ISM Controls

The ISM control catalog contains all 992 controls from ASD's Information Security Manual, automatically synced from the official OSCAL source. Browse, filter, and track your compliance status for each control.

Browsing Controls

Filtering and Search

  • Filter by topic (e.g., Access Control, Cryptography, Network Security)
  • Filter by status (Compliant, Partially Compliant, Non-Compliant, Not Assessed)
  • Filter by Essential Eight strategy
  • Search by control ID (e.g., "ISM-1504") or keywords

Control Detail View

Each control page shows:

  • Control statement and guidance from ASD
  • Topic and subtopic grouping
  • Applicability levels
  • Your organisation's compliance status and notes
  • Related findings, evidence, and action items
  • AI assessment (if available)

Setting Compliance Status

Status Options

| Status | Meaning | When to use |
|---|---|---|
| Compliant | Fully implemented | Evidence demonstrates full implementation |
| Partially Compliant | Partially implemented | Some aspects done, gaps remain |
| Non-Compliant | Not implemented | No implementation or significant gaps |
| Not Assessed | Not yet reviewed | Default state |

Updating Status

  • Open the control detail page
  • Select status from the sidebar dropdown
  • Add implementation notes describing how the control is met

Implementation notes are included in your SOA export — write them for your assessor.

AI Assessment

  • AI analyses your findings, policies, and system context
  • Suggests compliance status with confidence level (High/Medium/Low)
  • Shows reasoning for the suggestion
  • You decide whether to accept or override

AI suggestions are advisory. You make the final compliance determination.

Applicability

Marking Controls Not Applicable

  • Some controls won't apply to your environment
  • Mark as "Not Applicable" with a reasoning note
  • Not-applicable controls are excluded from readiness calculation

Assessors will review your N/A determinations — always provide clear reasoning.

Applicability Levels

  • Controls specify classification levels they apply to (NC, O, OS, P, S, TS)
  • OFFICIAL: Sensitive (OS) is the most common for IRAP assessments

Essential Eight Tagging

  • Controls are tagged by Essential Eight strategy and maturity level
  • Filter controls by E8 strategy to focus on specific areas
