If the Essential Eight is the headline, the Information Security Manual is the full text. The ISM is the ASD’s comprehensive cyber security guidance — hundreds of controls covering everything from system hardening to incident response. It can look overwhelming, so here is how a smaller business should approach it.

Key takeaways
  • The ISM is published by the ASD and is updated regularly throughout the year.
  • It uses a risk-based framework rather than a rigid checklist.
  • The Essential Eight is a prioritised subset of ISM guidance, which is where most SMBs should start.
  • Backup, recovery and data retention controls run throughout the ISM.

What the ISM is

The Information Security Manual (ISM) is the Australian Signals Directorate’s detailed cyber security framework. It is aimed at chief information security officers, IT managers and security practitioners, and provides a large catalogue of controls organised around a risk-management approach: define your context, identify risks, apply controls, and monitor. It is refreshed regularly, so it tracks the current threat landscape.

How it relates to the Essential Eight

People often ask whether they should follow the ISM or the Essential Eight. The answer is that the Essential Eight is effectively a prioritised starter set drawn from the broader ISM. For a small business, the sensible path is to implement the Essential Eight first, then reach into the relevant ISM controls as your maturity and obligations grow.

Which parts matter most for an SMB

You do not need every control. Focus on the areas with the highest payoff:

  • Access control and MFA — strong authentication everywhere it counts.
  • Patching and hardening — keep systems current and minimise attack surface.
  • Email and web security — the most common entry points.
  • Data backup and recovery — regular, retained, tested and isolated.
  • Incident response — a simple, documented plan beats improvisation.

The role of backups in the ISM

Backup and recovery controls thread through the ISM, reflecting a simple truth: resilience is a security outcome, not an afterthought. The guidance consistently points to backups that are performed regularly, retained for an appropriate period, tested through restoration, and protected from unauthorised modification or deletion. For cloud data such as Xero, that means an independent backup you control.

A pragmatic approach

Treat the ISM as a reference library, not a to-do list. Anchor on the Essential Eight, document your decisions, and consult specific ISM controls when a contract, a customer or a risk assessment calls for them.