Skip to content

ACSC ISM March 2023

Best for: Australian Government agencies and ICT contractors handling data at OFFICIAL, PROTECTED, or SECRET classification levels must align with the ISM. Cloud providers, managed service providers, and software vendors with government contracts will typically face ISM alignment requirements, often enforced through an IRAP assessment. Critical infrastructure operators under the SOCI Act 2018 also frequently adopt this framework.

Mandatory?Mandatory for Australian government entities
Who validates?Self-assessment; IRAP assessors for higher classifications
RenewalAnnual; updated quarterly by ACSC
ScopeInformation and systems across Australian government

๐Ÿ› Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) ยท ACSC ISM March 2023 Official source โ†’

Get Started

module "..." {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Logging and Audit Trail Completeness: 8 controls covering CloudTrail data event logging for S3 (read and write), CloudWatch log integration, and service-level logging for ELB, CodeBuild, DocumentDB, and Elasticsearch. Each maps to ISM event logging requirements.
    • Encryption and Cryptographic Standards: 4 controls: ACM certificate key lengths (RSA 2048+), deprecated SSL/TLS protocol usage on CloudFront, root CA status in AWS Private CA, and KMS-based encryption of EKS secrets.
    • Identity and Access Management: 3 controls flagging empty IAM groups, inline policies attached to groups, users, or roles, and administrative privilege grants via inline policy.
    • Threat Detection and Monitoring: Checks that GuardDuty is enabled in all regions and aggregated to a delegated administrator account (2 controls).
    • Network and Application Protection: One control: confirms WAF Web ACL association on API Gateway stages. Detects internet-facing endpoints with no web application firewall coverage.

  • What you handle

    • Logging and Audit Trail Completeness: Setting retention periods per classification level, writing SIEM alerting rules, establishing log review procedures, and documenting the logging policy itself.
    • Encryption and Cryptographic Standards: Maintaining a cryptographic key register, defining approved algorithm lists per ISM guidance, managing key rotation schedules, and handling ASD-approved cryptographic equipment for classified systems.
    • Identity and Access Management: Defining access approval workflows, conducting periodic access reviews, managing privileged access management (PAM) processes, and keeping records of access authorizations from system owners.
    • Threat Detection and Monitoring: Triaging and responding to GuardDuty findings, integrating them into your incident response process, tuning suppression rules, and reporting to the ACSC as required for government systems.
    • Network and Application Protection: Configuring WAF rule groups to match your threat profile, maintaining allow/deny lists, reviewing WAF logs, and designing broader network segmentation per ISM gateway guidelines.

Controls by Category

Guidelines for Cryptography (2 controls)

Certificate inventories and TLS configuration reports are the primary evidence here. The assessor checks that ACM certificates use RSA 2048-bit keys or stronger (ISM-0994, ISM-1446) and that no deprecated protocols remain in use on public or internal endpoints. Legacy TLS on internal services is a frequent finding, particularly on services that were excluded from the initial hardening scope.

RSA certificates managed by ACM should use a key length of at least 2,048 bits compliance.tf module EKS clusters should be configured to have kubernetes secrets encrypted using KMS compliance.tf module

Guidelines for System Monitoring (5 controls)

S3 data event logging is disabled by default in AWS, and this is the most common gap under ISM-0580, ISM-0585, and ISM-0586. Assessors check that CloudTrail covers data-plane events (not just management events), that logs flow to a centralized SIEM or CloudWatch Logs, and that retention satisfies the 7-year minimum for PROTECTED systems.

