RFFR Statement of Applicability (SoA) Template

Document version (must be completed by the Provider)

Provider Code:
Organisation name:
Category: Please select your category from the list as determined and advised by DEWR
ISO27001 version:
Worksheets required: Please select your category first, then this field will be populated accordingly
Author:
Last updated date:

Template version
Based on ISM version: March 2023
Last updated: 4/4/2023
Changes:
(1) Incorporated the March 2023 ISM (controls applicable to OFFICIAL).
(2) ISM controls are no longer mapped to ISO 27001 Annex A, as this mapping differs between the 2013 and 2022 versions.
(3) Removed Annex A control descriptions to allow providers to choose the 2013 or 2022 version.
(4) Split the SoA into three sheets, separating ISO27001, ISM, and RFFR-specific controls.
(5) Refreshed the mapping to Essential Eight strategies in line with the March 2023 ISM.
(6) Updated Essential Eight mappings in accordance with the ACSC SSP template.

Introduction

A Statement of Applicability (SoA) contains all controls that have been considered for inclusion in an Information Security Management System (ISMS). It serves to link risks to treatments, and acts as an ongoing management tool that enables the status of controls to be tracked.

Annex A of the ISO27001 standard (2013 or 2022) contains a comprehensive list of controls, but the standard also allows organisations to design their own controls, or identify them from another source. In order to obtain independent certification, an organisation must address the Annex A controls. This template includes a worksheet to address the Annex A controls.

Right Fit For Risk (RFFR) requires organisations to address controls sourced from the Australian Government Information Security Manual (ISM). The ISM is produced by the Australian Cyber Security Centre (ACSC) and contains prescriptive controls to secure government information of each classification. This template includes a worksheet to address all ISM controls that are relevant for OFFICIAL information.

RFFR imposes some specific obligations that are derived from the program deeds. Controls that support RFFR core expectations are flagged for convenience. This template also includes a worksheet to address some specific RFFR obligations.

Information that is handled in the course of delivering program services is considered OFFICIAL, and any personal or sensitive information is considered OFFICIAL: Sensitive. Therefore, all controls in this template must be addressed by following the steps below.

Useful links and references

Latest SoA template: https://www.dewr.gov.au/right-fit-risk-cyber-security-accreditation/resources/soa-template
RFFR guidance: https://www.dewr.gov.au/right-fit-risk-cyber-security-accreditation
ISO27001:2013: https://www.iso.org/standard/54534.html
ISO27001:2022: https://www.iso.org/standard/82875.html
ACSC website: https://www.cyber.gov.au/
ISM Guidelines: https://www.cyber.gov.au/acsc/view-all-content/ism
Essential Eight: https://www.cyber.gov.au/acsc/view-all-content/essential-eight
Glossary: https://www.cyber.gov.au/acsc/view-all-content/glossary

How to complete

Step 1: Scope

Ensure you have defined the 'physical boundaries' and 'logical boundaries' of your ISMS in your Scope document. Consider all critical data assets and systems within these boundaries as you complete this SoA.

Step 2: Template and guidance

If this SoA template is older than 3 months, obtain the latest SoA template from the department's website (see link above).

Obtain the ISM document from the ACSC website (see link above). It contains basic guidance and links to detailed guidance pages on the ACSC website. These pages also link to specific guidance from common vendors, such as Microsoft. You should search the web for further information as needed. Please attempt to follow this guidance before consulting the department. Note that IT expertise will be beneficial when researching.

Step 3: Document version

Complete the 'Document version' section at the top of this worksheet. Worksheets required will be populated automatically:

Category 1 providers must address 3 worksheets ('RFFR Obligations', ISM, and 'ISO27001 Annex A').

Category 2A providers must address 2 worksheets ('RFFR Obligations' and ISM).

Step 4: ISO 27001

Obtain the ISO 27001 standard (you may currently use either the 2013 or 2022 version).

Category 1 providers must copy the control categories, identifiers and descriptions from the standard into the 'ISO 27001 Annex A' worksheet.

Category 2A providers are not required to address ISO 27001 Annex A controls unless they are voluntarily seeking independent certification.

Step 5: Applicability

For each control, determine if it is applicable to your organisation. If the control is not applicable, set the 'Current implementation status' to 'Not applicable' via the dropdown list, and state a 'Justification' that explains why the control is not applicable.

If the related asset is not used within your organisation, the control is not applicable. Ensure you follow the definitions and guidance published by the ACSC (see links above). All controls in this template are relevant to the sensitivity of program-related information. If a control is managed by a third party (e.g. an IT service provider), it must still be addressed.

In some cases, you may have effective alternate or compensating controls. If so, you may describe them in the 'Justification' and set the status to 'Not applicable'. The department will determine if the justification is acceptable.

As you address the controls, consider the risks outlined in the ISM document at a minimum. Note that the SoA must provide an accurate picture of the residual risks facing the department. The department will determine if the justifications are acceptable.

Step 6: Status

For each applicable control, select the 'Current implementation status' via the dropdown list (see definitions below).

Step 7: Details

Describe the 'Implementation details'. Note that some controls are relevant to multiple assets that may be within your scope, so ensure that every relevant asset is explicitly addressed.

For policy- or procedure-based controls you must reference the relevant document(s). It is best practice to also briefly summarise the relevant content.

