How the ISM Fits the PSPF and Your Security Risk Posture

The Information Security Manual (ISM) is the Australian Government’s cyber security framework, and it works hand in hand with the Protective Security Policy Framework (PSPF). Understanding where the ISM sits helps a security leader connect technical controls to governance obligations and to the organisation’s overall security risk posture, rather than treating cyber security as a separate silo.

Key takeaways

  • The ISM is produced by the Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC).
  • It sets out a risk-based cyber security framework that organisations apply through their own risk management.
  • The PSPF sets the protective security policy and outcomes; the ISM provides the supporting cyber controls.
  • The ISM is applied on a risk basis, not as a fixed checklist.
  • This page is an explainer; it is not control-by-control implementation advice.

What is the Information Security Manual?

The Information Security Manual is a cyber security framework published by the Australian Signals Directorate through the Australian Cyber Security Centre. It is intended to be used by organisations, applying their own risk management framework, to help protect their systems and the information they hold from cyber threats. It is maintained as a living document and updated regularly [1].

How does the ISM relate to the PSPF?

The two frameworks are complementary. The PSPF sets out what good protective security looks like for Commonwealth entities across six domains, including technology and information. The ISM provides the detailed cyber security guidance that supports those technology and information outcomes. In practice, an entity uses the PSPF to set policy and accountability, and the ISM to inform how it protects the systems that hold official information. Treating them together, rather than in isolation, is what keeps cyber security connected to governance.

Where the ISM sits in your security risk posture

The ISM is built on a risk-based approach. Rather than mandating a single fixed configuration for every organisation, it expects an entity to select and apply controls according to the risks it faces and the sensitivity of the systems involved. That makes a sound security risk assessment the natural starting point: it establishes the threats, the assets and the priorities that should drive which technical measures matter most. For critical infrastructure operators, the same risk logic flows through to obligations under the critical infrastructure regime, where cyber and information security is one of the hazard categories that must be managed.

Common misunderstandings

A frequent mistake is to read the ISM as a compliance checklist to be ticked once. It is guidance to be applied continuously and on a risk basis, and it changes as the threat environment does. Another is to separate it from the PSPF entirely, when the value comes from connecting the technical controls to the governance and accountability the PSPF requires.

How Agilient can assist

Agilient helps organisations understand how the ISM fits alongside the PSPF and their wider security risk posture, and how cyber considerations connect to governance, personnel and physical security. Agilient’s focus is governance and protective security advice: setting the framework, the risk picture and the priorities. To be clear, Agilient does not present itself as an ISM or IRAP assessor and this page is not a substitute for a formal assessment. Where a technical ISM assessment is required, that is performed by an accredited assessor.

To connect cyber to your governance posture, explore protective security consulting or book a short briefing.

Frequently asked questions

Who produces the ISM?

The Information Security Manual is produced by the Australian Signals Directorate, through the Australian Cyber Security Centre.

Is the ISM mandatory?

The ISM is guidance applied on a risk basis. Commonwealth entities address cyber security through the PSPF, which draws on the ISM for technical guidance; how strictly it applies depends on the entity and its obligations.

How is the ISM different from the PSPF?

The PSPF is the overarching protective security policy framework covering governance, risk, information, technology, personnel and physical security. The ISM is the cyber security framework that supports the technology and information aspects.

Does Agilient perform ISM or IRAP assessments?

No. Agilient provides governance and protective security advice on how the ISM fits your posture. Formal ISM assessments are conducted by accredited assessors.

References

  1. Australian Signals Directorate, Australian Cyber Security Centre, Information Security Manual, cyber.gov.au