processes, and supporting data restoration Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration restoration processes and procedures, are developed, implemented and maintained. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
procedures cloud infrastructure as customer systems
Guidelines for System Data backup and Performing and retaining ISM-1511 4 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Backups of data, applications and settings are performed and Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration backups retained in accordance with business criticality and business the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
continuity requirements. cloud infrastructure as customer systems
Guidelines for System Data backup and Performing and retaining ISM-1810 1 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Backups of data, applications and settings are synchronised to Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration backups enable restoration to a common point in time. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Performing and retaining ISM-1811 1 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Backups of data, applications and settings are retained in a secure Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration backups and resilient manner. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup access ISM-1812 1 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Unprivileged user accounts cannot access backups belonging to Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration other user accounts. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup access ISM-1813 1 Sep-24 Yes Yes Yes Yes Yes No No Yes Unprivileged user accounts cannot access their own backups. Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup access ISM-1705 2 Sep-24 Yes Yes Yes Yes Yes No Yes Yes Privileged user accounts (excluding backup administrator accounts) Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration cannot access backups belonging to other user accounts. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup access ISM-1706 2 Sep-24 Yes Yes Yes Yes Yes No No Yes Privileged user accounts (excluding backup administrator accounts) Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration cannot access their own backups. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup modification and ISM-1814 1 Sep-24 Yes Yes Yes Yes Yes Yes Yes Yes Unprivileged user accounts are prevented from modifying and Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration deletion deleting backups. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup modification and ISM-1707 2 Sep-24 Yes Yes Yes Yes Yes No Yes Yes Privileged user accounts (excluding backup administrator accounts) Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration deletion are prevented from modifying and deleting backups. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Backup modification and ISM-1708 2 Dec-23 Yes Yes Yes Yes Yes No No Yes Backup administrator accounts are prevented from modifying and Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration deletion deleting backups during their retention period. the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
cloud infrastructure as customer systems
Guidelines for System Data backup and Testing restoration of ISM-1515 4 Dec-23 Yes Yes Yes Yes Yes Yes Yes Yes Restoration of data, applications and settings from backups to a Not applicable as the context of Applicable to common cloud Applicable if different per system
Management restoration backups common point in time is tested as part of disaster recovery the control is critical data in production environments as well or service Not Assessed Not Assessed Not Assessed
exercises. cloud infrastructure as customer systems
Guidelines for System Event logging and Event logging policy ISM-0580 7 Dec-22 Yes Yes Yes Yes Yes No No No An event logging policy is developed, implemented and maintained. Not applicable as the context of Applicable to the governance of Applicable if different per system
Monitoring monitoring the control is customer logging in the CSP or service
cloud infrastructure Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-1405 4 Dec-24 Yes Yes Yes Yes Yes No No No A centralised event logging facility is implemented. Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-1983 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs sent to a centralised event logging facility are done so as Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility soon as possible after they occur. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-1984 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs sent to a centralised event logging facility are encrypted Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility in transit. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-1985 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs are protected from unauthorised access. Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-1815 1 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Event logs are protected from unauthorised modification and Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility deletion. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Centralised event logging ISM-0988 7 Sep-24 Yes Yes Yes Yes Yes No No No An accurate and consistent time source is used for event logging. Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring facility the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log details ISM-0585 6 Jun-24 Yes Yes Yes Yes Yes No No No For each event logged, the date and time of the event, the relevant Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring user or process, the relevant filename, the event description, and the control is customer logging in production environments as well or service
the information technology equipment involved are recorded. cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log details ISM-1959 0 Sep-24 Yes Yes Yes Yes Yes No No No To the extent possible, event logs are captured and stored in a Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring consistent and structured format. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1986 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs from critical servers are analysed in a timely manner to Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1906 0 Dec-23 Yes Yes Yes Yes Yes No Yes Yes Event logs from internet-facing servers are analysed in a timely Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring manner to detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1907 0 Dec-23 Yes Yes Yes Yes Yes No No Yes Event logs from non-internet-facing servers are analysed in a Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring timely manner to detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-0109 9 Dec-23 Yes Yes Yes Yes Yes No No Yes Event logs from workstations are analysed in a timely manner to Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1987 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs from security products are analysed in a timely manner Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring to detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1960 0 Sep-24 Yes Yes Yes Yes Yes No No No Event logs from internet-facing network devices are analysed in a Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring timely manner to detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1961 0 Sep-24 Yes Yes Yes Yes Yes No No No Event logs from non-internet-facing network devices are analysed Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring in a timely manner to detect cyber security events. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log monitoring ISM-1228 3 Mar-22 Yes Yes Yes Yes Yes No Yes Yes Cyber security events are analysed in a timely manner to identify Not applicable as the context of Applicable to common cloud Applicable if different per system
Monitoring monitoring cyber security incidents. the control is customer logging in production environments as well or service
cloud infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log retention ISM-1988 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs are retained in a searchable manner for at least 12 Not applicable as the context of Not applicable as it relates to Applicable if different per system
Monitoring monitoring months. the control is customer logging in customer systems or service
cloud infrastructure Not Assessed Not Assessed Not Assessed

Guidelines for System Event logging and Event log retention ISM-1989 0 Dec-24 Yes Yes Yes Yes Yes No No No Event logs are retained as per minimum retention requirements for Not applicable as the context of Not applicable as it relates to Applicable if different per system
Monitoring monitoring various classes of records as set out by the National Archives of the control is customer logging in customer systems or service
Australia’s Administrative Functions Disposal Authority Express cloud infrastructure
(AFDA Express) Version 2 publication. Not Assessed Not Assessed Not Assessed

Guidelines for Software Application development Development, testing and ISM-0400 5 Aug-20 Yes Yes Yes Yes Yes No No No Development, testing and production environments are Applicable Applicable to common cloud Applicable if different per system
Development production environments segregated. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Development, testing and ISM-1419 1 Sep-18 Yes Yes Yes Yes Yes No No No Development and modification of software only takes place in Applicable Applicable to common cloud Applicable if different per system
Development production environments development environments. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Development, testing and ISM-1420 4 Mar-22 Yes Yes Yes Yes Yes No No No Data from production environments is not used in a development Applicable Applicable to common cloud Applicable if different per system
Development production environments or testing environment unless the environment is secured to the production environments as well or service Not Assessed Not Assessed Not Assessed
same level as the production environment. as customer systems
Guidelines for Software Application development Development, testing and ISM-1422 3 Sep-18 Yes Yes Yes Yes Yes No No No Unauthorised access to the authoritative source for software is Applicable Applicable to common cloud Applicable if different per system
Development production environments prevented. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Development, testing and ISM-1816 0 Dec-22 Yes Yes Yes Yes Yes No No No Unauthorised modification of the authoritative source for software Applicable Applicable to common cloud Applicable if different per system
Development production environments is prevented. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Secure software design ISM-0401 6 Mar-23 Yes Yes Yes Yes Yes No No No Secure-by-design and secure-by-default principles, use of memory- Applicable Applicable to common cloud Applicable if different per system
Development and development safe programming languages where possible, and secure production environments as well or service
programming practices are used as part of application as customer systems Not Assessed Not Assessed Not Assessed
development.

Guidelines for Software Application development Secure software design ISM-1780 0 Jun-22 Yes Yes Yes Yes Yes No No No SecDevOps practices are used for application development. Applicable Applicable to common cloud Applicable if different per system
Development and development production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Secure software design ISM-1238 4 Mar-22 Yes Yes Yes Yes Yes No No No Threat modelling is used in support of application development. Applicable Applicable to common cloud Applicable if different per system
Development and development production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Secure software design ISM-1922 0 Jun-24 Yes Yes Yes Yes Yes No No No The Open Worldwide Application Security Project (OWASP) Mobile Not applicable as the context of Applicable to common cloud Applicable if different per system
Development and development Application Security Verification Standard is used in the the control is mobile application production environments as well or service
development of mobile applications. frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Application development Secure software design ISM-1923 0 Jun-24 Yes Yes Yes Yes Yes No No No The OWASP Top 10 for Large Language Model Applications are Not applicable as the context of Applicable to common cloud Applicable if different per system
Development and development mitigated in the development of large language model the control is large language production environments as well or service
applications. model application frameworks in as customer systems
cloud infrastructure Not Assessed Not Assessed Not Assessed

Guidelines for Software Application development Secure software design ISM-1924 0 Jun-24 Yes Yes Yes Yes Yes No No No Large language model applications evaluate the sentence Not applicable as the context of Applicable to common cloud Applicable if different per system
Development and development perplexity of user prompts to detect and mitigate adversarial the control is large language production environments as well or service
suffixes designed to assist in the generation of sensitive or harmful model application frameworks in as customer systems
content. cloud infrastructure Not Assessed Not Assessed Not Assessed