For technical controls, you must briefly describe how the control has been implemented, and on which systems it is implemented. If a specific software/hardware solution is used, it must be named.

Step 8: Implementation plans

For each applicable control that is 'Partially implemented' or 'Not implemented', briefly describe the implementation plan, state the responsible person, and state the estimated completion date. Fully implemented controls do not require ongoing plans.

Controls that support the RFFR core expectations are flagged in the 'Priority' column. While you should prioritise the implementation of these controls, you must still address all other applicable controls. The department expects very few outstanding implementations at the final milestone.

Step 9: Maintenance

Review and update your SoA between RFFR Milestones and during your Accreditation Maintenance period. This template is updated shortly after the ACSC publishes a new version of the ISM (approximately every three months). You must consider the updated control list and regularly review the effectiveness of your implementations.

Implementation Status Definitions

Fully implemented: The control is applicable and implemented. The solution effectively meets the control objective.

Partially implemented: The control is applicable but only partially implemented. The solution is not fully effective, or is only implemented on some of the relevant assets. An implementation plan is expected.

Not implemented: The control is applicable but not implemented. The solution, if any, is not effective. An implementation plan is expected.

Not applicable: The control is not applicable to the ISMS scope. A valid justification is required.
RFFR Contractual Obligations

Control identifier | Control description
RFFR Deeds - 1 | Prior to offering employment, and as an on-going requirement to maintain employment, the individual's identity is positively confirmed.
RFFR Deeds - 2 | Prior to offering employment, and as an on-going requirement to maintain employment, the competency of the individual is verified via the qualifications, certifications and experience provided on their CV.
RFFR Deeds - 3 | Prior to offering employment, and as an on-going requirement to maintain employment, a police check and Working with Vulnerable People check are completed per the requirements in each state and territory. https://aifs.gov.au/cfca/publications/pre-employment-screening-working-children-checks-and-police-checks
RFFR Deeds - 4 | Prior to offering employment, and as an on-going requirement to maintain employment, it is confirmed that the individual has a valid right to work in Australia.
RFFR Deeds - 5 | In considering the results of pre-employment checks (e.g. if a person has a criminal record), consideration will be limited to information that impacts on the person's ability to perform the inherent requirements of the job, consistent with anti-discrimination legislation.
RFFR Deeds - 6 | IT Administrators are Australian citizens or permanent residents, to give them sufficient connection with Australia.
RFFR Deeds - 7 | In accordance with the privacy requirements of contracts held, data relating to the Services is not accessible from outside of Australia, and no data relating to the Services is transferred or stored outside of Australia, without prior written approval from the Department.

Remaining worksheet columns (to be completed by the provider for each control):

Priority: Supports RFFR core expectations ('Y' flags such controls)
Control Implementation: Current implementation status; Implementation details (e.g. document or description) or Justification if N/A
If control is applicable but not implemented or partially implemented: Implementation plan; Implementation date (dd/mm/yyyy); Person responsible
Australian Government Information Security Manual (March 2023) - Controls applicable to OFFICIAL
Guideline Section Topic Control
identifier

Guidelines for Cyber Chief Information Providing cyber security leadership 0714
Security Roles Security Officer and guidance

Guidelines for Cyber Chief Information Overseeing the cyber security 1478
Security Roles Security Officer program

Guidelines for Cyber Chief Information Overseeing the cyber security 1617
Security Roles Security Officer program

Guidelines for Cyber Chief Information Overseeing the cyber security 0724
Security Roles Security Officer program

Guidelines for Cyber Chief Information Coordinating cyber security 0725


Security Roles Security Officer

Guidelines for Cyber Chief Information Coordinating cyber security 0726


Security Roles Security Officer

Guidelines for Cyber Chief Information Reporting on cyber security 0718


Security Roles Security Officer

Guidelines for Cyber Chief Information Overseeing incident response 0733


Security Roles Security Officer activities

Guidelines for Cyber Chief Information Overseeing incident response 1618


Security Roles Security Officer activities

Guidelines for Cyber Chief Information Contributing to business continuity 0734


Security Roles Security Officer and disaster recovery planning

Guidelines for Cyber Chief Information Developing a cyber security 0720


Security Roles Security Officer communications strategy

Guidelines for Cyber Chief Information Working with suppliers 0731


Security Roles Security Officer

Guidelines for Cyber Chief Information Receiving and managing a dedicated 0732
Security Roles Security Officer cyber security budget

Guidelines for Cyber Chief Information Overseeing cyber security personnel 0717
Security Roles Security Officer

Guidelines for Cyber Chief Information Overseeing cyber security awareness 0735
Security Roles Security Officer raising

Guidelines for Cyber System owners System ownership and oversight 1071
Security Roles
Guidelines for Cyber System owners System ownership and oversight 1525
Security Roles

Guidelines for Cyber System owners Protecting systems and their 1633
Security Roles resources

Guidelines for Cyber System owners Protecting systems and their 1634
Security Roles resources

Guidelines for Cyber System owners Protecting systems and their 1635
Security Roles resources

Guidelines for Cyber System owners Protecting systems and their 1636
Security Roles resources

Guidelines for Cyber System owners Protecting systems and their 0027
Security Roles resources