CloudTrail trails should be integrated with CloudWatch logs CodeBuild projects should have logging enabled DocumentDB instance logging should be enabled ELB application and classic load balancer logging should be enabled compliance.tf module Elasticsearch domains should have audit logging enabled
Additional Controls (20)

Amazon OpenSearch Service (1)

OpenSearch domains should have audit logging enabled. compliance.tf module

Amazon RDS (4)

RDS DB clusters should have automatic minor version upgrade enabled RDS DB instance automatic minor version upgrade should be enabled compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module RDS DB instance multiple az should be enabled compliance.tf module

Amazon Redshift (5)

AWS Redshift audit logging should be enabled compliance.tf module Redshift clusters should be encrypted with CMK compliance.tf module Redshift cluster encryption in transit should be enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift enhanced VPC routing should be enabled compliance.tf module

Amazon S3 (6)

S3 buckets access control lists (ACLs) should not be used to manage user access to buckets compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket MFA delete should be enabled compliance.tf module S3 bucket ACLs should not be accessible to all authenticated user compliance.tf module S3 buckets object logging should be enabled S3 bucket versioning should be enabled compliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at rest compliance.tf module

Amazon SageMaker (2)

SageMaker notebook instances should be encrypted using CMK SageMaker notebook instance encryption should be enabled

Other (1)

Amazon Redshift Serverless workgroups should use enhanced VPC routing

  • NIST 800-53 Rev 5 โ€” ๐ŸŸข High overlap (65%)

    The ISM draws heavily from NIST 800-53 control families, particularly AU (Audit and Accountability), AC (Access Control), SC (System and Communications Protection), and IA (Identification and Authentication). The ISM tailors these to Australian classification levels and adds ASD-specific cryptographic requirements that NIST 800-53 does not cover.

  • CIS AWS Benchmark v3.0.0 โ€” ๐ŸŸก Medium overlap (45%)

    CIS AWS Foundations Benchmark shares many technical controls around logging, IAM hygiene, and encryption. The ISM is broader in scope (covering governance and physical security) but the AWS-specific technical checks partially overlap with it. Running both provides complementary coverage.

  • ACSC Essential Eight โ€” ๐ŸŸก Medium overlap (30%)

    The Essential Eight is also published by the ACSC and is a prioritized subset of ISM controls focused on mitigation strategies. Organizations already aligned to the Essential Eight will find those controls are a subset of a full ISM implementation.

Frequently Asked Questions

Does the ISM apply to my organization if we are not an Australian Government agency?

Not mandatory for private companies with no government nexus. If you're a cloud service provider, managed service provider, or software vendor contracting with the Australian Government, you'll likely be required to demonstrate ISM alignment, typically through an IRAP assessment. Companies with no government work are free to adopt the ISM voluntarily; in critical infrastructure sectors regulated under the SOCI Act, many do.

How does the ISM relate to IRAP assessments?

IRAP is the assessment mechanism; the ISM is the control set being assessed against. An IRAP assessor evaluates your system against the ISM controls relevant to your data classification level and produces a security assessment report (and a cloud security assessment report for cloud systems). There is no formal 'ISM certification'. The authorising officer accepts residual risk based on the IRAP assessment findings.

This benchmark references the March 2023 ISM. Is it outdated?

The ACSC updates the ISM multiple times per year. March 2023 is one snapshot; later 2023 and 2024 editions introduced control numbering changes and new guidelines. Check the ACSC website for the current version and compare control IDs against this benchmark. Most controls are stable across versions, so coverage remains substantial, but verify any gaps against the latest published edition.

How many controls does the full ISM contain, and why does this benchmark only cover 50?

The full ISM contains over 800 controls spanning physical security, personnel security, communications security, and ICT security. This benchmark covers 50 that are verifiable through AWS resource configuration checks. Physical security, personnel vetting, governance processes, and documentation controls can't be verified through infrastructure scanning and require manual assessment or separate tooling.

Can I use this benchmark to satisfy both ISM and Essential Eight requirements simultaneously?

Partially. Essential Eight controls that intersect with this benchmark's checks (restricting administrative privileges, for example) will be covered. The Essential Eight maturity model has specific implementation requirements at each level (Maturity Level 1 through 3) that go beyond what ISM controls specify. Run both benchmarks and cross-reference findings to identify shared remediation work.