Handling the Australian ISM version changes: June 2024 update

Hello everyone, I'm Andrew Robinson, Chief Information Security Officer (CISO) at 6clicks. Today I want to address an important topic for all organizations with a need to comply with the Australian Government's Information Security Manual (ISM). Just this week, the Australian Cyber Security Centre (ACSC) released the June 2024 version of the ISM. With every update, there are crucial changes and additions that need to be incorporated into your cybersecurity practices to stay compliant and secure.

Executive summary

Understanding the changes

The ISM is a living document, constantly evolving to address new threats and improve existing security measures. The June 2024 update includes several key changes:

1. Governance of OT cybersecurity: CISOs are now recommended to extend their leadership to Operational Technology (OT) cybersecurity, beyond their traditional focus on Information Technology (IT) cybersecurity
2. OT cyber supply chain security: New controls require ensuring cyber supply chain security measures cover OT equipment in addition to IT equipment
3. Internal cybersecurity reporting: CISOs are urged to report on both IT and OT cybersecurity matters to the organization’s audit, risk, and compliance committee (or equivalent), in addition to their existing reporting duties to the executive committee or board of directors
4. AI application development: New requirements include:
   1. Mitigation of vulnerabilities identified in OWASP's Top 10 critical security risks for large language model (LLM) applications
   2. Evaluation and mitigation of adversarial user prompts in LLM applications to prevent the generation of sensitive or harmful content
5. Multi-Factor Authentication (MFA) deployments: As part of the new ISM, organizations utilizing MFA must:
   1. Disable all authentication protocols that do not support MFA when MFA is in use
   2. Ensure that users can only enroll in MFA from trustworthy devices when protecting sensitive or classified systems
6. Mobile app development: Organizations need to adopt OWASP’s mobile app security verification standard to support secure-by-design principles in mobile app development
   
   

Steps for handling the ISM version changes

Here are some actions your organization can take to incorporate the new version of the ISM into your cybersecurity program:

1. Conduct a gap analysis: The first step is to perform a thorough gap analysis to understand how the new requirements differ from the previous version. This involves reviewing each updated control and assessing your current compliance status.

2. Update your policies and procedures: Once you have identified the gaps, update your existing policies and procedures to align with the new requirements. This may involve revising your cloud security policies, incident response plans, and vendor management processes.

3. Train your team: Ensure that your security team and other relevant staff are aware of the changes and understand how to implement them. Conduct training sessions and workshops to cover the new controls and their implications.

4. Review vendor contracts: Given the new OT supply chain risk management requirements, review your contracts with third-party vendors of OT equipment to ensure they comply with the updated ISM guidelines. This may involve renegotiating terms or conducting additional security assessments.

5. Enhance monitoring and reporting: Review and update your monitoring and reporting mechanisms to meet the reporting requirements related to OT equipment. This may include deploying additional detection coverage and establishing clear reporting lines for issues and incidents.

6. Secure your OT environments: If your organization operates OT systems, review and update your security controls to protect these environments. This may involve segmenting OT networks, implementing robust access controls, and conducting regular security assessments.

Leveraging 6clicks for cyber risk and compliance

At 6clicks, we understand the challenges of staying compliant with evolving standards like the ISM. Our platform is designed to simplify this process by providing comprehensive tools for risk management, compliance tracking, and continuous monitoring. Here’s how 6clicks can help:

1. Automate version changes: Our platform automates the gap analysis process between versions, helping you update your SSP annex or controls matrix and focus your efforts on what is new
2. Leverage policy and procedure templates: Access the 6clicks Content Library for up-to-date policy and assessment templates that align with the requirements of the ISM and popular OT standards
3. Streamline control evidence management: Build a single unified internal control framework, collect evidence once, and reuse it across multiple overlapping standards, laws, and regulations
4. Manage your supply chain: Manage your third-party vendors and ensure they comply with the new OT supply chain risk management guidelines (in addition to managing traditional IT vendors)
5. Monitor continuously: Implement continuous control monitoring via our Developer API and additional native integrations (stay tuned!) and reporting to stay ahead of potential threats and ensure ongoing compliance

Staying compliant with the ISM is crucial for protecting your organization against cyber threats and maintaining trust with your stakeholders. By understanding the changes in the June 2024 version of the ISM and taking proactive steps to address them, you can ensure your organization remains secure and compliant.

For more detailed guidance on handling the ISM changes, or to see how 6clicks can support your compliance efforts, feel free to reach out to our team. Together, we can navigate these regular updates and strengthen your cybersecurity posture.