Guidelines for Cyber System owners Protecting systems and their 1526
Security Roles resources

Guidelines for Cyber System owners Annual reporting of system security 1587
Security Roles status

Guidelines for Cyber Managing cyber Incident management policy 0576


Security Incidents security incidents

Guidelines for Cyber Managing cyber Incident management policy 1784


Security Incidents security incidents

Guidelines for Cyber Managing cyber Cyber security incident register 0125
Security Incidents security incidents

Guidelines for Cyber Managing cyber Cyber security incident register 1803
Security Incidents security incidents

Guidelines for Cyber Managing cyber Trusted insider program 1625


Security Incidents security incidents

Guidelines for Cyber Managing cyber Trusted insider program 1626


Security Incidents security incidents

Guidelines for Cyber Managing cyber Access to sufficient data sources and 0120
Security Incidents security incidents tools

Guidelines for Cyber Managing cyber Reporting cyber security incidents 0123
Security Incidents security incidents

Guidelines for Cyber Managing cyber Reporting cyber security incidents to 0140
Security Incidents security incidents the ACSC
Guidelines for Cyber Responding to cyber Enacting incident response plans 1819
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing data spills 0133
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing malicious 0917
Security Incidents security incidents code infections

Guidelines for Cyber Responding to cyber Handling and containing intrusions 0137
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing intrusions 1609
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing intrusions 1731
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing intrusions 1732
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Handling and containing intrusions 1213
Security Incidents security incidents

Guidelines for Cyber Responding to cyber Maintaining the integrity of evidence 0138
Security Incidents security incidents

Guidelines for Cyber supply chain Cyber supply chain risk management 1631
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Cyber supply chain risk management 1452
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Cyber supply chain risk management 1567
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Cyber supply chain risk management 1568
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Cyber supply chain risk management 1632
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Cyber supply chain risk management 1569
Procurement and risk management activities
Outsourcing
Guidelines for Cyber supply chain Supplier relationship management 1785
Procurement and risk management
Outsourcing
Guidelines for Cyber supply chain Supplier relationship management 1786
Procurement and risk management
Outsourcing
Guidelines for Cyber supply chain Sourcing applications, ICT equipment 1787
Procurement and risk management and services
Outsourcing
Guidelines for Cyber supply chain Sourcing applications, ICT equipment 1788
Procurement and risk management and services
Outsourcing
Guidelines for Cyber supply chain Sourcing applications, ICT equipment 1789
Procurement and risk management and services
Outsourcing
Guidelines for Cyber supply chain Delivery of applications, ICT 1790
Procurement and risk management equipment and services
Outsourcing
Guidelines for Cyber supply chain Delivery of applications, ICT 1791
Procurement and risk management equipment and services
Outsourcing
Guidelines for Cyber supply chain Delivery of applications, ICT 1792
Procurement and risk management equipment and services
Outsourcing
Guidelines for Managed services and Managed services 1736
Procurement and cloud services
Outsourcing
Guidelines for Managed services and Managed services 1737
Procurement and cloud services
Outsourcing

Guidelines for Managed services and Assessment of managed service 1793


Procurement and cloud services providers
Outsourcing
Guidelines for Managed services and Outsourced cloud services 1637
Procurement and cloud services
Outsourcing
Guidelines for Managed services and Outsourced cloud services 1638
Procurement and cloud services
Outsourcing

Guidelines for Managed services and Assessment of outsourced cloud 1570


Procurement and cloud services service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1395
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 0072
Procurement and cloud services with service providers
Outsourcing

Guidelines for Managed services and Contractual security requirements 1571


Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1738
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1804
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 0141
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1794
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1451
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1572
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1573
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1574
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Contractual security requirements 1575
Procurement and cloud services with service providers
Outsourcing
Guidelines for Managed services and Access to systems and data by 1073
Procurement and cloud services service providers
Outsourcing
Guidelines for Managed services and Access to systems and data by 1576
Procurement and cloud services service providers
Outsourcing
Guidelines for Development and Cyber security strategy 0039
Security maintenance of
Documentation security
documentation

Guidelines for Development and Approval of security documentation 0047


Security maintenance of
Documentation security
documentation

Guidelines for Development and Approval of security documentation 1739


Security maintenance of
Documentation security
documentation

Guidelines for Development and Maintenance of security 0888


Security maintenance of documentation
Documentation security
documentation
Guidelines for Development and Communication of security 1602
Security maintenance of documentation
Documentation security
documentation

Guidelines for System-specific System security plan 0041


Security security
Documentation documentation
Guidelines for System-specific Incident response plan 0043
Security security
Documentation documentation

Guidelines for System-specific Continuous monitoring plan 1163


Security security
Documentation documentation

Guidelines for System-specific Security assessment report 1563


Security security
Documentation documentation

Guidelines for System-specific Plan of action and milestones 1564


Security security
Documentation documentation
Guidelines for Facilities and systems Physical access to systems 0810
Physical Security
Guidelines for Facilities and systems Physical access to servers, network 1053
Physical Security devices and cryptographic
equipment
Guidelines for Facilities and systems Physical access to servers, network 1530
Physical Security devices and cryptographic
equipment
Guidelines for Facilities and systems Physical access to servers, network 0813
Physical Security devices and cryptographic
equipment
Guidelines for Facilities and systems Physical access to servers, network 1074
Physical Security devices and cryptographic
equipment
Guidelines for Facilities and systems Physical access to network devices in 1296
Physical Security public areas
Guidelines for Facilities and systems Preventing observation by 0164
Physical Security unauthorised people
Guidelines for ICT equipment and Securing ICT equipment and media 0161
Physical Security media
Guidelines for Cyber security Providing cyber security awareness 0252
Personnel Security awareness training training

