The Information Security Manual (ISM) is the Australian Government's comprehensive cybersecurity manual, published and maintained by the Australian Cyber Security Centre (ACSC). It is updated quarterly and is the authoritative cybersecurity standard for Commonwealth government entities.
The ISM is significantly broader than the Essential Eight. It covers risk management, governance, personnel security, physical security, communications systems, enterprise IT, cloud services, mobile devices, evaluated products, cryptography, and incident management. Each topic includes specific controls rated as MUST, SHOULD or MAY — making it a prescriptive technical baseline rather than a high-level framework.
ISM compliance is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). For private-sector mid-market firms, the ISM is not a legal obligation, but its cloud-security and cryptography sections are commonly referenced in tendering for government and government-adjacent work. ISM controls also map cleanly to Essential Eight Maturity Level Two (ML2) and to CPS 234 §13 capability evidence.