Understanding ISM controls and the PSPF

The Information Security Manual (ISM) is the Australian Government’s cyber security framework, produced by the Australian Signals Directorate through the Australian Cyber Security Centre. It sets out a risk-based set of controls that organisations apply, through their own risk management, to protect their systems and the information they hold. The ISM is maintained as a living document and updated regularly.

For Australian Government entities, ISM controls do not stand alone. They support the technology and information requirements of the Protective Security Policy Framework, administered by the Department of Home Affairs. The PSPF sets protective security policy and outcomes across its security domains, and the ISM provides the detailed cyber guidance that underpins the technology and information domains. Read together, they keep cyber security connected to governance rather than treated in isolation.

Because the ISM is risk-based, the right starting point is a clear understanding of the threats and priorities the controls are meant to address. A sound security risk assessment establishes that picture, and for critical infrastructure operators the same risk logic flows through to obligations under the critical infrastructure regime, where cyber and information security is one of the hazard categories that must be managed.

Agilient helps organisations understand where ISM controls fit within their wider security and governance posture, and how they connect to the PSPF, personnel security and physical security. Agilient’s focus is governance and protective security advice: setting the framework, the risk picture and the priorities. Agilient does not present itself as an ISM or IRAP assessor; formal ISM assessments are conducted by accredited assessors.

For a fuller explanation of how the ISM sits alongside the PSPF and your security risk posture, see Agilient’s guide on how the ISM fits the PSPF. To discuss your governance obligations, contact Agilient.