Guidelines for Software Application development Secure software design ISM-1796 0 Sep-22 Yes Yes Yes Yes Yes No No No Files containing executable content are digitally signed as part of Applicable Applicable to common cloud Applicable if different per system
Development and development application development. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Secure software design ISM-1797 0 Sep-22 Yes Yes Yes Yes Yes No No No Installers, patches and updates are digitally signed or provided with Applicable Applicable to common cloud Applicable if different per system
Development and development cryptographic checksums as part of application development. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Secure software design ISM-1798 0 Sep-22 Yes Yes Yes Yes Yes No No No Secure configuration guidance is produced as part of application Applicable Applicable to common cloud Applicable if different per system
Development and development development. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Software bill of materials ISM-1730 0 Dec-21 Yes Yes Yes Yes Yes No No No A software bill of materials is produced and made available to Applicable Applicable to common cloud Applicable if different per system
Development consumers of software. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Application security ISM-0402 7 Jun-24 Yes Yes Yes Yes Yes No No No Applications are comprehensively tested for vulnerabilities, using Applicable Applicable to common cloud Applicable if different per system
Development testing static application security testing and dynamic application security production environments as well or service
testing, prior to their initial release and any subsequent releases. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Software Application development Vulnerability disclosure ISM-1616 0 Aug-20 Yes Yes Yes Yes Yes No No No A vulnerability disclosure program is implemented to assist with Applicable Applicable to common cloud Applicable if different per system
Development program the secure development and maintenance of products and production environments as well or service Not Assessed Not Assessed Not Assessed
services. as customer systems
Guidelines for Software Application development Vulnerability disclosure ISM-1755 1 Dec-22 Yes Yes Yes Yes Yes No No No A vulnerability disclosure policy is developed, implemented and Applicable Applicable to common cloud Applicable if different per system
Development program maintained. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Vulnerability disclosure ISM-1756 1 Dec-22 Yes Yes Yes Yes Yes No No No Vulnerability disclosure processes, and supporting vulnerability Applicable Applicable to common cloud Applicable if different per system
Development program disclosure procedures, are developed, implemented and production environments as well or service Not Assessed Not Assessed Not Assessed
maintained. as customer systems
Guidelines for Software Application development Vulnerability disclosure ISM-1717 3 Sep-24 Yes Yes Yes Yes Yes No No No A ‘security.txt’ file is hosted for each of an organisation’s internet- Applicable Applicable to common cloud Applicable if different per system
Development program facing website domains to assist in the responsible disclosure of production environments as well or service
vulnerabilities in the organisation’s products and services. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Software Application development Reporting and resolving ISM-1908 0 Dec-23 Yes Yes Yes Yes Yes No No No Vulnerabilities identified in applications are publicly disclosed Applicable Applicable to common cloud Applicable if different per system
Development vulnerabilities (where appropriate to do so) by software developers in a timely production environments as well or service Not Assessed Not Assessed Not Assessed
manner. as customer systems
Guidelines for Software Application development Reporting and resolving ISM-1754 2 Sep-23 Yes Yes Yes Yes Yes No No No Vulnerabilities identified in applications are resolved by software Applicable Applicable to common cloud Applicable if different per system
Development vulnerabilities developers in a timely manner. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Software Application development Reporting and resolving ISM-1909 0 Dec-23 Yes Yes Yes Yes Yes No No No In resolving vulnerabilities, software developers perform root Applicable Applicable to common cloud Applicable if different per system
Development vulnerabilities cause analysis and, to the greatest extent possible, seek to production environments as well or service Not Assessed Not Assessed Not Assessed
remediate entire vulnerability classes. as customer systems
Guidelines for Software Web application Secure web application ISM-0971 8 Mar-23 Yes Yes Yes Yes Yes No No No The OWASP Application Security Verification Standard is used in Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development design and development the development of web applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Secure web application ISM-1849 0 Mar-23 Yes Yes Yes Yes Yes No No No The OWASP Top 10 Proactive Controls are used in the Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development design and development development of web applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Secure web application ISM-1850 0 Mar-23 Yes Yes Yes Yes Yes No No No The OWASP Top 10 are mitigated in the development of web Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development design and development applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1239 4 Mar-22 Yes Yes Yes Yes Yes No No No Robust web application frameworks are used in the development Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development frameworks of web applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1552 0 Oct-19 Yes Yes Yes Yes Yes No No No All web application content is offered exclusively using HTTPS. Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development interactions the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1851 0 Mar-23 Yes Yes Yes Yes Yes No No No The OWASP API Security Top 10 are mitigated in the development Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development programming interfaces of web APIs. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1818 1 Mar-23 Yes Yes Yes Yes Yes No No No Authentication and authorisation of clients is performed when Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development programming interfaces clients call web APIs that facilitate modification of data. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1817 1 Mar-23 Yes Yes Yes Yes Yes No No No Authentication and authorisation of clients is performed when Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development programming interfaces clients call web APIs that facilitate access to data not authorised for the control is web application production environments as well or service
release into the public domain. frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1910 0 Dec-23 Yes Yes Yes Yes Yes No No No Web API calls that facilitate modification of data, or access to data Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development programming interfaces not authorised for release into the public domain, are centrally the control is web application production environments as well or service
logged. frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application input ISM-1240 3 Mar-22 Yes Yes Yes Yes Yes No No No Validation or sanitisation is performed on all input handled by web Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development handling applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application output ISM-1241 4 Mar-22 Yes Yes Yes Yes Yes No No No Output encoding is performed on all output produced by web Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development encoding applications. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web browser-based ISM-1424 4 Mar-22 Yes Yes Yes Yes Yes No No No Web applications implement Content-Security-Policy, HSTS and X- Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development controls Frame-Options via security policy in response headers. the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application firewalls ISM-1862 0 Jun-23 Yes Yes Yes Yes Yes No No No If using a WAF, disclosing the IP addresses of web servers under an Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development organisation’s control (referred to as origin servers) is avoided and the control is web application production environments as well or service
access to the origin servers is restricted to the WAF and authorised frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
management networks. infrastructure

Guidelines for Software Web application Web application ISM-1275 1 Sep-18 Yes Yes Yes Yes Yes No No No All queries to databases from web applications are filtered for Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development interaction with legitimate content and correct syntax. the control is web application production environments as well or service
databases frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1276 4 Dec-23 Yes Yes Yes Yes Yes No No No Parameterised queries or stored procedures, instead of Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development interaction with dynamically generated queries, are used by web applications for the control is web application production environments as well or service
databases database interactions. frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1278 4 Mar-23 Yes Yes Yes Yes Yes No No No Web applications are designed or configured to provide as little Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development interaction with error information as possible about the structure of databases. the control is web application production environments as well or service
databases frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application ISM-1536 2 Dec-23 Yes Yes Yes Yes Yes No No No All queries to databases from web applications that are initiated by Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development interaction with users, and any resulting crash or error messages, are centrally the control is web application production environments as well or service
databases logged. frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Software Web application Web application event ISM-1911 0 Dec-23 Yes Yes Yes Yes Yes No No No Web application crashes and error messages are centrally logged. Not applicable as the context of Applicable to common cloud Applicable if different per system
Development development logging the control is web application production environments as well or service
frameworks in cloud as customer systems Not Assessed Not Assessed Not Assessed
infrastructure

Guidelines for Database Database servers Functional separation ISM-1269 3 Mar-22 Yes Yes Yes Yes Yes No No No Database servers and web servers are functionally separated. Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems between database there are no databases on production environments as well or service
servers and web servers administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Database servers Communications ISM-1277 4 Mar-22 Yes Yes Yes Yes Yes No No No Data communicated between database servers and web servers is Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems between database encrypted. there are no databases on production environments as well or service
servers and web servers administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Database servers Network environment ISM-1270 3 Mar-22 Yes Yes Yes Yes Yes No No No Database servers are placed on a different network segment to Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems user workstations. there are no databases on production environments as well or service
administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Database servers Network environment ISM-1271 2 Jan-20 Yes Yes Yes Yes Yes No No No Network access controls are implemented to restrict database Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems server communications to strictly defined network resources, such there are no databases on production environments as well or service
as web servers, application servers and storage area networks. administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Database servers Network environment ISM-1272 1 Sep-18 Yes Yes Yes Yes Yes No No No If only local access to a database is required, networking Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems functionality of database management system software is disabled there are no databases on production environments as well or service
or directed to listen solely to the localhost interface. administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Database servers Separation of ISM-1273 3 Mar-22 Yes Yes Yes Yes Yes No No No Development and testing environments do not use the same Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems development, testing and database servers as production environments. there are no databases on production environments as well or service
production database administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed
servers
Guidelines for Database Databases Database register ISM-1243 6 Dec-22 Yes Yes Yes Yes Yes No No No A database register is developed, implemented, maintained and Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems verified on a regular basis. there are no databases on production environments as well or service
administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Protecting databases ISM-1256 3 Sep-18 Yes Yes Yes Yes Yes No No No File-based access controls are applied to database files. Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems there are no databases on production environments as well or service
administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Protecting database ISM-0393 8 Jun-21 Yes Yes Yes Yes Yes No No No Databases and their contents are classified based on the sensitivity Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems contents or classification of data that they contain. there are no databases on production environments as well or service
administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Protecting database ISM-1255 4 Mar-22 Yes Yes Yes Yes Yes No No No Database users’ ability to access, insert, modify and remove Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems contents database contents is restricted based on their work duties. there are no databases on production environments as well or service
administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Protecting database ISM-1268 1 Sep-18 Yes Yes Yes Yes Yes No No No The need-to-know principle is enforced for database contents Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems contents through the application of minimum privileges, database views and there are no databases on production environments as well or service
database roles. administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Separation of ISM-1274 6 Mar-22 Yes Yes Yes Yes Yes No No No Database contents from production environments are not used in Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems development, testing and development or testing environments unless the environment is there are no databases on production environments as well or service
production databases secured to the same level as the production environment. administrative endpoints as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Database Databases Database event logging ISM-1537 5 Sep-24 Yes Yes Yes Yes Yes No No No Security-relevant events for databases are centrally logged, Not applicable as it is assumed Applicable to common cloud Applicable if different per system
Systems including: there are no databases on production environments as well or service
• access or modification of particularly important content administrative endpoints as customer systems
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures Not Assessed Not Assessed Not Assessed
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.

Guidelines for Email Email usage Email usage policy ISM-0264 4 Dec-22 Yes Yes Yes Yes Yes No No No An email usage policy is developed, implemented and maintained. Not applicable as it is a Applicable to common cloud Applicable if different per system
Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email usage Webmail services ISM-0267 7 Mar-19 Yes Yes Yes Yes Yes No No No Access to non-approved webmail services is blocked. Not applicable as it is a Applicable to common cloud Applicable if different per system
Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email usage Protective markings for ISM-0270 6 Jun-21 Yes Yes Yes Yes Yes No No No Protective markings are applied to emails and reflect the highest Not applicable as it is a Applicable to common cloud Applicable if different per system
emails sensitivity or classification of the subject, body and attachments. Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email usage Protective marking tools ISM-0271 3 Mar-19 Yes Yes Yes Yes Yes No No No Protective marking tools do not automatically insert protective Not applicable as it is a Applicable to common cloud Applicable if different per system
markings into emails. Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email usage Protective marking tools ISM-0272 4 Mar-19 Yes Yes Yes Yes Yes No No No Protective marking tools do not allow users to select protective Not applicable as it is a Applicable to common cloud Applicable if different per system
markings that a system has not been authorised to process, store Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
or communicate. as customer systems
Guidelines for Email Email usage Protective marking tools ISM-1089 5 Mar-22 Yes Yes Yes Yes Yes No No No Protective marking tools do not allow users replying to or Not applicable as it is a Applicable to common cloud Applicable if different per system
forwarding emails to select protective markings lower than Government responsibility production environments as well or service Not Assessed Not Assessed Not Assessed
previously used. as customer systems
Guidelines for Email Email usage Handling emails with ISM-0565 4 Mar-19 Yes Yes Yes Yes Yes No No No Email servers are configured to block, log and report emails with Not applicable as it is a Applicable to common cloud Applicable if different per system
inappropriate, invalid or inappropriate protective markings. Government responsibility production environments as well or service
missing protective as customer systems Not Assessed Not Assessed Not Assessed
markings

Guidelines for Email Email usage Handling emails with ISM-1023 6 Mar-22 Yes Yes Yes Yes Yes No No No The intended recipients of blocked inbound emails, and the Not applicable as it is a Applicable to common cloud Applicable if different per system
inappropriate, invalid or senders of blocked outbound emails, are notified. Government responsibility production environments as well or service
missing protective as customer systems Not Assessed Not Assessed Not Assessed
markings

Guidelines for Email Email usage Email distribution lists ISM-0269 5 Mar-22 No No No Yes Yes No No No Emails containing Australian Eyes Only, Australian Government Not applicable as it is a Applicable to common cloud Applicable if different per system
Access Only or Releasable To data are not sent to email distribution Government responsibility production environments as well or service
lists unless the nationality of all members of email distribution lists as customer systems Not Assessed Not Assessed Not Assessed
can be confirmed.