Guidelines for Cyber security Providing cyber security awareness 1565


Personnel Security awareness training training
Guidelines for Cyber security Managing and reporting suspicious 1740
Personnel Security awareness training changes to banking details or
payment requests
Guidelines for Cyber security Reporting suspicious contact via 0817
Personnel Security awareness training online services
Guidelines for Cyber security Posting work information to online 0820
Personnel Security awareness training services
Guidelines for Cyber security Posting work information to online 1146
Personnel Security awareness training services
Guidelines for Cyber security Posting personal information to 0821
Personnel Security awareness training online services

Guidelines for Cyber security Sending and receiving files via online 0824
Personnel Security awareness training services
Guidelines for Access to systems and System access requirements 0432
Personnel Security their resources
Guidelines for Access to systems and System access requirements 0434
Personnel Security their resources

Guidelines for Access to systems and System access requirements 0435


Personnel Security their resources
Guidelines for Access to systems and User identification 0414
Personnel Security their resources
Guidelines for Access to systems and User identification 0415
Personnel Security their resources
Guidelines for Access to systems and User identification 1583
Personnel Security their resources
Guidelines for Access to systems and Unprivileged access to systems 0405
Personnel Security their resources
Guidelines for Access to systems and Unprivileged access to systems 1566
Personnel Security their resources
Guidelines for Access to systems and Unprivileged access to systems 1714
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1507
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1733
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1508
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1175
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1653
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1649
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 0445
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1263
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1509
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1651
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1650
Personnel Security their resources
Guidelines for Access to systems and Privileged access to systems 1652
Personnel Security their resources
Guidelines for Access to systems and Suspension of access to systems 0430
Personnel Security their resources

Guidelines for Access to systems and Suspension of access to systems 1591


Personnel Security their resources

Guidelines for Access to systems and Suspension of access to systems 1404


Personnel Security their resources
Guidelines for Access to systems and Suspension of access to systems 1648
Personnel Security their resources
Guidelines for Access to systems and Suspension of access to systems 1716
Personnel Security their resources
Guidelines for Access to systems and Suspension of access to systems 1647
Personnel Security their resources
Guidelines for Access to systems and Suspension of access to systems 1734
Personnel Security their resources
Guidelines for Access to systems and Recording authorisation for 0407
Personnel Security their resources personnel to access systems

Guidelines for Access to systems and Temporary access to systems 0441


Personnel Security their resources

Guidelines for Access to systems and Emergency access to systems 1610


Personnel Security their resources

Guidelines for Access to systems and Emergency access to systems 1611


Personnel Security their resources
Guidelines for Access to systems and Emergency access to systems 1612
Personnel Security their resources
Guidelines for Access to systems and Emergency access to systems 1614
Personnel Security their resources
Guidelines for Access to systems and Emergency access to systems 1615
Personnel Security their resources
Guidelines for Access to systems and Emergency access to systems 1613
Personnel Security their resources
Guidelines for Access to systems and Emergency access to systems 1715
Personnel Security their resources
Guidelines for Cabling infrastructure Cabling infrastructure standards 0181
Communications
Infrastructure
Guidelines for Cabling infrastructure Use of fibre-optic cables 1111
Communications
Infrastructure
Guidelines for Cabling infrastructure Cable register 0211
Communications
Infrastructure
Guidelines for Cabling infrastructure Cable register 0208
Communications
Infrastructure

Guidelines for Cabling infrastructure Floor plan diagrams 1645


Communications
Infrastructure
Guidelines for Cabling infrastructure Floor plan diagrams 1646
Communications
Infrastructure

Guidelines for Cabling infrastructure Cable labelling processes and 0206


Communications procedures
Infrastructure
Guidelines for Cabling infrastructure Labelling cables 1096
Communications
Infrastructure
Guidelines for Cabling infrastructure Labelling building management 1639
Communications cables
Infrastructure
Guidelines for Cabling infrastructure Labelling cables for foreign systems 1640
Communications in Australian facilities
Infrastructure
Guidelines for Cabling infrastructure Cable colours 1820
Communications
Infrastructure
Guidelines for Cabling infrastructure Cable colours 0926
Communications
Infrastructure
Guidelines for Cabling infrastructure Cable inspectability 1112
Communications
Infrastructure
Guidelines for Cabling infrastructure Cable inspectability 1119
Communications
Infrastructure
Guidelines for Cabling infrastructure Common cable reticulation systems 1114
Communications
Infrastructure
Guidelines for Cabling infrastructure Enclosed cable reticulation systems 1130
Communications
Infrastructure
Guidelines for Cabling infrastructure Covers for enclosed cable 1164
Communications reticulation systems
Infrastructure
Guidelines for Cabling infrastructure Cables in walls 1115
Communications
Infrastructure
Guidelines for Cabling infrastructure Labelling wall outlet boxes 1095
Communications
Infrastructure
Guidelines for Cabling infrastructure Wall outlet box colours 1822
Communications
Infrastructure
Guidelines for Cabling infrastructure Wall outlet box colours 1107
Communications
Infrastructure
Guidelines for Cabling infrastructure Wall outlet box covers 1109
Communications
Infrastructure
Guidelines for Cabling infrastructure Connecting cable reticulation 1102
Communications systems to cabinets
Infrastructure
Guidelines for Cabling infrastructure Connecting cable reticulation 1101
Communications systems to cabinets
Infrastructure
Guidelines for Cabling infrastructure Connecting cable reticulation 1103
Communications systems to cabinets
Infrastructure
Guidelines for Emanation security Emanation security threat 0248
Communications assessments in Australia
Infrastructure

