A mirror of ISM OSCAL documents. The authoritative source can be found at https://www.cyber.gov.au/ism/oscal. The Australian Signals Directorate (ASD) provides the Information Security Manual (ISM) in the Open Security Controls Assessment Language (OSCAL), a standardised machine-readable format developed by the United States’ National Institute of Standards and Technology (NIST). ISM OSCAL enables enhanced machine-supported consumption possibilities that can be incorporated into organisations’ governance, risk and compliance (GRC) processes and tooling. For example, improved tooling could include programmatic ingestion of ISM releases into internal systems for tracking in line with organisations’ GRC processes. NIST publishes several OSCAL learning resources to help organisations understand the concepts behind OSCAL and its use.
The ISM is provided as an OSCAL catalog, with OSCAL props used for unique ISM attributes. ASD also provides illustrative OSCAL profiles and OSCAL resolved profile catalogs for each ISM control’s applicability (ALL, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET), as well as for Essential Eight Maturity Level One (ML1), Maturity Level Two (ML2) and Maturity Level Three (ML3). Importantly, to enable greater flexibility for consumers, and to align with the ISM’s non-machine-readable documents, the information used to inform these profiles is also included in the source ISM catalog.
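A sketch of the programmatic ingestion described above, as an added example that is not ASD's code: it walks an OSCAL catalog in JSON form, including nested groups and controls, and selects controls by prop value. The sample catalog, the control ids and the prop names `applicability` and `essential-eight-applicability` are constructed assumptions; check the prop names and values used in the release you ingest.

```python
import json

# Constructed sample in OSCAL catalog JSON shape. Ids, titles and the prop
# names/values are illustrative assumptions, not copied from an ISM release.
SAMPLE = json.loads("""
{"catalog": {"uuid": "00000000-0000-4000-8000-000000000000",
  "metadata": {"title": "Constructed sample", "version": "0"},
  "groups": [{"id": "g1", "title": "Group one",
    "groups": [{"id": "g1-1", "title": "Nested group",
      "controls": [
        {"id": "ctl-0001", "title": "Example A",
         "props": [{"name": "applicability", "value": "OFFICIAL: Sensitive"},
                   {"name": "applicability", "value": "PROTECTED"},
                   {"name": "essential-eight-applicability", "value": "ML2"}]},
        {"id": "ctl-0002", "title": "Example B",
         "props": [{"name": "applicability", "value": "TOP SECRET"}],
         "controls": [
           {"id": "ctl-0003", "title": "Nested control",
            "props": [{"name": "applicability", "value": "PROTECTED"}]}]}
      ]}]}]}}
""")

def iter_controls(node):
    """Yield every control under a catalog, group or control (all may nest)."""
    for ctl in node.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in node.get("groups", []):
        yield from iter_controls(grp)

def prop_values(control, name):
    """A prop name may repeat on one control, so collect every value."""
    return {p["value"] for p in control.get("props", []) if p.get("name") == name}

def select(doc, name, value):
    """Return sorted ids of controls carrying prop `name` with value `value`."""
    catalog = doc.get("catalog")
    if not isinstance(catalog, dict):
        # Profiles and other OSCAL models have a different top-level key.
        raise ValueError("not an OSCAL catalog document")
    return sorted(c["id"] for c in iter_controls(catalog)
                  if value in prop_values(c, name))

if __name__ == "__main__":
    print(select(SAMPLE, "applicability", "PROTECTED"))
    print(select(SAMPLE, "essential-eight-applicability", "ML2"))
```

Because the profile inputs are carried in the source catalog, a filter like this can be cross-checked against the matching resolved profile catalog for the same release.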
ASD welcomes feedback regarding ISM OSCAL. If you would like to provide any feedback or insights about your usage, or have enquiries regarding ISM OSCAL, please complete the ISM Feedback Form. Feedback pertaining to the broader use of OSCAL (including the OSCAL specification) should be directed to the OSCAL community or NIST’s OSCAL team.
Disclaimer
The material in this guide is of a general nature and should not be regarded as legal advice or relied on for assistance in any particular circumstance or emergency situation. In any important matter, you should seek appropriate independent professional advice in relation to your own circumstances.
The Commonwealth accepts no responsibility or liability for any damage, loss or expense incurred as a result of the reliance on information contained in this guide.
Copyright
© Commonwealth of Australia 2024.
With the exception of the Coat of Arms, the Australian Signals Directorate logo and where otherwise stated, all material presented in this publication is provided under a Creative Commons Attribution 4.0 International licence (www.creativecommons.org/licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 4.0 licence (www.creativecommons.org/licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and Cabinet website (www.pmc.gov.au/government/commonwealth-coat-arms).
For more information, or to report a cyber security incident, contact us:
cyber.gov.au | 1300 CYBER1 (1300 292 371)