Guidelines for Email Email gateways and Centralised email ISM-0569 5 Jun-22 Yes Yes Yes Yes Yes No No No Emails are routed via centralised email gateways. Applicable where administrative Applicable to common cloud Applicable if different per system
servers gateways endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email gateways and Centralised email ISM-0571 7 Jun-22 Yes Yes Yes Yes Yes No No No When users send or receive emails, an authenticated and Applicable where administrative Applicable to common cloud Applicable if different per system
servers gateways encrypted channel is used to route emails via their organisation’s endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
centralised email gateways. as customer systems
Guidelines for Email Email gateways and Email gateway ISM-0570 4 Sep-18 Yes Yes Yes Yes Yes No No No Where backup or alternative email gateways are in place, they are Applicable where administrative Applicable to common cloud Applicable if different per system
servers maintenance activities maintained at the same standard as the primary email gateway. endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email gateways and Open relay email servers ISM-0567 5 Sep-22 Yes Yes Yes Yes Yes No No No Email servers only relay emails destined for or originating from Applicable where mail relays Applicable to common cloud Applicable if different per system
servers their domains (including subdomains). send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Email server transport ISM-0572 4 Sep-21 Yes Yes Yes Yes Yes No No No Opportunistic TLS encryption is enabled on email servers that make Applicable where mail relays Applicable to common cloud Applicable if different per system
servers encryption incoming or outgoing email connections over public network send and receive emails between production environments as well or service
infrastructure. the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Email server transport ISM-1589 3 Jun-24 Yes Yes Yes Yes Yes No No No MTA-STS is enabled to prevent the unencrypted transfer of emails Applicable where mail relays Applicable to common cloud Applicable if different per system
servers encryption between email servers. send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Sender Policy Framework ISM-0574 7 Jun-23 Yes Yes Yes Yes Yes No No No SPF is used to specify authorised email servers (or lack thereof) for Applicable where mail relays Applicable to common cloud Applicable if different per system
servers an organisation’s domains (including subdomains). send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Sender Policy Framework ISM-1183 3 Jun-23 Yes Yes Yes Yes Yes No No No A hard fail SPF record is used when specifying authorised email Applicable where mail relays Applicable to common cloud Applicable if different per system
servers servers (or lack thereof) for an organisation’s domains (including send and receive emails between production environments as well or service
subdomains). the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Sender Policy Framework ISM-1151 3 Oct-19 Yes Yes Yes Yes Yes No No No SPF is used to verify the authenticity of incoming emails. Applicable where mail relays Applicable to common cloud Applicable if different per system
servers send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and DomainKeys Identified ISM-0861 3 Sep-22 Yes Yes Yes Yes Yes No No No DKIM signing is enabled on emails originating from an Applicable where mail relays Applicable to common cloud Applicable if different per system
servers Mail organisation’s domains (including subdomains). send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and DomainKeys Identified ISM-1026 6 Jun-23 Yes Yes Yes Yes Yes No No No DKIM signatures on incoming emails are verified. Applicable where mail relays Applicable to common cloud Applicable if different per system
servers Mail send and receive emails between production environments as well or service
the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and DomainKeys Identified ISM-1027 4 Sep-18 Yes Yes Yes Yes Yes No No No Email distribution list software used by external senders is Applicable where mail relays Applicable to common cloud Applicable if different per system
servers Mail configured such that it does not break the validity of the sender’s send and receive emails between production environments as well or service
DKIM signature. the CSP and their customers as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Domain-based Message ISM-1540 3 Jun-23 Yes Yes Yes Yes Yes No No No DMARC records are configured for an organisation’s domains Applicable where mail relays Applicable to common cloud Applicable if different per system
servers Authentication, Reporting (including subdomains) such that emails are rejected if they do not send and receive emails between production environments as well or service
and Conformance pass DMARC checks. the CSP and their customers as customer systems
Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Domain-based Message ISM-1799 0 Sep-22 Yes Yes Yes Yes Yes No No No Incoming emails are rejected if they do not pass DMARC checks. Applicable where mail relays Applicable to common cloud Applicable if different per system
servers Authentication, Reporting send and receive emails between production environments as well or service
and Conformance the CSP and their customers as customer systems
Not Assessed Not Assessed Not Assessed

Guidelines for Email Email gateways and Email content filtering ISM-1234 5 Dec-22 Yes Yes Yes Yes Yes No No No Email content filtering is implemented to filter potentially harmful Applicable where administrative Applicable to common cloud Applicable if different per system
servers content in email bodies and attachments. endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Email Email gateways and Blocking suspicious ISM-1502 2 Sep-22 Yes Yes Yes Yes Yes No No No Emails arriving via an external connection where the email source Applicable where administrative Applicable to common cloud Applicable if different per system
servers emails address uses an internal domain, or internal subdomain, are endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
blocked at the email gateway. as customer systems
Guidelines for Email Email gateways and Notifications of ISM-1024 5 Mar-22 Yes Yes Yes Yes Yes No No No Notifications of undeliverable emails are only sent to senders that Applicable where administrative Applicable to common cloud Applicable if different per system
servers undeliverable emails can be verified via SPF or other trusted means. endpoints have email access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Network design and Network documentation ISM-0518 6 Dec-23 Yes Yes Yes Yes Yes No No No Network documentation is developed, implemented and Applicable Applicable to common cloud Applicable if different per system
Networking configuration maintained. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Network design and Network documentation ISM-0516 5 Mar-22 Yes Yes Yes Yes Yes No No No Network documentation includes high-level network diagrams Applicable Applicable to common cloud Applicable if different per system
Networking configuration showing all connections into networks and logical network production environments as well or service
diagrams showing all critical servers, high-value servers, network as customer systems Not Assessed Not Assessed Not Assessed
devices and network security appliances.

