What the ISM does
The ISM outlines mandatory information security controls for Australian Government agencies and contractors handling Australian Government data. It’s structured around security domains, providing a detailed framework for protecting information and systems at varying classification levels. The manual is designed to be risk-based, allowing organisations to tailor implementation based on their specific context and the sensitivity of the information they manage. The ISM’s controls are far more granular than those found in the Essential Eight.
ISM in Australian tenants today
Many AU mid-market organisations in critical infrastructure, healthcare (particularly those involved with My Health Record), and those undergoing IRAP assessments will be familiar with the ISM. Defence and other Federal Government entities are required to adhere to it. Mapping ISM controls to Microsoft 365 can be achieved through Microsoft Compliance Manager, though a direct, automated mapping isn't always possible, requiring careful analysis and configuration. ISM alignment does double duty: the same controls support APRA CPS 234 compliance and satisfy much of what the ACSC expects of a well-run tenant.