Guidelines for Emanation security Emanation security threat 0249


Communications assessments outside Australia
Infrastructure
Guidelines for Emanation security Early consideration of emanation 0246
Communications security threats
Infrastructure
Guidelines for Emanation security Electromagnetic 0250
Communications interference/electromagnetic
Infrastructure compatibility standards
Guidelines for Communications Systems | Telephone systems | Telephone system usage policy | 1078
Guidelines for Communications Systems | Telephone systems | Personnel awareness | 0229
Guidelines for Communications Systems | Telephone systems | Personnel awareness | 0230
Guidelines for Communications Systems | Telephone systems | Personnel awareness | 0231
Guidelines for Communications Systems | Telephone systems | Protecting conversations | 0232
Guidelines for Communications Systems | Telephone systems | Cordless telephone systems | 0233
Guidelines for Communications Systems | Telephone systems | Speakerphones | 0235
Guidelines for Communications Systems | Telephone systems | Off-hook audio protection | 0236
Guidelines for Communications Systems | Telephone systems | Off-hook audio protection | 0931
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video conferencing and Internet Protocol telephony infrastructure hardening | 1562
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video-aware and voice-aware firewalls and proxies | 0546
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Protecting video conferencing and Internet Protocol telephony traffic | 0548
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Protecting video conferencing and Internet Protocol telephony traffic | 0547
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video conferencing unit and Internet Protocol phone authentication | 0554
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video conferencing unit and Internet Protocol phone authentication | 0553
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video conferencing unit and Internet Protocol phone authentication | 0555
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Video conferencing unit and Internet Protocol phone authentication | 0551
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Traffic separation | 0549
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Traffic separation | 0556
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Internet Protocol phones in public areas | 0558
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Microphones and webcams | 0559
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Microphones and webcams | 1450
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Denial of service response plan | 1019
Guidelines for Communications Systems | Video conferencing and Internet Protocol telephony | Denial of service response plan | 1805
Guidelines for Communications Systems | Fax machines and multifunction devices | Fax machine and multifunction device usage policy | 0588
Guidelines for Communications Systems | Fax machines and multifunction devices | Sending fax messages | 1092
Guidelines for Communications Systems | Fax machines and multifunction devices | Sending fax messages | 0241
Guidelines for Communications Systems | Fax machines and multifunction devices | Receiving fax messages | 1075
Guidelines for Communications Systems | Fax machines and multifunction devices | Connecting multifunction devices to networks | 0590
Guidelines for Communications Systems | Fax machines and multifunction devices | Connecting multifunction devices to both networks and digital telephone systems | 0245
Guidelines for Communications Systems | Fax machines and multifunction devices | Copying documents on multifunction devices | 0589
Guidelines for Communications Systems | Fax machines and multifunction devices | Observing fax machine and multifunction device use | 1036
Guidelines for Enterprise Mobility | Mobile device management | Mobile device management policy | 1533
Guidelines for Enterprise Mobility | Mobile device management | Mobile device management policy | 1195
Guidelines for Enterprise Mobility | Mobile device management | Privately-owned mobile devices | 1297
Guidelines for Enterprise Mobility | Mobile device management | Privately-owned mobile devices | 1400
Guidelines for Enterprise Mobility | Mobile device management | Organisation-owned mobile devices | 1482
Guidelines for Enterprise Mobility | Mobile device management | Storage encryption | 0869
Guidelines for Enterprise Mobility | Mobile device management | Communications encryption | 1085
Guidelines for Enterprise Mobility | Mobile device management | Bluetooth functionality | 1196
Guidelines for Enterprise Mobility | Mobile device management | Bluetooth functionality | 1200
Guidelines for Enterprise Mobility | Mobile device management | Bluetooth functionality | 1198
Guidelines for Enterprise Mobility | Mobile device management | Bluetooth functionality | 1199
Guidelines for Enterprise Mobility | Mobile device management | Maintaining mobile device security | 0863
Guidelines for Enterprise Mobility | Mobile device management | Maintaining mobile device security | 0864
Guidelines for Enterprise Mobility | Mobile device management | Maintaining mobile device security | 1366
Guidelines for Enterprise Mobility | Mobile device management | Connecting mobile devices to the internet | 0874
Guidelines for Enterprise Mobility | Mobile device management | Connecting mobile devices to the internet | 0705
Guidelines for Enterprise Mobility | Mobile device usage | Mobile device usage policy | 1082
Guidelines for Enterprise Mobility | Mobile device usage | Personnel awareness | 1083
Guidelines for Enterprise Mobility | Mobile device usage | Paging, message services and messaging apps | 0240
Guidelines for Enterprise Mobility | Mobile device usage | Using mobile devices in public spaces | 0866
Guidelines for Enterprise Mobility | Mobile device usage | Using mobile devices in public spaces | 1644
Guidelines for Enterprise Mobility | Mobile device usage | Maintaining control of mobile devices | 0871
Guidelines for Enterprise Mobility | Mobile device usage | Maintaining control of mobile devices | 0870
Guidelines for Enterprise Mobility | Mobile device usage | Maintaining control of mobile devices | 1084
Guidelines for Enterprise Mobility | Mobile device usage | Mobile device emergency sanitisation processes and procedures | 0701
Guidelines for Enterprise Mobility | Mobile device usage | Before travelling overseas with mobile devices | 1298
Guidelines for Enterprise Mobility | Mobile device usage | Before travelling overseas with mobile devices | 1554
Guidelines for Enterprise Mobility | Mobile device usage | Before travelling overseas with mobile devices | 1555
Guidelines for Enterprise Mobility | Mobile device usage | While travelling overseas with mobile devices | 1299
