The Australian Government's Information Security Manual (ISM), the standard that governs the security of government ICT systems, was updated in June 2024 as part of its regular revision cycle managed by the Australian Cyber Security Centre (ACSC). These updates reflect ongoing efforts to adapt to evolving cybersecurity threats and improve the resilience of information systems. Here’s a comprehensive look at these updates and what they mean for organizations.
1. Refinement of Cyber Security Principles
The ISM's cyber security principles have been refined for clearer governance and risk identification:
- Changes to the GOVERN principle include updated guidelines on security risk management for systems, applications, and data.
- Principle G5 from the March version has been split out into a new IDENTIFY principle, which focuses on identifying and documenting assets, risks, and vulnerabilities within the organisation.
- The PROTECT principles have been updated to ensure that systems and applications align with their designated security requirements and business criticality.
- The RESPOND principles have been updated to clarify how incidents are reported (specifically, who to report to), to emphasize the importance of including detailed analysis in cyber incident reports, and to clarify the roles of incident response, business continuity, and disaster recovery plans during a cyber incident.
2. Inclusion of Operational Technology
The June 2024 update integrates Operational Technology into the ISM framework, acknowledging the importance of securing these systems alongside traditional IT:
- Procurement and Outsourcing: New guidelines include specific considerations for OT equipment and services, aligning them with IT security measures.
- Cyber Supply Chain Risk Management: Controls have been adjusted to encompass both IT and OT equipment, addressing the risks associated with interconnected supply chains.
3. New Controls
New controls have been added to adapt to the evolving cybersecurity environment:
- Reporting on Cyber Security: A new guideline requires CISOs to regularly report on cybersecurity to their organization's audit, risk, and compliance committee (or equivalent).
- Multi-factor Authentication: Enhanced guidelines now recommend disabling any authentication protocols that do not support multi-factor authentication.
- Scanning for Unmitigated Vulnerabilities: A new recommendation to frequently assess the likelihood of system compromise.
- Software Development: New guidelines advocate for the use of established standards like OWASP in the secure development of mobile and AI applications.
4. Updated Controls
Guidelines for Cyber Security Roles
- The CISO's leadership and guidance responsibilities have been amended to cover both information technology and operational technology.
- There is further clarification on who the CISO should report cyber security matters directly to.
Guidelines for Cyber Security Incidents
- More robust requirements for internal and external reporting of cyber security incidents are emphasized. This includes tighter guidelines on analyzing, containing, eradicating, and recovering from incidents to ensure timely response and recovery.
Guidelines for Procurement and Outsourcing
- The updated ISM includes provisions for maintaining a detailed register of all managed services, including the service provider's name, as part of a broader initiative to enhance transparency and security in outsourcing arrangements.
Guidelines for Enterprise Mobility
- The guidelines for mobile device management have been refined to specify the use of Mobile Device Management (MDM) solutions that have completed a Common Criteria evaluation against specified versions, ensuring a higher standard for security management of mobile devices across sensitive or protected systems.
5. Expanded Roles and Reporting for Cybersecurity Leadership
Updates expand the role and reporting responsibilities of Chief Information Security Officers (CISOs):
- Leadership and Reporting: CISOs must now provide more frequent and comprehensive updates on security matters to executive boards or committees.
Next Steps
To align your cybersecurity program with the new ISM updates, consider the following actionable steps:
- Review the Updated ISM Guidelines: Start by thoroughly reviewing the changes in the ISM.
- Assess Your Current Security Practices: Conduct a comprehensive assessment of your existing security frameworks and risk management protocols to identify any gaps or misalignments with the new ISM standards.
  - Avertro’s CyberHQ helps you automate up to 70% of the process of assessing your security posture against frameworks such as ISM and more (some other common standards we have worked with: NIST CSF, NIST 800-53, ISO 27001, ISO 27002, SEC Cyber Rules, PCI-DSS, CPS 234, ASD Essential 8, Australian ISM, Australian SOCI Act, AESCSF, IEC 62443, SOC 2, Singapore MAS TRM, CMMC, CIS, C2M2, HIPAA, FSSCC (FFIEC), and many more). With our maturity and risk reports, derive insights into the gaps to be filled in order to best align with ISM.
- Update Your Training Programs: Revise your internal training and awareness programs to include the latest ISM principles, especially focusing on areas such as multi-factor authentication and secure software development practices.
- Consult with Cybersecurity Experts: Engage with cybersecurity professionals or consultants who can provide expert advice on how to effectively implement the ISM changes within your organization.
  - Avertro offers a managed GRC service that acts as an extension of your team and works with you to navigate your implementation of ISM and any other industry frameworks.
- Implement Changes Systematically: Begin integrating the necessary changes into your security policies and operational procedures, prioritizing areas that address the most immediate risks or compliance requirements.
  - CyberHQ aligns your security program with your posture and goals, highlighting the key controls that require attention and tracking and supporting your continuous improvement over time to achieve your business goals.
- Monitor and Adjust: Continuously monitor the effectiveness of these implemented changes and be prepared to make adjustments as needed, ensuring ongoing compliance and protection against emerging threats.
  - CyberHQ supports you through ongoing and continuous monitoring and management of your cybersecurity posture, ensuring ongoing compliance with ISM or other standards.
The June 2024 updates to the Australian ISM represent a pivotal opportunity for your organization to enhance its cybersecurity measures. By systematically implementing these updates and utilizing tools like CyberHQ and our Managed GRC service, you can effectively strengthen your security protocols and streamline compliance processes. But effective cybersecurity is more than just compliance. By leveraging existing standards and tools, your team is supported in working towards a more resilient security infrastructure. To better understand how these solutions can be tailored to your needs and contribute to your cybersecurity strategy, reach out to our team and we’d be happy to discuss!