Guidelines for Network design and Network documentation ISM-1912 0 Dec-23 Yes Yes Yes Yes Yes No No No Network documentation includes device settings for all critical Applicable Applicable to common cloud Applicable if different per system
Networking configuration servers, high-value servers, network devices and network security production environments as well or service Not Assessed Not Assessed Not Assessed
appliances. as customer systems
Guidelines for Network design and Network documentation ISM-1178 3 Sep-18 Yes Yes Yes Yes Yes No No No Network documentation provided to a third party, or published in Not applicable as it relates to the Applicable Applicable if different per system
Networking configuration public tender documentation, only contains details necessary for governance of the CSP and or service
other parties to undertake contractual services. should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Network design and Network encryption ISM-1781 0 Jun-22 Yes Yes Yes Yes Yes No No No All data communicated over network infrastructure is encrypted. Applicable Applicable Not applicable as it is highly likely
Networking configuration common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network segmentation ISM-1181 5 Mar-22 Yes Yes Yes Yes Yes No No No Networks are segregated into multiple network zones according to Applicable Applicable Not applicable as it is highly likely
Networking configuration and segregation the criticality of servers, services and data. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network segmentation ISM-1577 1 Mar-22 Yes Yes Yes Yes Yes No No No An organisation’s networks are segregated from their service Applicable Applicable Not applicable as it is highly likely
Networking configuration and segregation providers’ networks. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Virtual Local Area ISM-1532 3 Mar-22 Yes Yes Yes Yes Yes No No No VLANs are not used to separate network traffic between an Applicable Applicable Not applicable as it is highly likely
Networking configuration Networks organisation’s networks and public network infrastructure. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Virtual Local Area ISM-0529 6 Dec-21 Yes Yes Yes Yes Yes No No No VLANs are not used to separate network traffic between networks Applicable Applicable Not applicable as it is highly likely
Networking configuration Networks belonging to different security domains. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Virtual Local Area ISM-0530 6 Dec-21 Yes Yes Yes Yes Yes No No No Network devices managing VLANs are administered from the most Applicable Applicable Not applicable as it is highly likely
Networking configuration Networks trusted security domain. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Virtual Local Area ISM-0535 6 Dec-21 Yes Yes Yes Yes Yes No No No Network devices managing VLANs belonging to different security Applicable Applicable Not applicable as it is highly likely
Networking configuration Networks domains do not share VLAN trunks. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Virtual Local Area ISM-1364 3 Dec-21 Yes Yes Yes Yes Yes No No No Network devices managing VLANs terminate VLANs belonging to Applicable Applicable Not applicable as it is highly likely
Networking configuration Networks different security domains on separate physical network interfaces. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Internet Protocol ISM-0521 6 Mar-22 Yes Yes Yes Yes Yes No No No IPv6 functionality is disabled in dual-stack network devices unless it Applicable Applicable Not applicable as it is highly likely
Networking configuration version 6 is being used. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Internet Protocol ISM-1186 4 Mar-22 Yes Yes Yes Yes Yes No No No IPv6 capable network security appliances are used on IPv6 and Applicable Applicable Not applicable as it is highly likely
Networking configuration version 6 dual-stack networks. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Internet Protocol ISM-1428 2 Mar-22 Yes Yes Yes Yes Yes No No No Unless explicitly required, IPv6 tunnelling is disabled on all network Applicable Applicable Not applicable as it is highly likely
Networking configuration version 6 devices. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Internet Protocol ISM-1429 3 Mar-22 Yes Yes Yes Yes Yes No No No IPv6 tunnelling is blocked by network security appliances at Applicable Applicable Not applicable as it is highly likely
Networking configuration version 6 externally-connected network boundaries. common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Internet Protocol ISM-1430 3 Mar-22 Yes Yes Yes Yes Yes No No No Dynamically assigned IPv6 addresses are configured with Dynamic Applicable Applicable Not applicable as it is highly likely
Networking configuration version 6 Host Configuration Protocol version 6 in a stateful manner with common infrastructure is used
lease data stored in a centralised event logging facility. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network access controls ISM-0520 9 Dec-24 Yes Yes Yes Yes Yes No No No Network access controls are implemented on networks to prevent Applicable Applicable Not applicable as it is highly likely
Networking configuration the connection of unauthorised network devices and networked IT common infrastructure is used
equipment. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network access controls ISM-1182 5 Sep-23 Yes Yes Yes Yes Yes No No No Network access controls are implemented to limit the flow of Applicable Applicable Not applicable as it is highly likely
Networking configuration network traffic within and between network segments to only that common infrastructure is used
required for business purposes. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Functional separation ISM-0385 6 Sep-18 Yes Yes Yes Yes Yes No No No Servers maintain effective functional separation with other servers Applicable Applicable to common cloud Applicable if different per system
Networking configuration between servers allowing them to operate independently. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Network design and Functional separation ISM-1479 1 Jun-24 Yes Yes Yes Yes Yes No No No Servers minimise communications with other servers at the Applicable Applicable to common cloud Applicable if different per system
Networking configuration between servers network and file system level. production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Network design and Networked management ISM-1863 1 Jun-24 Yes Yes Yes Yes Yes No No No Networked management interfaces for IT equipment are not Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration interfaces directly exposed to the internet. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network management ISM-1006 6 Sep-18 Yes Yes Yes Yes Yes No No No Security measures are implemented to prevent unauthorised Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration traffic access to network management traffic. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using the Server Message ISM-1962 0 Sep-24 Yes Yes Yes Yes Yes No No No SMB version 1 is not used on networks. Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration Block protocol endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using the Simple ISM-1311 3 Dec-22 Yes Yes Yes Yes Yes No No No SNMP version 1 and SNMP version 2 are not used on networks. Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration Network Management endpoints are connected to the production environments as well or service
Protocol corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using the Simple ISM-1312 3 Mar-22 Yes Yes Yes Yes Yes No No No All default SNMP community strings on network devices are Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration Network Management changed and write access is disabled. endpoints are connected to the production environments as well or service
Protocol corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Network-based ISM-1028 8 Mar-22 Yes Yes Yes Yes Yes No No No A NIDS or NIPS is deployed in gateways between an organisation’s Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration Intrusion Detection and networks and other networks they do not manage. endpoints are connected to the production environments as well or service
Prevention Systems corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Using Network-based ISM-1030 8 Mar-22 Yes Yes Yes Yes Yes No No No A NIDS or NIPS is located immediately inside the outermost firewall Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration Intrusion Detection and for gateways and configured to generate event logs and alerts for endpoints are connected to the production environments as well or service
Prevention Systems network traffic that contravenes any rule in a firewall ruleset. corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Blocking anonymity ISM-1627 1 Sep-23 Yes Yes Yes Yes Yes No No No Inbound network connections from anonymity networks are Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration network traffic blocked. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Blocking anonymity ISM-1628 0 Nov-20 Yes Yes Yes Yes Yes No No No Outbound network connections to anonymity networks are Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration network traffic blocked. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Protective Domain Name ISM-1782 1 Dec-22 Yes Yes Yes Yes Yes No No No A protective DNS service is used to block access to known malicious Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration System Services domain names. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed
Guidelines for Network design and Flashing network devices ISM-1800 0 Sep-22 Yes Yes Yes Yes Yes No No No Network devices are flashed with trusted firmware before they are Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration with trusted firmware used for the first time. endpoints are connected to the production environments as well or service
before first use corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Default user accounts ISM-1304 5 Dec-24 Yes Yes Yes Yes Yes No No No Default user accounts or credentials for network devices, including Applicable to administrative Applicable to common cloud Applicable if different per system
Networking configuration and credentials for for any pre-configured user accounts, are changed. endpoint accounts production environments as well or service Not Assessed Not Assessed Not Assessed
network devices as customer systems
Guidelines for Network design and Disabling unused physical ISM-0534 2 Sep-18 Yes Yes Yes Yes Yes No No No Unused physical ports on network devices are disabled. Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration ports on network devices endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Regularly restarting ISM-1801 0 Sep-22 Yes Yes Yes Yes Yes No No No Network devices are restarted on at least a monthly basis. Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration network devices endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network device event ISM-1963 0 Sep-24 Yes Yes Yes Yes Yes No No No Security-relevant events for internet-facing network devices are Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration logging centrally logged. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Network design and Network device event ISM-1964 0 Sep-24 Yes Yes Yes Yes Yes No No No Security-relevant events for non-internet-facing network devices Applicable where administrative Applicable to common cloud Applicable if different per system
Networking configuration logging are centrally logged. endpoints are connected to the production environments as well or service
corporate network as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Wireless networks Choosing wireless devices ISM-1314 2 Sep-21 Yes Yes Yes Yes Yes No No No All wireless devices are Wi-Fi Alliance certified. Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Public wireless networks ISM-0536 7 Mar-22 Yes Yes Yes Yes Yes No No No Public wireless networks provided for general public use are Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking segregated from all other organisation networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Administrative interfaces ISM-1315 2 Sep-18 Yes Yes Yes Yes Yes No No No The administrative interface on wireless access points is disabled Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking for wireless access points for wireless network connections. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Default settings ISM-1710 2 Dec-23 Yes Yes Yes Yes Yes No No No Settings for wireless access points are hardened. Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Default settings ISM-1316 3 Mar-22 Yes Yes Yes Yes Yes No No No Default SSIDs of wireless access points are changed. Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Default settings ISM-1317 3 Mar-22 Yes Yes Yes Yes Yes No No No SSIDs of non-public wireless networks are not readily associated Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking with an organisation, the location of their premises or the endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
functionality of wireless networks. connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Default settings ISM-1318 3 Mar-22 Yes Yes Yes Yes Yes No No No SSID broadcasting is not disabled on wireless access points. Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Media Access Control ISM-1320 2 Sep-18 Yes Yes Yes Yes Yes No No No MAC address filtering is not used to restrict which devices can Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking address filtering connect to wireless networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Static addressing ISM-1319 2 Sep-18 Yes Yes Yes Yes Yes No No No Static addressing is not used for assigning IP addresses on wireless Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Confidentiality and ISM-1332 3 Sep-21 Yes Yes Yes Yes Yes No No No WPA3-Enterprise 192-bit mode is used to protect the Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking integrity of wireless confidentiality and integrity of all wireless network traffic. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
network traffic connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks 802.1X authentication ISM-1321 2 Sep-21 Yes Yes Yes Yes Yes No No No 802.1X authentication with EAP-TLS, using X.509 certificates, is Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking used for mutual authentication; with all other EAP methods endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
disabled on supplicants and authentication servers. connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks 802.1X authentication ISM-1711 0 Sep-21 Yes Yes Yes Yes Yes No No No User identity confidentiality is used if available with EAP-TLS Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking implementations. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Evaluation of 802.1X ISM-1322 4 Sep-21 Yes Yes Yes Yes Yes No No No Evaluated supplicants, authenticators, wireless access points and Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking authentication authentication servers are used in wireless networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
implementation connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Generating and issuing ISM-1324 4 Mar-22 Yes Yes Yes Yes Yes No No No Certificates are generated using an evaluated certificate authority Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking certificates for or hardware security module. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
authentication connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Generating and issuing ISM-1323 4 Jun-24 Yes Yes Yes Yes Yes No No No Certificates are required for devices and users accessing wireless Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking certificates for networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
authentication connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Generating and issuing ISM-1327 3 Jun-24 Yes Yes Yes Yes Yes No No No Certificates are protected by logical and physical access controls, Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking certificates for encryption, and user authentication. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
authentication connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Caching 802.1X ISM-1330 1 Sep-18 Yes Yes Yes Yes Yes No No No The PMK caching period is not set to greater than 1440 minutes (24 Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking authentication outcomes hours). endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Fast Basic Service Set ISM-1712 1 Mar-22 Yes Yes Yes Yes Yes No No No The use of FT (802.11r) is disabled unless authenticator-to- Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking Transition authenticator communications are secured by an ASD-Approved endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
Cryptographic Protocol. connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Remote Authentication ISM-1454 2 Sep-21 Yes Yes Yes Yes Yes No No No Communications between authenticators and a RADIUS server are Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking Dial-In User Service encapsulated with an additional layer of encryption using RADIUS endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
authentication over Internet Protocol Security or RADIUS over Transport Layer connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
Security. environment environment

Guidelines for Wireless networks Interference between ISM-1334 2 Sep-18 Yes Yes Yes Yes Yes No No No Wireless networks implement sufficient frequency separation from Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking wireless networks other wireless networks. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Protecting management ISM-1335 1 Sep-18 Yes Yes Yes Yes Yes No No No Wireless access points enable the use of the 802.11w amendment Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking frames on wireless to protect management frames. endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
networks connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
environment environment

Guidelines for Wireless networks Wireless network ISM-1338 2 Mar-22 Yes Yes Yes Yes Yes No No No Instead of deploying a small number of wireless access points that Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking footprint broadcast on high power, a greater number of wireless access endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
points that use less broadcast power are deployed to achieve the connectivity the cloud production the cloud production
desired footprint for wireless networks. environment environment Not Assessed Not Assessed Not Assessed

Guidelines for Wireless networks Wireless network ISM-1013 6 Dec-21 No No No Yes Yes No No No The effective range of wireless communications outside an Applicable where administrative Not applicable as it is assumed Not applicable as it is assumed
Networking footprint organisation’s area of control is limited by implementing RF endpoints have Wi-Fi there is no Wi-Fi connectivity in there is no Wi-Fi connectivity in
shielding on facilities in which SECRET or TOP SECRET wireless connectivity the cloud production the cloud production Not Assessed Not Assessed Not Assessed
networks are used. environment environment