Guidelines for Enterprise Mobility | Mobile device usage | While travelling overseas with mobile devices | 1088
Guidelines for Enterprise Mobility | Mobile device usage | After travelling overseas with mobile devices | 1300
Guidelines for Enterprise Mobility | Mobile device usage | After travelling overseas with mobile devices | 1556
Guidelines for Evaluated Products | Evaluated product procurement | Evaluated product selection | 0280
Guidelines for Evaluated Products | Evaluated product procurement | Delivery of evaluated products | 0285
Guidelines for Evaluated Products | Evaluated product usage | Installation and configuration of evaluated products | 0289
Guidelines for ICT Equipment | ICT equipment usage | ICT equipment management policy | 1551
Guidelines for ICT Equipment | ICT equipment usage | ICT equipment register | 0336
Guidelines for ICT Equipment | ICT equipment usage | Labelling ICT equipment | 0294
Guidelines for ICT Equipment | ICT equipment usage | Classifying ICT equipment | 0293
Guidelines for ICT Equipment | ICT equipment usage | Handling ICT equipment | 1599
Guidelines for ICT Equipment | ICT equipment maintenance and repairs | On-site maintenance and repairs | 0305
Guidelines for ICT Equipment | ICT equipment maintenance and repairs | On-site maintenance and repairs | 0307
Guidelines for ICT Equipment | ICT equipment maintenance and repairs | On-site maintenance and repairs | 0306
Guidelines for ICT Equipment | ICT equipment maintenance and repairs | Off-site maintenance and repairs | 0310
Guidelines for ICT Equipment | ICT equipment maintenance and repairs | Inspection of ICT equipment following maintenance and repairs | 1598
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | ICT equipment sanitisation processes and procedures | 0313
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | ICT equipment destruction processes and procedures | 1741
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising ICT equipment | 0311
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising ICT equipment | 1742
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 0317
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 1219
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 1220
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 1221
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 0318
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising printers and multifunction devices | 1534
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising televisions and computer monitors | 1076
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising televisions and computer monitors | 1222
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising network devices | 1223
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising fax machines | 1225
Guidelines for ICT Equipment | ICT equipment sanitisation and destruction | Sanitising fax machines | 1226
Guidelines for ICT Equipment | ICT equipment disposal | ICT equipment disposal processes and procedures | 1550
Guidelines for ICT Equipment | ICT equipment disposal | Disposal of ICT equipment | 1217
Guidelines for ICT Equipment | ICT equipment disposal | Disposal of ICT equipment | 0316
Guidelines for Media | Media usage | Media management policy | 1549
Guidelines for Media | Media usage | Removable media usage policy | 1359
Guidelines for Media | Media usage | Removable media register | 1713
Guidelines for Media | Media usage | Labelling media | 0332
Guidelines for Media | Media usage | Classifying media | 0323
Guidelines for Media | Media usage | Classifying media | 0337
Guidelines for Media | Media usage | Reclassifying media | 0325
Guidelines for Media | Media usage | Reclassifying media | 0330
Guidelines for Media | Media usage | Handling media | 0831
Guidelines for Media | Media usage | Handling media | 1059
Guidelines for Media | Media usage | Sanitising media before first use | 1600
Guidelines for Media | Media usage | Sanitising media before first use | 1642
Guidelines for Media | Media usage | Using media for data transfers | 0347
Guidelines for Media | Media usage | Using media for data transfers | 0947
Guidelines for Media | Media sanitisation | Media sanitisation processes and procedures | 0348
Guidelines for Media | Media sanitisation | Volatile media sanitisation | 0351
Guidelines for Media | Media sanitisation | Non-volatile magnetic media sanitisation | 0354
Guidelines for Media | Media sanitisation | Non-volatile magnetic media sanitisation | 1065
Guidelines for Media | Media sanitisation | Non-volatile magnetic media sanitisation | 1067
Guidelines for Media | Media sanitisation | Non-volatile erasable programmable read-only memory media sanitisation | 0357
Guidelines for Media | Media sanitisation | Non-volatile electrically erasable programmable read-only memory media sanitisation | 0836
Guidelines for Media | Media sanitisation | Non-volatile flash memory media sanitisation | 0359
Guidelines for Media | Media sanitisation | Media that cannot be successfully sanitised | 1735
Guidelines for Media | Media destruction | Media destruction processes and procedures | 0363
Guidelines for Media | Media destruction | Media that cannot be sanitised | 0350
Guidelines for Media | Media destruction | Media destruction equipment | 1361
Guidelines for Media | Media destruction | Media destruction equipment | 1160
Guidelines for Media | Media destruction | Media destruction methods | 1517
Guidelines for Media | Media destruction | Media destruction methods | 1722
Guidelines for Media | Media destruction | Media destruction methods | 1723
Guidelines for Media | Media destruction | Media destruction methods | 1724
Guidelines for Media | Media destruction | Media destruction methods | 1725
Guidelines for Media | Media destruction | Media destruction methods | 1726
Guidelines for Media | Media destruction | Media destruction methods | 1727
Guidelines for Media | Media destruction | Media destruction methods | 0368
Guidelines for Media | Media destruction | Degaussing magnetic media | 0361
Guidelines for Media | Media destruction | Degaussing magnetic media | 0362
Guidelines for Media | Media destruction | Degaussing magnetic media | 1641
Guidelines for Media | Media destruction | Supervision of destruction | 0370
Guidelines for Media | Media destruction | Supervision of destruction | 0371
Guidelines for Media | Media destruction | Supervision of accountable material destruction | 0372
Guidelines for Media | Media destruction | Supervision of accountable material destruction | 0373
Guidelines for Media | Media destruction | Outsourcing media destruction | 0839
Guidelines for Media | Media destruction | Outsourcing media destruction | 0840
Guidelines for Media | Media disposal | Media disposal processes and procedures | 0374
Guidelines for Media | Media disposal | Disposal of media | 0378
Guidelines for Media | Media disposal | Disposal of media | 0375
Guidelines for System Hardening | Operating system hardening | Operating system selection | 1743
