ISM

Information Security Manual compliance

ISM-aligned control assessment, documentation, and implementation support for Australian organisations managing classified or sensitive information.

AGSVA Cleared Team • Canberra-Based • ISM-Experienced

ISM Control Assessment

Assessment Status

Information Security Governance: Compliant ✓
Personnel Security: Compliant ✓
Communications Security: Gap Identified
System Hardening: Compliant ✓
Access Control: In Review

The challenge

Why ISM compliance matters

Hundreds of controls

The ISM contains hundreds of security controls across multiple domains. Determining which apply to your environment and how to evidence compliance is a significant task.

Constantly evolving

The ISM is updated regularly by ASD. Keeping pace with changes and understanding their impact on your compliance posture requires ongoing attention.

Mapping to other frameworks

You may already have controls in place for Essential Eight, PSPF, or DSPF. Understanding where ISM overlaps — and where it doesn't — avoids duplicated effort.

What you get

What's included in ISM Compliance

ISM control applicability assessment

We determine which ISM controls apply to your systems based on classification level, deployment model, and operational context.

Gap analysis and compliance report

Detailed assessment of your current control posture against applicable ISM requirements.

Control implementation guidance

Practical recommendations for implementing or remediating ISM controls in your specific environment.

Policy and documentation support

Security documentation aligned to ISM requirements, including system security plans and operating procedures.

Framework mapping

Clear mapping between ISM controls and your existing compliance obligations (E8, PSPF, DSPF) to identify overlap and reduce effort.

Right for you

Who should consider ISM compliance assessment

DISP-registered organisations

ISM compliance underpins your DISP cyber security requirements. We help you understand and evidence the specific ISM controls relevant to your membership level.

Government service providers

Your government clients expect ISM-aligned security. We help you demonstrate compliance and manage the ongoing control assessment cycle.

Deep-tech and defence technology

You're building systems or platforms for classified environments. ISM compliance is foundational to your security assurance.

Common questions

Frequently asked questions

How does the ISM relate to Essential Eight?

The Essential Eight is a subset of ISM mitigation strategies prioritised by ASD for baseline cyber resilience. ISM compliance is broader, covering governance, personnel security, communications security, and more. Achieving E8 ML2 addresses a significant portion of your ISM cyber requirements.

Do we need to comply with every ISM control?

No. ISM control applicability depends on your system's classification level, deployment model, and operational context. We help you determine exactly which controls apply and focus your effort where it matters.

How often does the ISM change?

ASD updates the ISM regularly — typically multiple times per year. Our advisory services help you stay across changes and assess their impact on your compliance posture.

Get started

Need help with ISM compliance?

Talk to our team about your ISM requirements and compliance obligations.

Canberra-based • AGSVA cleared • ISM-experienced