Guidelines for Service continuity for Cloud-based hosting of ISM-1437 5 Mar-22 Yes Yes Yes Yes Yes No No No Cloud service providers are used for hosting online services. Not applicable as it is a customer Not applicable as it is a customer Not applicable as it is a customer
Networking online services online services responsibility responsibility responsibility Not Assessed Not Assessed Not Assessed
Guidelines for Service continuity for Capacity and availability ISM-1579 2 Jun-23 Yes Yes Yes Yes Yes No No No Cloud service providers’ ability to dynamically scale resources in Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services planning and monitoring response to a genuine spike in demand is discussed and verified as the control is availability in cloud production environments as well or service
for online services part of capacity and availability planning for online services. infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Service continuity for Capacity and availability ISM-1580 1 Dec-21 Yes Yes Yes Yes Yes No No No Where a high availability requirement exists for online services, the Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services planning and monitoring services are architected to automatically transition between the control is availability in cloud production environments as well or service
for online services availability zones. infrastructure as customer systems Not Assessed Not Assessed Not Assessed
Guidelines for Service continuity for Capacity and availability ISM-1581 3 Jun-23 Yes Yes Yes Yes Yes No No No Continuous real-time monitoring of the capacity and availability of Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services planning and monitoring online services is performed. the control is availability in cloud production environments as well or service
for online services infrastructure as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Service continuity for Using content delivery ISM-1438 2 Dec-21 Yes Yes Yes Yes Yes No No No Where a high availability requirement exists for website hosting, Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services networks CDNs that cache websites are used. the control is availability in cloud production environments as well or service Not Assessed Not Assessed Not Assessed
infrastructure as customer systems
Guidelines for Service continuity for Using content delivery ISM-1439 3 Mar-22 Yes Yes Yes Yes Yes No No No If using CDNs, disclosing the IP addresses of web servers under an Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services networks organisation’s control (referred to as origin servers) is avoided and the control is availability in cloud production environments as well or service
access to the origin servers is restricted to the CDNs and authorised infrastructure as customer systems
management networks. Not Assessed Not Assessed Not Assessed

Guidelines for Service continuity for Denial-of-service attack ISM-1431 5 Jun-23 Yes Yes Yes Yes Yes No No No Denial-of-service attack mitigation strategies are discussed with Applicable Applicable Applicable if different per system
Networking online services mitigation strategies cloud service providers, specifically: or service
• their capacity to withstand denial-of-service attacks
• costs likely to be incurred as a result of denial-of-service attacks
• availability monitoring and thresholds for notification of denial-
of-service attacks
• thresholds for turning off any online services or functionality
during denial-of-service attacks
• pre-approved actions that can be undertaken during denial-of- Not Assessed Not Assessed Not Assessed
service attacks
• any arrangements with upstream service providers to block
malicious network traffic as far upstream as possible.

Guidelines for Service continuity for Denial-of-service attack ISM-1436 3 Jun-23 Yes Yes Yes Yes Yes No No No Critical online services are segregated from other online services Not applicable as the context of Applicable to common cloud Applicable if different per system
Networking online services mitigation strategies that are more likely to be targeted as part of denial-of-service the control is availability in cloud production environments as well or service Not Assessed Not Assessed Not Assessed
attacks. infrastructure as customer systems
Guidelines for Service continuity for Denial-of-service attack ISM-1432 3 Jun-23 Yes Yes Yes Yes Yes No No No Domain names for online services are protected via registrar Applicable Applicable Applicable if different per system
Networking online services mitigation strategies locking and confirming that domain registration details are correct. or service Not Assessed Not Assessed Not Assessed

Guidelines for Cryptographic Communications security ISM-0499 11 Sep-23 No No No Yes Yes No No No Communications security doctrine produced by ASD for the Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals doctrine management and operation of HACE is complied with. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Cryptographic Approved High Assurance ISM-1802 1 Sep-23 No No No Yes Yes No No No HACE are issued an Approval for Use by ASD and operated in Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals Cryptographic Equipment accordance with the latest version of their associated Australian endpoints production environments as well or service
Communications Security Instructions. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Cryptographic Cryptographic key ISM-0507 5 Dec-22 Yes Yes Yes Yes Yes No No No Cryptographic key management processes, and supporting Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals management processes cryptographic key management procedures, are developed, endpoints production environments as well or service
and procedures implemented and maintained. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Cryptographic Encrypting data at rest ISM-1080 5 Jun-22 Yes Yes Yes Yes Yes No No No An ASD-Approved Cryptographic Algorithm (AACA) or high Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals assurance cryptographic algorithm is used when encrypting media. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Cryptographic Encrypting data at rest ISM-0457 9 Mar-22 No Yes Yes No No No No No Cryptographic equipment or software that has completed a Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals Common Criteria evaluation against a Protection Profile is used endpoints production environments as well or service
when encrypting media that contains OFFICIAL: Sensitive or as customer systems Not Assessed Not Assessed Not Assessed
PROTECTED data.

Guidelines for Cryptographic Encrypting data at rest ISM-0460 13 Sep-23 No No No Yes Yes No No No HACE is used when encrypting media that contains SECRET or TOP Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals SECRET data. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Cryptographic Encrypting data at rest ISM-0459 4 Dec-21 Yes Yes Yes Yes Yes No No No Full disk encryption, or partial encryption where access controls Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals will only allow writing to the encrypted partition, is implemented endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
when encrypting data at rest. as customer systems
Guidelines for Cryptographic Encrypting data in transit ISM-0469 6 Jun-22 Yes Yes Yes Yes Yes No No No An ASD-Approved Cryptographic Protocol (AACP) or high assurance Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals cryptographic protocol is used to protect data when communicated endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
over network infrastructure. as customer systems
Guidelines for Cryptographic Encrypting data in transit ISM-0465 9 Mar-22 No Yes Yes No No No No No Cryptographic equipment or software that has completed a Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals Common Criteria evaluation against a Protection Profile is used to endpoints production environments as well or service
protect OFFICIAL: Sensitive or PROTECTED data when as customer systems
communicated over insufficiently secure networks, outside of Not Assessed Not Assessed Not Assessed
appropriately secure areas or via public network infrastructure.

Guidelines for Cryptographic Encrypting data in transit ISM-0467 12 Sep-23 No No No Yes Yes No No No HACE is used to protect SECRET and TOP SECRET data when Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals communicated over insufficiently secure networks, outside of endpoints production environments as well or service
appropriately secure areas or via public network infrastructure. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Cryptographic Data recovery ISM-0455 3 Mar-22 Yes Yes Yes Yes Yes No No No Where practical, cryptographic equipment and software provides a Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals means of data recovery to allow for circumstances where the endpoints production environments as well or service
encryption key is unavailable due to loss, damage or failure. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Cryptographic Handling encrypted IT ISM-0462 8 Jun-24 Yes Yes Yes Yes Yes No No No When a user authenticates to the encryption functionality of IT Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals equipment and media equipment or media, it is treated in accordance with its original endpoints production environments as well or service
sensitivity or classification until the user deauthenticates from the as customer systems Not Assessed Not Assessed Not Assessed
encryption functionality.

Guidelines for Cryptographic Transporting ISM-0501 6 Mar-22 Yes Yes Yes Yes Yes No No No Keyed cryptographic equipment is transported based on the Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals cryptographic equipment sensitivity or classification of its keying material. endpoints production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Cryptographic Reporting cryptographic- ISM-0142 5 Jun-23 Yes Yes Yes Yes Yes No No No The compromise or suspected compromise of cryptographic Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals related cyber security equipment or associated keying material is reported to the Chief endpoints production environments as well or service
incidents Information Security Officer, or one of their delegates, as soon as as customer systems Not Assessed Not Assessed Not Assessed
possible after it occurs.

Guidelines for Cryptographic Reporting cryptographic- ISM-1091 6 Dec-21 Yes Yes Yes Yes Yes No No No Keying material is changed when compromised or suspected of Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography fundamentals related cyber security being compromised. endpoints production environments as well or service
incidents as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for ASD-Approved Using ASD-Approved ISM-0471 7 Dec-21 Yes Yes Yes Yes Yes No No No Only AACAs or high assurance cryptographic algorithms are used by Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Cryptographic Algorithms cryptographic equipment and software. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Asymmetric ISM-0994 7 Mar-24 Yes Yes Yes Yes Yes No No No ECDH is used in preference to DH. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms cryptographic algorithms traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Diffie-Hellman ISM-0472 7 Dec-24 Yes Yes Yes No No No No No When using DH for agreeing on encryption session keys, a modulus Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms of at least 2048 bits is used, preferably 3072 bits. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Diffie-Hellman ISM-1759 0 Mar-22 No No No Yes Yes No No No When using DH for agreeing on encryption session keys, a modulus Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms of at least 3072 bits is used, preferably 3072 bits. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Diffie-Hellman ISM-1629 1 Dec-21 Yes Yes Yes Yes Yes No No No When using DH for agreeing on encryption session keys, a modulus Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms and associated parameters are selected according to NIST SP 800- traffic production environments as well or service Not Assessed Not Assessed Not Assessed
56A Rev. 3. as customer systems
Guidelines for ASD-Approved Using Elliptic Curve ISM-1446 3 Mar-24 Yes Yes Yes Yes Yes No No No When using elliptic curve cryptography, a suitable curve from NIST Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Cryptography SP 800-186 is used. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Elliptic Curve Diffie- ISM-0474 7 Dec-24 Yes Yes Yes No No No No No When using ECDH for agreeing on encryption session keys, a base Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Hellman point order and key size of at least 224 bits is used, preferably the traffic production environments as well or service Not Assessed Not Assessed Not Assessed
NIST P-384 curve. as customer systems
Guidelines for ASD-Approved Using Elliptic Curve Diffie- ISM-1761 0 Mar-22 No No No Yes No No No No When using ECDH for agreeing on encryption session keys, NIST P- Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Hellman 256, P-384 or P-521 curves are used, preferably the NIST P-384 traffic production environments as well or service Not Assessed Not Assessed Not Assessed
curve. as customer systems
Guidelines for ASD-Approved Using Elliptic Curve Diffie- ISM-1762 0 Mar-22 No No No No Yes No No No When using ECDH for agreeing on encryption session keys, NIST P- Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Hellman 384 or P-521 curves are used, preferably the NIST P-384 curve. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using the Elliptic Curve ISM-0475 7 Dec-24 Yes Yes Yes No No No No No When using ECDSA for digital signatures, a base point order and Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Digital Signature key size of at least 224 bits is used, preferably the P-384 curve. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using the Elliptic Curve ISM-1763 0 Mar-22 No No No Yes No No No No When using ECDSA for digital signatures, NIST P-256, P-384 or P- Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Digital Signature 521 curves are used, preferably the NIST P-384 curve. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using the Elliptic Curve ISM-1764 0 Mar-22 No No No No Yes No No No When using ECDSA for digital signatures, NIST P-384 or P-521 Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Digital Signature curves are used, preferably the NIST P-384 curve. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using post-quantum ISM-1990 0 Dec-24 Yes Yes Yes Yes Yes No No No When using ML-DSA and ML-KEM, as per FIPS 204 and FIPS 203 Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms cryptographic algorithms respectively, adherence to pre-requisite FIPS publications is traffic production environments as well or service Not Assessed Not Assessed Not Assessed
preferred. as customer systems
Guidelines for ASD-Approved Using the Module-Lattice- ISM-1991 0 Dec-24 Yes Yes Yes Yes Yes No No No When using ML-DSA for digital signatures, ML-DSA-65 or ML-DSA- Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Based Digital Signature 87 is used, preferably ML-DSA-87. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using the Module-Lattice- ISM-1992 0 Dec-24 Yes Yes Yes Yes Yes No No No When using ML-DSA for digital signatures, the hedged variant is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Based Digital Signature used whenever possible. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using the Module-Lattice- ISM-1993 0 Dec-24 Yes Yes Yes Yes Yes No No No Pre-hashed variants of ML-DSA-65 and ML-DSA-87 are only used Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Based Digital Signature when the performance of default variants is unacceptable. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm as customer systems
Guidelines for ASD-Approved Using the Module-Lattice- ISM-1994 0 Dec-24 Yes Yes Yes Yes Yes No No No When the pre-hashed variants of ML-DSA-65 and ML-DSA-87 are Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Based Digital Signature used, at least SHA-384 and SHA-512 respectively are used for pre- traffic production environments as well or service Not Assessed Not Assessed Not Assessed
Algorithm hashing. as customer systems
Guidelines for ASD-Approved Using the Module-Lattice- ISM-1995 0 Dec-24 Yes Yes Yes Yes Yes No No No When using ML-KEM for encapsulating encryption session keys Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Based Key Encapsulation (and similar keys), ML-KEM-768 or ML-KEM-1024 is used, traffic production environments as well or service
Mechanism preferably ML-KEM-1024. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for ASD-Approved Using Rivest-Shamir- ISM-0476 8 Dec-24 Yes Yes Yes No No No No No When using RSA for digital signatures, and transporting encryption Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Adleman session keys (and similar keys), a modulus of at least 2048 bits is traffic production environments as well or service Not Assessed Not Assessed Not Assessed
used, preferably 3072 bits. as customer systems
Guidelines for ASD-Approved Using Rivest-Shamir- ISM-1765 1 Dec-24 No No No Yes Yes No No No When using RSA for digital signatures, and transporting encryption Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Adleman session keys (and similar keys), a modulus of at least 3072 bits is traffic production environments as well or service Not Assessed Not Assessed Not Assessed
used, preferably 3072 bits. as customer systems
Guidelines for ASD-Approved Using Rivest-Shamir- ISM-0477 9 Dec-24 Yes Yes Yes Yes Yes No No No When using RSA for digital signatures, and for transporting Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Adleman encryption session keys (and similar keys), a different key pair is traffic production environments as well or service
used for digital signatures and transporting encryption session as customer systems Not Assessed Not Assessed Not Assessed
keys.