Guidelines for System Hardening | Operating system hardening | Operating system releases and versions | 1407
Guidelines for System Hardening | Operating system hardening | Operating system releases and versions | 1408
Guidelines for System Hardening | Operating system hardening | Standard Operating Environments | 1406
Guidelines for System Hardening | Operating system hardening | Standard Operating Environments | 1608
Guidelines for System Hardening | Operating system hardening | Standard Operating Environments | 1588
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1409
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 0380
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 0383
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 0341
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1654
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1655
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1492
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1745
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1584
Guidelines for System Hardening | Operating system hardening | Hardening operating system configurations | 1491
Guidelines for System Hardening | Operating system hardening | Application management | 1592
Guidelines for System Hardening | Operating system hardening | Application management | 0382
Guidelines for System Hardening | Operating system hardening | Application control | 0843
Guidelines for System Hardening | Operating system hardening | Application control | 1490
Guidelines for System Hardening | Operating system hardening | Application control | 1656
Guidelines for System Hardening | Operating system hardening | Application control | 1657
Guidelines for System Hardening | Operating system hardening | Application control | 1658
Guidelines for System Hardening | Operating system hardening | Application control | 0955
Guidelines for System Hardening | Operating system hardening | Application control | 1582
Guidelines for System Hardening | Operating system hardening | Application control | 1471
Guidelines for System Hardening | Operating system hardening | Application control | 1392
Guidelines for System Hardening | Operating system hardening | Application control | 1746
Guidelines for System Hardening | Operating system hardening | Application control | 1544
Guidelines for System Hardening | Operating system hardening | Application control | 1659
Guidelines for System Hardening | Operating system hardening | Application control | 0846
Guidelines for System Hardening | Operating system hardening | Application control | 1660
Guidelines for System Hardening | Operating system hardening | Application control | 1661
Guidelines for System Hardening | Operating system hardening | Application control | 1662
Guidelines for System Hardening | Operating system hardening | Application control | 1663
Guidelines for System Hardening | Operating system hardening | PowerShell | 1621
Guidelines for System Hardening | Operating system hardening | PowerShell | 1622
Guidelines for System Hardening | Operating system hardening | PowerShell | 1623
Guidelines for System Hardening | Operating system hardening | PowerShell | 1624
Guidelines for System Hardening | Operating system hardening | PowerShell | 1664
Guidelines for System Hardening | Operating system hardening | PowerShell | 1665
Guidelines for System Hardening | Operating system hardening | Host-based Intrusion Prevention System | 1341
Guidelines for System Hardening | Operating system hardening | Host-based Intrusion Prevention System | 1034
Guidelines for System Hardening | Operating system hardening | Software firewall | 1416
Guidelines for System Hardening | Operating system hardening | Antivirus software | 1417
Guidelines for System Hardening | Operating system hardening | Device access control software | 1418
Guidelines for System Hardening | Operating system hardening | Device access control software | 0343
Guidelines for System Hardening | Operating system hardening | Device access control software | 0345
Guidelines for System Hardening | Operating system hardening | Operating system event logging | 0582
Guidelines for System Hardening | Operating system hardening | Operating system event logging | 1747
Guidelines for System Hardening | User application hardening | User application selection | 0938
Guidelines for System Hardening | User application hardening | User application releases | 1467
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1806
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1412
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1470
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1235
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1667
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1668
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1669
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1542
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1823
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1486
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1485
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1666
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1585
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1670
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1824
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1601
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1748
Guidelines for System Hardening | User application hardening | Hardening user application configurations | 1825
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1671
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1488
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1672
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1673
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1674
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1487
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1675
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1676
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1489
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1677
Guidelines for System Hardening | User application hardening | Microsoft Office macros | 1678
Guidelines for System Hardening | Server application hardening | Server application selection | 1826
Guidelines for System Hardening | Server application hardening | Server application releases | 1483
Guidelines for System Hardening | Server application hardening | Hardening server application configurations | 1246
Guidelines for System Hardening | Server application hardening | Hardening server application configurations | 1260
Guidelines for System Hardening | Server application hardening | Hardening server application configurations | 1247
Guidelines for System Hardening | Server application hardening | Hardening server application configurations | 1245
