ACSC ISM 02 March 2023
AWS Audit Manager provides a prebuilt standard framework that supports the Australian Cyber Security Center (ACSC) Information Security Manual (ISM).
What is the ACSC ISM?
The ACSC is the Australian government's lead agency for cyber security. The ACSC produces the ISM, which functions as a set of cyber security principles. The purpose of these principles is to provide strategic guidance on how an organization can protect their systems and data from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond. An organization should be able to demonstrate that the cyber security principles are being adhered to within their organization. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
The ISM framework is provided by the ACSC under a Creative Commons Attribution 4.0
International License
Using this framework
You can use the ACSC ISM standard framework in AWS Audit Manager to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to ACSC ISM requirements. You can also customize this framework and its controls to support internal audits with specific requirements.
Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the ACSC ISM framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
|---|---|---|---|
| Australian Cyber Security Center (ACSC) Information Security Manual (ISM) 02 March 2023 | 222 | 655 | 22 |
Tip
To review the AWS Config rules that are used as data source mappings in this standard framework, download the AuditManager_ConfigDataSourceMappings_ACSC-ISM-02-March-2023.zip file.
The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the ACSC Information Security Manual controls. Moreover, they can't guarantee that you'll pass an ACSC audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.
You can find the ACSC ISM framework under the Standard frameworks tab of the framework library in Audit Manager.
Next steps
For instructions on how to create an assessment using this framework, see Creating an assessment in AWS Audit Manager.
For instructions on how to customize this framework to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.
Additional resources