Guidelines for ASD-Approved Using Secure Hashing ISM-1766 1 Dec-24 Yes Yes Yes No No No No No When using SHA-2 for hashing, an output size of at least 224 bits is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Algorithms used, preferably SHA-384 or SHA-512. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Secure Hashing ISM-1767 1 Dec-24 No No No Yes No No No No When using SHA-2 for hashing, an output size of at least 256 bits is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Algorithms used, preferably SHA-384 or SHA-512. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using Secure Hashing ISM-1768 1 Dec-24 No No No No Yes No No No When using SHA-2 for hashing, an output size of at least 384 bits is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms Algorithms used, preferably SHA-384 or SHA-512. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using symmetric ISM-1769 1 Dec-24 Yes Yes Yes Yes No No No No When using AES for encryption, AES-128, AES-192 or AES-256 is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms cryptographic algorithms used, preferably AES-256. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using symmetric ISM-1770 0 Mar-22 No No No No Yes No No No When using AES for encryption, AES-192 or AES-256 is used, Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms cryptographic algorithms preferably AES-256. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Using symmetric ISM-0479 5 Dec-21 Yes Yes Yes Yes Yes No No No Symmetric cryptographic algorithms are not used in Electronic Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms cryptographic algorithms Codebook Mode. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for ASD-Approved Transitioning to post- ISM-1917 1 Dec-24 Yes Yes Yes Yes Yes No No No The development and procurement of new cryptographic Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms quantum cryptography equipment and software ensures support for the use of ML-DSA- traffic production environments as well or service
87, ML-KEM-1024, SHA-384, SHA-512 and AES-256 by no later than as customer systems Not Assessed Not Assessed Not Assessed
2030.

Guidelines for ASD-Approved Post-quantum traditional ISM-1996 0 Dec-24 Yes Yes Yes Yes Yes No No No When a post-quantum traditional hybrid scheme is used, either the Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Algorithms hybrid schemes post-quantum cryptographic algorithm, the traditional traffic production environments as well or service Not Assessed Not Assessed Not Assessed
cryptographic algorithm or both are AACAs. as customer systems
Guidelines for ASD-Approved Using ASD-Approved ISM-0481 6 Dec-21 Yes Yes Yes Yes Yes No No No Only AACPs or high assurance cryptographic protocols are used by Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Cryptographic Protocols Cryptographic Protocols cryptographic equipment and software. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1139 6 Mar-22 Yes Yes Yes Yes Yes No No No Only the latest version of TLS is used for TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1369 3 Mar-22 Yes Yes Yes Yes Yes No No No AES-GCM is used for encryption of TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1370 3 Mar-22 Yes Yes Yes Yes Yes No No No Only server-initiated secure renegotiation is used for TLS Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security connections. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1372 3 Mar-22 Yes Yes Yes Yes Yes No No No DH or ECDH is used for key establishment of TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1448 2 Mar-22 Yes Yes Yes Yes Yes No No No When using DH or ECDH for key establishment of TLS connections, Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security the ephemeral variant is used. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1373 2 Mar-22 Yes Yes Yes Yes Yes No No No Anonymous DH is not used for TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1374 3 Mar-22 Yes Yes Yes Yes Yes No No No SHA-2-based certificates are used for TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1375 4 Mar-22 Yes Yes Yes Yes Yes No No No SHA-2 is used for the Hash-based Message Authentication Code Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security (HMAC) and pseudorandom function (PRF) for TLS connections. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1553 1 Mar-22 Yes Yes Yes Yes Yes No No No TLS compression is disabled for TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Transport Layer Security Configuring Transport ISM-1453 1 Sep-18 Yes Yes Yes Yes Yes No No No Perfect Forward Secrecy (PFS) is used for TLS connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Layer Security traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Secure Shell Configuring Secure Shell ISM-1506 1 Mar-22 Yes Yes Yes Yes Yes No No No The use of SSH version 1 is disabled for SSH connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Secure Shell Configuring Secure Shell ISM-0484 6 Dec-21 Yes Yes Yes Yes Yes No No No The SSH daemon is configured to: Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography • only listen on the required interfaces (ListenAddress traffic production environments as well or service
xxx.xxx.xxx.xxx) as customer systems
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds
(LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no) Not Assessed Not Assessed Not Assessed
• disable connection forwarding (AllowTCPForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).

Guidelines for Secure Shell Authentication ISM-0485 3 Sep-18 Yes Yes Yes Yes Yes No No No Public key-based authentication is used for SSH connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography mechanisms traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Secure Shell Authentication ISM-1449 1 Sep-18 Yes Yes Yes Yes Yes No No No SSH private keys are protected with a passphrase or a key Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography mechanisms encryption key. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Secure Shell Automated remote ISM-0487 5 Sep-24 Yes Yes Yes Yes Yes No No No When using logins without a passphrase for SSH connections, the Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography access following are disabled: traffic production environments as well or service
• access from IP addresses that do not require access as customer systems
• port forwarding
• agent credential forwarding Not Assessed Not Assessed Not Assessed
• X11 forwarding
• console access.

Guidelines for Secure Shell Automated remote ISM-0488 4 Mar-22 Yes Yes Yes Yes Yes No No No If using remote access without the use of a passphrase for SSH Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography access connections, the ‘forced command’ option is used to specify what traffic production environments as well or service
command is executed and parameter checking is enabled. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Secure Shell SSH-agent ISM-0489 5 Mar-22 Yes Yes Yes Yes Yes No No No When SSH-agent or similar key caching programs are used, it is Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography limited to workstations and servers with screen locks and key traffic production environments as well or service
caches that are set to expire within four hours of inactivity. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Secure/Multipurpose Configuring ISM-0490 4 Mar-22 Yes Yes Yes Yes Yes No No No Versions of S/MIME earlier than S/MIME version 3.0 are not used Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography Internet Mail Extension Secure/Multipurpose for S/MIME connections. traffic production environments as well or service
Internet Mail Extension as customer systems Not Assessed Not Assessed Not Assessed
Guidelines for Internet Protocol Security Mode of operation ISM-0494 3 Sep-18 Yes Yes Yes Yes Yes No No No Tunnel mode is used for IPsec connections; however, if using Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography transport mode, an IP tunnel is used. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Internet Protocol Security Protocol selection ISM-0496 5 Mar-22 Yes Yes Yes Yes Yes No No No The ESP protocol is used for authentication and encryption of IPsec Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography connections. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Internet Protocol Security Key exchange ISM-1233 2 Mar-22 Yes Yes Yes Yes Yes No No No IKE version 2 is used for key exchange when establishing IPsec Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography connections. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Internet Protocol Security Encryption algorithms ISM-1771 0 Mar-22 Yes Yes Yes Yes Yes No No No AES is used for encrypting IPsec connections, preferably Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography ENCR_AES_GCM_16. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Internet Protocol Security Pseudorandom function ISM-1772 0 Mar-22 Yes Yes Yes Yes Yes No No No PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography PRF_HMAC_SHA2_512 is used for IPsec connections, preferably traffic production environments as well or service Not Assessed Not Assessed Not Assessed
PRF_HMAC_SHA2_512. as customer systems
Guidelines for Internet Protocol Security Integrity algorithms ISM-0998 5 Mar-22 Yes Yes Yes Yes Yes No No No AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is traffic production environments as well or service Not Assessed Not Assessed Not Assessed
used for authenticating IPsec connections, preferably NONE. as customer systems
Guidelines for Internet Protocol Security Diffie-Hellman groups ISM-0999 6 Mar-22 Yes Yes Yes Yes Yes No No No DH or ECDH is used for key establishment of IPsec connections, Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography preferably 384-bit random ECP group, 3072-bit MODP Group or traffic production environments as well or service Not Assessed Not Assessed Not Assessed
4096-bit MODP Group. as customer systems
Guidelines for Internet Protocol Security Security association ISM-0498 4 Mar-22 Yes Yes Yes Yes Yes No No No A security association lifetime of less than four hours (14400 Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography lifetimes seconds) is used for IPsec connections. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Internet Protocol Security Perfect Forward Secrecy ISM-1000 4 Sep-18 Yes Yes Yes Yes Yes No No No PFS is used for IPsec connections. Applicable to administrative Applicable to common cloud Applicable if different per system
Cryptography traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways Implementing gateways ISM-0628 6 Mar-22 Yes Yes Yes Yes Yes No No No Gateways are implemented between networks belonging to Applicable to administrative Applicable to common cloud Applicable if different per system
different security domains. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways Implementing gateways ISM-0637 6 Mar-22 Yes Yes Yes Yes Yes No No No Gateways implement a demilitarised zone if external parties Applicable to administrative Applicable to common cloud Applicable if different per system
require access to an organisation’s services. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways Implementing gateways ISM-0631 7 Mar-22 Yes Yes Yes Yes Yes No No No Gateways only allow explicitly authorised data flows. Applicable where there is a Applicable Applicable if different per system
defined boundary between the or service
administrative environment and Not Assessed Not Assessed Not Assessed
the corporate network

