Skip to main content

Here in the second edition of our series on cybersecurity we at Securus Consulting Group remain key to the top-of-mind leadership in national institutions when it comes to cybersecurity. Today we look at the granular controls from a central policy framework through which we can all come to understand how to contribute to keeping our security community safe.

For those who are new to using the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) understanding some of the metadata associated with an ISM control can be challenging. Far more for those unfamiliar with the guidance or working in the Australian Government we can show you how to decode this information to get the most value of out of the ISM guidance.

Controls that are more relevant to government audiences

By visual inspection of the applicability tags, we can figure out that this control is more relevant to government audiences.

Control: ISM-000x; Revision: 5; Updated: Dec-21; Applicability: O, P, S, TS; Essential Eight: N/A

For those not having worked in government, the applicability tags might not at once leap out as classifications. These classifications come from the Attorney-General’s Department’s Protective Policy Security Framework in Policy 8.

Security controls with these markings are suitable for government audiences that deal with the stated classification ranges.

Controls that are more relevant to wider audience

However, now let us look at this control where there are no classifications listed:

Control: ISM-000x; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A

In the December 2021 release, the ISM changes document states that:

“Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.

Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.” – ISM, ACSC.gov.au

We see that some security controls with these markings are suitable for a much wider audience and many of these controls can be considered good cyber security hygiene.

Essential Eight Maturity Model guidance in the ISM

One final example.

Control: ISM-000x; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3

The ISM reflects Essential Eight Maturity Level 2 and Maturity Level 3 guidance in the controls. Note that some of these may not be verbatim and a reading of preceding explanatory text may clear things up.

Maturity Level 1 controls don’t feature in the ISM. One pragmatic approach might involve placing Implementation comments against the closest Maturity Level 2 guidance. If the assessment focusses on the Essential Eight, there are more resources available in the Essential Eight Assessment Process Guide | Cyber.gov.au.

Summary

In these examples we’ve gone through how the ISM metadata can help focus the attention of the implementer and assessor alike, through applicability markings and associated audiences. Practicing ready recognition of these markings throughout your cybersecurity efforts will help you accurately interpret controls quickly.