Many of us eagerly await each new release of the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM) and scan it for changes to the security controls; however, does anyone stop at the front of the publication? There you will find the Cyber Security Principles, which provide strategic guidance on how an organisation can protect its systems and data from cyber threats.

These principles are broken down into four categories, which have some commonality with the categories in the NIST Cyber Security Framework.

• Govern
• Detect
• Protect
• Respond

Some ISM controls may appear oddly specific or Microsoft Windows centric. It can be worthwhile to read the explanatory paragraph accompanying a security control and draw on a cyber security principle when further guidance is needed.

In an Australian Government context, protective security principles and governance are provided by a policy framework known as the Attorney-General's Department's Protective Security Policy Framework (PSPF), where Policy 11 for robust ICT systems sets out this key requirement:

Each entity must ensure the secure operation of their ICT systems to safeguard their information and data and the continuous delivery of government business by applying the Information Security Manual's cyber security principles during all stages of the lifecycle of each system.

This is a notable link between the PSPF and the ISM: the cyber security principles are core requirements of PSPF Policy 11, and the PSPF in turn requires the appropriate implementation of effective security controls from the ISM. In reality, many government projects implement ISM controls from the outset without any consideration of the core PSPF requirements.

Consider dwelling longer on how the Cyber Security Principles can work to secure your next project before moving on to specific security controls. Focussing on the Cyber Security Principles gives your project a sound foundation and offers stability as ISM controls are added, amended or rescinded.

See the ISM Cyber Security Principles here: Cyber Security Principles