Guidelines for Gateways Gateways Implementing gateways ISM-1192 3 Mar-22 Yes Yes Yes Yes Yes No No No Gateways inspect and filter data flows at the transport and above Applicable to administrative Applicable to common cloud Applicable if different per system
network layers. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways Implementing gateways ISM-1427 3 Mar-22 Yes Yes Yes Yes Yes No No No Gateways perform ingress traffic filtering to detect and prevent IP Applicable to administrative Applicable to common cloud Applicable if different per system
source address spoofing. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways System administrators for ISM-1520 3 Sep-23 Yes Yes Yes Yes Yes No No No System administrators for gateways undergo appropriate Not applicable as it relates to the Applicable Applicable if different per system
gateways employment screening, and where necessary hold an appropriate governance of the CSP and or service
security clearance, based on the sensitivity or classification of should be captured by the Not Assessed Not Assessed Not Assessed
gateways. common controls

Guidelines for Gateways Gateways System administrators for ISM-0613 6 Mar-22 No No No Yes Yes No No No System administrators for gateways that connect to Australian Eyes Not applicable as it relates to the Applicable Applicable if different per system
gateways Only or Releasable To networks are Australian nationals. governance of the CSP and or service
should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Gateways Gateways System administrators for ISM-1773 0 Mar-22 No No No Yes Yes No No No System administrators for gateways that connect to Australian Not applicable as it relates to the Applicable Applicable if different per system
gateways Government Access Only networks are Australian nationals or governance of the CSP and or service
seconded foreign nationals. should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Gateways Gateways System administrators for ISM-0611 5 Mar-22 Yes Yes Yes Yes Yes No No No System administrators for gateways are assigned the minimum Applicable to administrative Applicable to common cloud Applicable if different per system
gateways privileges required to perform their duties. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways System administrators for ISM-0616 5 Mar-22 Yes Yes Yes Yes Yes No No No Separation of duties is implemented in performing administrative Not applicable as it relates to the Applicable Applicable if different per system
gateways activities for gateways. governance of the CSP and or service
should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Gateways Gateways System administrators for ISM-0612 5 Mar-22 Yes Yes Yes Yes Yes No No No System administrators for gateways are formally trained on the Not applicable as it relates to the Applicable Applicable if different per system
gateways operation and management of gateways. governance of the CSP and or service
should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Gateways Gateways System administration of ISM-1774 0 Mar-22 Yes Yes Yes Yes Yes No No No Gateways are managed via a secure path isolated from all Not applicable as it relates to the Applicable Applicable if different per system
gateways connected networks. governance of the CSP and or service
should be captured by the Not Assessed Not Assessed Not Assessed
common controls

Guidelines for Gateways Gateways System administration of ISM-0629 5 Dec-23 Yes Yes Yes Yes Yes No No No For gateways between networks belonging to different security Applicable where there is a Applicable Applicable if different per system
gateways domains, any shared components are managed by system defined boundary between the or service
administrators for the higher security domain or by system administrative environment and
administrators from a mutually agreed upon third party. the corporate network Not Assessed Not Assessed Not Assessed

Guidelines for Gateways Gateways Authenticating to ISM-0619 6 Mar-22 Yes Yes Yes Yes Yes No No No Users authenticate to other networks accessed via gateways. Applicable to administrative Applicable to common cloud Applicable if different per system
networks accessed via traffic production environments as well or service Not Assessed Not Assessed Not Assessed
gateways as customer systems
Guidelines for Gateways Gateways Authenticating to ISM-0622 7 Jun-24 Yes Yes Yes Yes Yes No No No IT equipment authenticates to other networks accessed via Applicable to administrative Applicable to common cloud Applicable if different per system
networks accessed via gateways. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
gateways as customer systems
Guidelines for Gateways Gateways Border Gateway Protocol ISM-1783 0 Jun-22 Yes Yes Yes Yes Yes No No No Public IP addresses controlled by, or used by, an organisation are Applicable to administrative Applicable to common cloud Applicable if different per system
route security signed by valid ROA records. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Gateways Gateway event logging ISM-0634 11 Sep-24 Yes Yes Yes Yes Yes No No No Security-relevant events for gateways are centrally logged, Applicable where there is a Applicable Applicable if different per system
including: defined boundary between the or service
• data packets and data flows permitted through gateways administrative environment and
• data packets and data flows attempting to leave gateways the corporate network Not Assessed Not Assessed Not Assessed
• real-time alerts for attempted intrusions.

Guidelines for Gateways Gateways Assessment of gateways ISM-1037 6 Jun-22 Yes Yes Yes Yes Yes No No No Gateways undergo testing following configuration changes, and at Applicable to administrative Applicable to common cloud Applicable if different per system
regular intervals no more than six months apart, to validate they traffic production environments as well or service Not Assessed Not Assessed Not Assessed
conform to expected security configurations. as customer systems
Guidelines for Gateways Gateways Assessment of gateways ISM-0100 11 Jun-22 Yes Yes Yes Yes Yes No No No Gateways undergo a security assessment by an IRAP assessor at Applicable to administrative Applicable to common cloud Applicable if different per system
least every 24 months. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Implementing Cross ISM-0626 6 Mar-22 No No No Yes Yes No No No CDSs are implemented between SECRET or TOP SECRET networks Applicable to administrative Applicable to common cloud Applicable if different per system
Domain Solutions and any other networks belonging to different security domains. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Consultation on Cross ISM-0597 8 Sep-23 No No No Yes Yes No No No When planning, designing, implementing or introducing additional Applicable to administrative Applicable to common cloud Applicable if different per system
Domain Solutions connectivity to CDSs, ASD is consulted and any directions provided traffic production environments as well or service Not Assessed Not Assessed Not Assessed
by ASD are complied with. as customer systems
Guidelines for Gateways Cross Domain Solutions Separation of data flows ISM-0635 7 Mar-22 No No No Yes Yes No No No CDSs implement isolated upward and downward network paths. Applicable to administrative Applicable to common cloud Applicable if different per system
traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Separation of data flows ISM-1522 3 Mar-22 No No No Yes Yes No No No CDSs implement independent security-enforcing functions for Applicable to administrative Applicable to common cloud Applicable if different per system
upward and downward network paths. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Separation of data flows ISM-1521 3 Mar-22 No No No Yes Yes No No No CDSs implement protocol breaks at each network layer. Applicable to administrative Applicable to common cloud Applicable if different per system
traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Cross Domain Solution ISM-0670 7 Sep-24 No No No Yes Yes No No No Security-relevant events for CDSs are centrally logged. Applicable to administrative Applicable to common cloud Applicable if different per system
event logging traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Cross Domain Solutions Cross Domain Solution ISM-1523 1 Mar-22 No No No Yes Yes No No No A sample of security-relevant events relating to data transfer Applicable to administrative Applicable to common cloud Applicable if different per system
event logging policies are taken at least every three months and assessed against traffic production environments as well or service
security policies for CDSs to identify any operational failures. as customer systems Not Assessed Not Assessed Not Assessed

Guidelines for Gateways Cross Domain Solutions User training ISM-0610 8 Mar-22 No No No Yes Yes No No No Users are trained on the secure use of CDSs before access is Applicable to administrative Applicable to common cloud Applicable if different per system
granted. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Firewalls Using firewalls ISM-1528 3 Mar-22 Yes Yes Yes Yes Yes No No No Evaluated firewalls are used between an organisation’s networks Applicable to administrative Applicable to common cloud Applicable if different per system
and public network infrastructure. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Firewalls Using firewalls ISM-0639 9 Mar-22 Yes Yes Yes Yes Yes No No No Evaluated firewalls are used between networks belonging to Applicable to administrative Applicable to common cloud Applicable if different per system
different security domains. traffic production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Diodes Using diodes ISM-0643 7 Mar-22 Yes Yes Yes Yes Yes No No No Evaluated diodes are used for controlling the data flow of Applicable where diodes are Applicable where diodes are Not applicable as it is highly likely
unidirectional gateways between an organisation’s networks and used used common infrastructure is used
public network infrastructure. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Gateways Diodes Using diodes ISM-0645 7 Mar-22 No No No Yes Yes No No No Evaluated diodes used for controlling the data flow of Applicable where diodes are Applicable where diodes are Not applicable as it is highly likely
unidirectional gateways between SECRET or TOP SECRET networks used used common infrastructure is used
and public network infrastructure complete a high assurance across different services Not Assessed Not Assessed Not Assessed
evaluation.

Guidelines for Gateways Diodes Using diodes ISM-1157 5 Mar-22 Yes Yes Yes Yes Yes No No No Evaluated diodes are used for controlling the data flow of Applicable where diodes are Applicable where diodes are Not applicable as it is highly likely
unidirectional gateways between networks. used used common infrastructure is used
across different services Not Assessed Not Assessed Not Assessed

Guidelines for Gateways Diodes Using diodes ISM-1158 6 Mar-22 No No No Yes Yes No No No Evaluated diodes used for controlling the data flow of Applicable where diodes are Applicable where diodes are Not applicable as it is highly likely
unidirectional gateways between SECRET or TOP SECRET networks used used common infrastructure is used
and any other networks complete a high assurance evaluation. across different services Not Assessed Not Assessed Not Assessed

Guidelines for Gateways Web proxies Web usage policy ISM-0258 4 Dec-22 Yes Yes Yes Yes Yes No No No A web usage policy is developed, implemented and maintained. Applicable where administrative Applicable to personnel using Applicable if different per system
endpoints have web access and supporting the or service Not Assessed Not Assessed Not Assessed
administration environment
Guidelines for Gateways Web proxies Using web proxies ISM-0260 3 Mar-22 Yes Yes Yes Yes Yes No No No All web access, including that by internal servers, is conducted Applicable where administrative Applicable to common cloud Applicable if different per system
through web proxies. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Web proxies Web proxy event logging ISM-0261 6 Dec-23 Yes Yes Yes Yes Yes No No No The following details are centrally logged for websites accessed via Applicable where administrative Applicable to common cloud Applicable if different per system
web proxies: endpoints have web access production environments as well or service
• web address as customer systems
• date and time
• user Not Assessed Not Assessed Not Assessed
• amount of data uploaded and downloaded
• internal and external IP addresses.

