Information Security Manual update: 20% less cyber controls, no more ‘should’ or ‘must’

By Stephen Easton

Thursday December 6, 2018

The Australian government’s Information Security Manual has been simplified with the removal of 258 recommended cyber security controls and the addition of 63.

Words like “should” and “must” were also removed from the descriptions of 687 entries to get away from “compliance-based language” in the manual, according to a report listing all the changes.

Presumably, the idea is to encourage executives to take charge of managing cyber security risks and to use the ISM as a guide, but not to rely on it too much as a kind of checklist.

The latest update sees a net reduction of 20% on the 950 individual security tips that were listed in the previous version of the ISM.

Other controls were “modified to merge in content from other security controls, clarify their intent or clarify the classifications that they were applicable to” as well, the Australian Cyber Security Centre reports.


Public service leaders often hear that compliance does not equal security — a handy point to bring up when you’re non-compliant — but that does not mean they can ignore the recommendations either. The message from ACSC chief Alastair MacGibbon is that it remains important to tick all the most important boxes, but it’s not enough on its own; information security requires ongoing risk management.

The ACSC has published the new ISM online, along with various supporting documents including one that explains all the individual changes and, briefly, the specific reasoning behind each one.

The key questions

Decisions to get rid of controls were broadly based on a list of criteria:

  • Does the security control need to be removed due to Protective Security Policy Framework (PSPF) reforms?
  • Does the security control need to be removed due to a change in the threat environment?
  • Does the security control need to be changed due to a change in technology?
  • Does the security control need to be changed due to a change in policy position?
  • Is the security control of sufficient value to be retained?
  • Is the security control duplicated elsewhere in the document?
  • Is the security control part of a group of similar security controls that could be combined?

A similar set of tests applied to the new additions:

  • Does a security control require additional clarification?
  • Would a security control be better served by being two or more distinct security controls?
  • Does supporting information exist that isn’t related to a security control?
  • Do gaps exist in security control coverage?
