ACSC Information Security Manual (ISM) compliance for Australian government entities and their suppliers
The Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) is the cyber security framework for Australian government entities and their suppliers. It is updated quarterly by ACSC within the Australian Signals Directorate. This guide sets out 10 core ISM obligations — governance, risk management, system certification, Essential Eight, cryptography, and event logging — across the four ISM principles of govern, protect, detect, and respond.
Coverage
- Commonwealth government entities under the Protective Security Policy Framework (PSPF)
- State and territory agencies that have adopted the ISM
- Suppliers and service providers handling Australian Government information, including DISP members
- Any organisation choosing to align to the ISM as best practice
Legal basis
- ACSC Information Security Manual (quarterly release)
- Protective Security Policy Framework (PSPF Policy 10 — Safeguarding Information from Cyber Threats)
- Public Governance, Performance and Accountability Act 2013 (Cth)
- Security of Critical Infrastructure Act 2018 (Cth) and the CIRMP Rules 2023 (which recognise ISM-aligned frameworks)
The obligations
Establish cyber security governance with a Chief Information Security Officer
Designate a CISO (or equivalent) with responsibility for cyber security strategy, risk management, and reporting. The CISO must have sufficient authority and visibility into system security.
Apply the cyber security risk management framework
Identify, analyse, evaluate, treat, and monitor cyber security risks using a documented framework (e.g. ISO 31000 or NIST RMF). Risks must be owned and reviewed at least annually.
Certify and accredit systems before go-live
Systems handling Australian Government information must be assessed against ISM controls and granted an authority to operate (ATO) by the accountable authority before go-live. Re-accreditation is required on any material change to the system.
Implement the Essential Eight mitigation strategies
Mitigation strategies — application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups — must be implemented at the required maturity level.
Use approved cryptography
Cryptographic algorithms, modes, and key management must align to the ISM Cryptography guidelines. Australian Cryptographic Module Program (ACMP) evaluated products are required for classified information.
Configure event logging and retain logs
Event logs must be generated, stored, protected, and reviewed in line with the ISM. Retention periods vary by system classification and use case — commonly 7 years for security-relevant events.
Classify and handle information appropriately
Information must be classified (OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET) and handled using controls calibrated to the classification. Markings, storage, transmission, and destruction all follow the classification.
Establish cyber security incident response capability
Document an incident response plan, appoint an incident response team, test the plan at least annually, and integrate reporting to the ACSC and other regulators (e.g. OAIC, CISC).
Conduct vulnerability management and patch management
Identify vulnerabilities via scanning, prioritise based on exploitability and criticality, patch within ISM-specified timeframes (48 hours for critical, 2 weeks to 1 month for others), and verify patches.
Manage third-party and supply chain cyber risk
Assess suppliers against ISM-aligned security requirements before onboarding and throughout the contract. Include rights of audit, incident notification, and data return clauses in supplier contracts.
What happens if you do not comply
ISM compliance is enforced via the PSPF for Commonwealth agencies — non-compliance is reported in annual PSPF assessments. For suppliers, non-compliance may breach contract, lead to loss of DISP membership, or trigger SOCI Act enforcement where the entity operates critical infrastructure. Data breaches can attract Privacy Act and NDB penalties.
Reporting requirements
- Annual PSPF compliance assessment to the Attorney-General's Department
- Cyber security incidents reported to the ACSC via ReportCyber
- SOCI Act cyber incidents reported within 12 or 72 hours, depending on impact
- PGPA Act annual reporting on cyber risk where material
What firms should do today
- Map each ISM control family to a documented policy, system owner, and evidence artefact
- Move from Essential Eight maturity baseline to the required level on a phased plan
- Introduce a quarterly ISM update review — ACSC releases changes regularly
- Test the incident response plan against a realistic scenario at least annually
- Consolidate vulnerability management onto a single tool with SLA-aligned patch workflows
- Include ISM-equivalent clauses in every supplier contract handling Australian Government information
Compliance with Quillio
Quillio drafts ISM-aligned security policies, incident response plans, supplier security schedules, and Essential Eight uplift plans mapped to the current ISM release. Australian-hosted infrastructure aligns with ISM principles and does not export data offshore. See /resources/security or start a free trial.
This guide is general information about the ACSC Information Security Manual — not legal or cyber security advice. ISM is updated quarterly and controls are system-specific. Obtain specialist cyber security advice before certifying a system or concluding an Essential Eight maturity level.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no sales call.