Guidelines for Gateways Web content filters Using web content filters ISM-0963 7 Dec-22 Yes Yes Yes Yes Yes No No No Web content filtering is implemented to filter potentially harmful Applicable where administrative Applicable to common cloud Applicable if different per system
web-based content. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Web content filters Using web content filters ISM-0961 8 Mar-22 Yes Yes Yes Yes Yes No No No Client-side active content is restricted by web content filters to an Applicable where administrative Applicable to common cloud Applicable if different per system
organisation-approved list of domain names. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Web content filters Using web content filters ISM-1237 2 Mar-22 Yes Yes Yes Yes Yes No No No Web content filtering is applied to outbound web traffic where Applicable where administrative Applicable to common cloud Applicable if different per system
appropriate. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Web content filters Transport Layer Security ISM-0263 8 Mar-22 Yes Yes Yes Yes Yes No No No TLS traffic communicated through gateways is decrypted and Applicable where administrative Applicable to common cloud Applicable if different per system
filtering inspected. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Web content filters Allowing and blocking ISM-0958 8 Mar-22 Yes Yes Yes Yes Yes No No No An organisation-approved list of domain names, or list of website Applicable where administrative Applicable to common cloud Applicable if different per system
access to domain names categories, is implemented for all Hypertext Transfer Protocol and endpoints have web access production environments as well or service
Hypertext Transfer Protocol Secure traffic communicated through as customer systems Not Assessed Not Assessed Not Assessed
gateways.

Guidelines for Gateways Web content filters Allowing and blocking ISM-1236 2 Mar-22 Yes Yes Yes Yes Yes No No No Malicious domain names, dynamic domain names and domain Applicable where administrative Applicable to common cloud Applicable if different per system
access to domain names names that can be registered anonymously for free are blocked by endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
web content filters. as customer systems
Guidelines for Gateways Web content filters Allowing and blocking ISM-1171 2 Mar-22 Yes Yes Yes Yes Yes No No No Attempts to access websites through their IP addresses instead of Applicable where administrative Applicable to common cloud Applicable if different per system
access to domain names their domain names are blocked by web content filters. endpoints have web access production environments as well or service Not Assessed Not Assessed Not Assessed
as customer systems
Guidelines for Gateways Content filtering Performing content ISM-0659 6 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo content Applicable to administrative Applicable to common cloud Applicable if different per system
filtering filtering checks. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Performing content ISM-0651 5 Mar-22 Yes Yes Yes Yes Yes No No No Files identified by content filtering checks as malicious, or that Applicable to administrative Applicable to common cloud Applicable if different per system
filtering cannot be inspected, are blocked. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Performing content ISM-0652 3 Mar-22 Yes Yes Yes Yes Yes No No No Files identified by content filtering checks as suspicious are Applicable to administrative Applicable to common cloud Applicable if different per system
filtering quarantined until reviewed and subsequently approved or not traffic and web traffic where the production environments as well or service
approved for release. administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Performing content ISM-1524 2 Mar-22 No No No Yes Yes No No No Content filters used by CDSs undergo rigorous security testing to Applicable to administrative Applicable to common cloud Applicable if different per system
filtering ensure they perform as expected and cannot be bypassed. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Encrypted files ISM-1293 2 Mar-22 Yes Yes Yes Yes Yes No No No Encrypted files imported or exported via gateways or CDSs are Applicable to administrative Applicable to common cloud Applicable if different per system
decrypted in order to undergo content filtering checks. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Archive files ISM-1289 2 Mar-22 Yes Yes Yes Yes Yes No No No Archive files imported or exported via gateways or CDSs are Applicable to administrative Applicable to common cloud Applicable if different per system
unpacked in order to undergo content filtering checks. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Archive files ISM-1290 2 Mar-22 Yes Yes Yes Yes Yes No No No Archive files are unpacked in a controlled manner to ensure Applicable to administrative Applicable to common cloud Applicable if different per system
content filter performance or availability is not adversely affected. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Antivirus scanning ISM-1288 2 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo antivirus Applicable to administrative Applicable to common cloud Applicable if different per system
scanning using multiple different scanning engines. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Automated dynamic ISM-1389 2 Mar-22 Yes Yes Yes Yes Yes No No No Executable files imported via gateways or CDSs are automatically Applicable to administrative Applicable to common cloud Applicable if different per system
analysis executed in a sandbox to detect any suspicious behaviour. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Allowing specific content ISM-0649 8 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs are filtered for Applicable to administrative Applicable to common cloud Applicable if different per system
types allowed file types. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Content validation ISM-1284 3 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo content Applicable to administrative Applicable to common cloud Applicable if different per system
validation. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Content checking ISM-1965 0 Sep-24 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo content Applicable to administrative Applicable to common cloud Applicable if different per system
checking. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Content conversion ISM-1286 2 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo content Applicable to administrative Applicable to common cloud Applicable if different per system
conversion. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Content sanitisation ISM-1287 2 Mar-22 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs undergo content Applicable to administrative Applicable to common cloud Applicable if different per system
sanitisation. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Content filtering Validating file integrity ISM-0677 7 Mar-23 Yes Yes Yes Yes Yes No No No Files imported or exported via gateways or CDSs that have a digital Applicable to administrative Applicable to common cloud Applicable if different per system
signature or cryptographic checksum are validated. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Gateways Peripheral switches Using peripheral switches ISM-0591 8 Mar-22 Yes Yes Yes Yes Yes No No No Evaluated peripheral switches are used when sharing peripherals Applicable where peripheral Not applicable as it relates to Not applicable as it relates to
between systems. switches are used customer systems customer systems Not Assessed Not Assessed Not Assessed
Guidelines for Gateways Peripheral switches Using peripheral switches ISM-1457 4 Mar-22 No No No Yes Yes No No No Evaluated peripheral switches used for sharing peripherals Applicable where peripheral Not applicable as it relates to Not applicable as it relates to
between SECRET and TOP SECRET systems, or between SECRET or switches are used customer systems customer systems
TOP SECRET systems belonging to different security domains, Not Assessed Not Assessed Not Assessed
preferably complete a high assurance evaluation.

Guidelines for Gateways Peripheral switches Using peripheral switches ISM-1480 2 Mar-22 No No No Yes Yes No No No Evaluated peripheral switches used for sharing peripherals Applicable where peripheral Not applicable as it relates to Not applicable as it relates to
between SECRET or TOP SECRET systems and any non-SECRET or switches are used customer systems customer systems
TOP SECRET systems complete a high assurance evaluation. Not Assessed Not Assessed Not Assessed

Guidelines for Data Data transfers Data transfer processes ISM-0663 7 Dec-22 Yes Yes Yes Yes Yes No No No Data transfer processes, and supporting data transfer procedures, Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers and procedures are developed, implemented and maintained. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access
Guidelines for Data Data transfers Data transfer processes ISM-1535 6 Jun-24 No No No Yes Yes No No No Processes, and supporting procedures, are developed, Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers and procedures implemented and maintained to prevent AUSTEO, AGAO and REL traffic and web traffic where the production environments as well or service
data in textual and non-textual formats from being exported to administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
unsuitable foreign systems. web or email access

Guidelines for Data Data transfers User responsibilities ISM-0661 8 Mar-22 Yes Yes Yes Yes Yes No No No Users transferring data to and from systems are held accountable Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers for data transfers they perform. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Manual import of data ISM-0657 6 Mar-22 Yes Yes Yes Yes Yes No No No When manually importing data to systems, the data is scanned for Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers malicious and active content. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Manual import of data ISM-1778 0 Mar-22 Yes Yes Yes Yes Yes No No No When manually importing data to systems, all data that fails Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers security checks is quarantined until reviewed and subsequently traffic and web traffic where the production environments as well or service
approved or not approved for release. administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Authorising export of ISM-0664 7 Mar-22 No No No Yes Yes No No No Data exported from SECRET and TOP SECRET systems is reviewed Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers data and authorised by a trusted source beforehand. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Authorising export of ISM-0675 6 Mar-22 No No No Yes Yes No No No Data authorised for export from SECRET and TOP SECRET systems is Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers data digitally signed by a trusted source. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Authorising export of ISM-0665 7 Jun-23 No No No Yes Yes No No No Trusted sources for SECRET and TOP SECRET systems are limited to Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers data people and services that have been authorised as such by the Chief traffic and web traffic where the production environments as well or service
Information Security Officer. administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Manual export of data ISM-1187 3 Mar-22 Yes Yes Yes Yes Yes No No No When manually exporting data from systems, the data is checked Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers for unsuitable protective markings. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Manual export of data ISM-0669 6 Dec-22 No No No Yes Yes No No No When manually exporting data from SECRET and TOP SECRET Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers systems, digital signatures are validated and keyword checks are traffic and web traffic where the production environments as well or service
performed within all textual data. administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Manual export of data ISM-1779 0 Mar-22 Yes Yes Yes Yes Yes No No No When manually exporting data from systems, all data that fails Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers security checks is quarantined until reviewed and subsequently traffic and web traffic where the production environments as well or service
approved or not approved for release. administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Monitoring data import ISM-1586 0 Aug-20 Yes Yes Yes Yes Yes No No No Data transfer logs are used to record all data imports and exports Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers and export from systems. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Monitoring data import ISM-1294 5 Mar-22 Yes Yes Yes Yes Yes No No No Data transfer logs for systems are partially verified at least Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers and export monthly. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access

Guidelines for Data Data transfers Monitoring data import ISM-0660 9 Mar-22 No No No Yes Yes No No No Data transfer logs for SECRET and TOP SECRET systems are fully Applicable to administrative Applicable to common cloud Applicable if different per system
Transfers and export verified at least monthly. traffic and web traffic where the production environments as well or service
administrative endpoints have as customer systems Not Assessed Not Assessed Not Assessed
web or email access