ACSC ISM March 2023
Best for: Australian Government agencies and ICT contractors handling data at the OFFICIAL, PROTECTED or SECRET classification levels, all of which must align with the ISM. Cloud providers, managed service providers and software vendors with government contracts typically face ISM alignment requirements, often enforced through an IRAP assessment. Critical infrastructure operators under the SOCI Act 2018 also frequently adopt this framework.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Mandatory for Australian government entities |
| Who validates? | Self-assessment; IRAP assessors for higher classifications |
| Renewal | Annual; updated quarterly by ACSC |
| Scope | Information and systems across Australian government |
Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) · ACSC ISM March 2023: Official source
Get Started

```hcl
module "..." {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Logging and Audit Trail Completeness: 8 controls covering CloudTrail data event logging for S3 (read and write), CloudWatch log integration, and service-level logging for ELB, CodeBuild, DocumentDB, and Elasticsearch. Each maps to ISM event logging requirements.
- Encryption and Cryptographic Standards: Four controls: ACM certificate key lengths (RSA 2048+), deprecated SSL/TLS protocol usage on CloudFront, root CA status in AWS Private CA, and KMS-based encryption of EKS secrets.
- Identity and Access Management: 3 controls flagging empty IAM groups, inline policies attached to groups, users, or roles, and administrative privilege grants via inline policy.
- Threat Detection and Monitoring: Checks that GuardDuty is enabled in all regions and aggregated to a delegated administrator account (2 controls).
- Network and Application Protection: One control: confirms WAF Web ACL association on API Gateway stages. Detects internet-facing endpoints with no web application firewall coverage.
What you handle
- Logging and Audit Trail Completeness: Setting retention periods per classification level, writing SIEM alerting rules, establishing log review procedures, and documenting the logging policy itself.
- Encryption and Cryptographic Standards: Maintaining a cryptographic key register, defining approved algorithm lists per ISM guidance, managing key rotation schedules, and handling ASD-approved cryptographic equipment for classified systems.
- Identity and Access Management: Defining access approval workflows, conducting periodic access reviews, managing privileged access management (PAM) processes, and keeping records of access authorizations from system owners.
- Threat Detection and Monitoring: Triaging and responding to GuardDuty findings, integrating them into your incident response process, tuning suppression rules, and reporting to the ACSC as required for government systems.
- Network and Application Protection: Configuring WAF rule groups to match your threat profile, maintaining allow/deny lists, reviewing WAF logs, and designing broader network segmentation per ISM gateway guidelines.
Controls by Category
Guidelines for Cryptography (2 controls)
Certificate inventories and TLS configuration reports are the primary evidence here. The assessor checks that ACM certificates use RSA 2048-bit keys or stronger (ISM-0994, ISM-1446) and that no deprecated protocols remain in use on public or internal endpoints. Legacy TLS on internal services is a frequent finding, particularly on services that were excluded from the initial hardening scope.
Guidelines for System Monitoring (5 controls)
S3 data event logging is disabled by default in AWS, and this is the most common gap under ISM-0580, ISM-0585, and ISM-0586. Assessors check that CloudTrail covers data-plane events (not just management events), that logs flow to a centralized SIEM or CloudWatch Logs, and that retention satisfies the 7-year minimum for PROTECTED systems.
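The Terraform below is an added example, not Compliance.tf module code, showing a trail that closes the S3 data-event gap described above and forwards to CloudWatch Logs with retention sized for the 7-year minimum. Resource names are placeholders, and the trail bucket, its KMS key and the CloudTrail-to-CloudWatch IAM role are assumed to already exist.

```hcl
# Added example (not Compliance.tf module code): a CloudTrail trail that
# closes the S3 data-event gap described above. Resource names are placeholders;
# the log bucket, CloudTrail KMS key and CloudTrail-to-CloudWatch IAM role are
# assumed to exist and are passed in as variables.
variable "trail_bucket"           { type = string } # bucket receiving trail files
variable "trail_kms_key_arn"      { type = string } # key encrypting trail files
variable "trail_to_logs_role_arn" { type = string } # role CloudTrail assumes to write logs

# The AWS default (an event_selector with include_management_events only and no
# data_resource block) records API calls on buckets but not object-level reads
# and writes, which is the ISM-0580/0585/0586 gap assessors find most often.
resource "aws_cloudtrail" "ism_audit_trail" {
  name                          = "ism-audit-trail"
  s3_bucket_name                = var.trail_bucket
  is_multi_region_trail         = true   # one trail covers every region
  include_global_service_events = true   # IAM, STS and other global APIs
  enable_log_file_validation    = true   # digest files detect log tampering
  kms_key_id                    = var.trail_kms_key_arn

  event_selector {
    read_write_type           = "All"    # GetObject as well as PutObject/DeleteObject
    include_management_events = true

    # Object-level S3 data events for every current and future bucket.
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }

  # Forward to CloudWatch Logs so the trail can feed SIEM alerting.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ism_audit_logs.arn}:*"
  cloud_watch_logs_role_arn  = var.trail_to_logs_role_arn
}

# Retention is on your side of the split: 2557 days is the CloudWatch Logs
# retention value that meets the 7-year minimum cited for PROTECTED systems.
resource "aws_cloudwatch_log_group" "ism_audit_logs" {
  name              = "/ism/cloudtrail/ism-audit-trail"
  retention_in_days = 2557
}
```

Logging object-level events for every bucket can produce a large event volume, so size the trail bucket and CloudWatch ingestion budget before applying it account-wide.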
Additional Controls (20)
- Amazon OpenSearch Service (1)
- Amazon RDS (4)
- Amazon Redshift (5)
- Amazon S3 (6)
- Amazon SageMaker (2)
Related Frameworks
NIST 800-53 Rev 5: High overlap (65%)
The ISM draws heavily from NIST 800-53 control families, particularly AU (Audit and Accountability), AC (Access Control), SC (System and Communications Protection), and IA (Identification and Authentication). The ISM tailors these to Australian classification levels and adds ASD-specific cryptographic requirements that NIST 800-53 does not cover.
CIS AWS Benchmark v3.0.0: Medium overlap (45%)
CIS AWS Foundations Benchmark shares many technical controls around logging, IAM hygiene, and encryption. The ISM is broader in scope (covering governance and physical security) but the AWS-specific technical checks partially overlap with it. Running both provides complementary coverage.
ACSC Essential Eight: Medium overlap (30%)
The Essential Eight is also published by the ACSC and is a prioritized subset of ISM controls focused on mitigation strategies. Organizations already aligned to the Essential Eight will find those controls are a subset of a full ISM implementation.