An introduction to Information Security Manual (ISM)

  • Jul 4, 2022, 1:59:18 PM

The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats. The cyber security guidelines within the ISM are based on the experience of the ACSC and ASD. These guidelines are intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers. As such, these guidelines discuss both governance and technical concepts in order to support the protection of organisations’ information and systems.

The first section of the ISM consists of a set of cyber security principles. The purpose of these principles is to "provide strategic guidance on how an organisation can protect their systems and data from cyber threats". The ISM's cyber security principles are grouped into the following four categories:

  • Govern: Identifying and managing security risks (5 principles)
  • Protect: Implementing security controls to reduce security risks (14 principles)
  • Detect: Detecting and understanding cyber security events to identify cyber security incidents (2 principles)
  • Respond: Responding to and recovering from cyber security incidents (3 principles)

To assess how well each cyber security principle has been implemented, the ISM offers the following maturity model:

  • Incomplete: The cyber security principles are partially implemented or not implemented. 
  • Initial: The cyber security principles are implemented, but in a poor or ad hoc manner. 
  • Developing: The cyber security principles are sufficiently implemented, but on a project-by-project basis. 
  • Managing: The cyber security principles are established as standard business practices and robustly implemented throughout the organisation. 
  • Optimising: A deliberate focus on optimisation and continual improvement exists for the implementation of the cyber security principles throughout the organisation.

Rezilens provides a fully automated platform to manage all of the above-mentioned processes in an integrated "single pane of glass", which can benefit many organisations and professionals, such as MSPs, MSSPs and IRAP assessors.