Frontrow Technology

Cyber & compliance frameworks

ASD Information Security Manual (ISM) – Australian Government Guidance

The Australian Signals Directorate’s Information Security Manual (ISM) provides comprehensive security controls for Australian Government entities and those handling sensitive information, going beyond the Essential Eight.

Last reviewed 23 May 2026

What the ISM does

The ISM outlines mandatory information security controls for Australian Government agencies and contractors handling Australian Government data. It’s structured around security domains, providing a detailed framework for protecting information and systems at varying classification levels. The manual is designed to be risk-based, allowing organisations to tailor implementation based on their specific context and the sensitivity of the information they manage. The ISM’s controls are far more granular than those found in the Essential Eight.

ISM in Australian tenants today

Many Australian mid-market organisations in critical infrastructure and healthcare (particularly those involved with My Health Record), as well as those undergoing IRAP assessments, will be familiar with the ISM. Defence and other Federal Government entities are required to adhere to it. ISM controls can be mapped to Microsoft 365 through Microsoft Compliance Manager, though a direct, automated mapping isn't always possible, so careful analysis and configuration are required. Alignment with the ISM demonstrates a commitment to robust security practices, supporting compliance with APRA CPS 234 and contributing to a stronger cybersecurity posture as outlined by the ACSC.