Guidelines for System Hardening | Server application hardening | Restricting privileges for server applications | 1249
Guidelines for System Hardening | Server application hardening | Restricting privileges for server applications | 1250
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services domain controllers | 1827
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services domain controllers | 1828
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services domain controllers | 1829
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services domain controllers | 1830
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services domain controllers | 1831
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1832
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1833
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1834
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1835
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1836
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1837
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1838
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1839
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1840
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1841
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1842
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1843
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services account hardening | 1844
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services security group memberships | 1620
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services security group memberships | 1845
Guidelines for System Hardening | Server application hardening | Microsoft Active Directory Domain Services security group memberships | 1846
Guidelines for System Hardening | Authentication hardening | Authenticating to systems | 1546
Guidelines for System Hardening | Authentication hardening | Insecure authentication methods | 1603
Guidelines for System Hardening | Authentication hardening | Insecure authentication methods | 1055
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 0974
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1173
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1504
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1679
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1680
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1681
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1505
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1401
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1682
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1559
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1683
Guidelines for System Hardening | Authentication hardening | Multi-factor authentication | 1684
Guidelines for System Hardening | Authentication hardening | Single-factor authentication | 0417
Guidelines for System Hardening | Authentication hardening | Single-factor authentication | 0421
Guidelines for System Hardening | Authentication hardening | Single-factor authentication | 1558
Guidelines for System Hardening | Authentication hardening | Setting credentials for user accounts | 1593
Guidelines for System Hardening | Authentication hardening | Setting credentials for user accounts | 1227
Guidelines for System Hardening | Authentication hardening | Setting credentials for user accounts | 1594
Guidelines for System Hardening | Authentication hardening | Setting credentials for user accounts | 1595
Guidelines for System Hardening | Authentication hardening | Setting credentials for user accounts | 1596
Guidelines for System Hardening | Authentication hardening | Setting credentials for local administrator accounts and service accounts | 1685
Guidelines for System Hardening | Authentication hardening | Setting credentials for local administrator accounts and service accounts | 1619
Guidelines for System Hardening | Authentication hardening | Setting credentials for local administrator accounts and service accounts | 1795
Guidelines for System Hardening | Authentication hardening | Changing credentials | 1590
Guidelines for System Hardening | Authentication hardening | Changing credentials | 1847
Guidelines for System Hardening | Authentication hardening | Protecting credentials | 0418
Guidelines for System Hardening | Authentication hardening | Protecting credentials | 1597
Guidelines for System Hardening | Authentication hardening | Protecting credentials | 1402
Guidelines for System Hardening | Authentication hardening | Protecting credentials | 1686
Guidelines for System Hardening | Authentication hardening | Protecting credentials | 1749
Guidelines for System Hardening | Authentication hardening | Account lockouts | 1403
Guidelines for System Hardening | Authentication hardening | Session termination | 0853
Guidelines for System Hardening | Authentication hardening | Session and screen locking | 0428
Guidelines for System Hardening | Authentication hardening | Logon banner | 0408
Guidelines for System Hardening | Authentication hardening | Logon banner | 0979
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1460
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1604
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1605
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1606
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1848
Guidelines for System Hardening | Virtualisation hardening | Functional separation between computing environments | 1607
Guidelines for System Management | System administration | System administration processes and procedures | 0042
Guidelines for System Management | System administration | System administration processes and procedures | 1211
Guidelines for System Management | System administration | Separate privileged operating environments | 1380
Guidelines for System Management | System administration | Separate privileged operating environments | 1687
Guidelines for System Management | System administration | Separate privileged operating environments | 1688
Guidelines for System Management | System administration | Separate privileged operating environments | 1689
Guidelines for System Management | System administration | Administrative infrastructure | 1385
Guidelines for System Management | System administration | Administrative infrastructure | 1750
Guidelines for System Management | System administration | Administrative infrastructure | 1386
Guidelines for System Management | System administration | Administrative infrastructure | 1387
Guidelines for System Management | System administration | Administrative infrastructure | 1381
Guidelines for System Management | System administration | Administrative infrastructure | 1388
Guidelines for System Management | System patching | Patch management processes and procedures | 1143
Guidelines for System Management | System patching | Patch management processes and procedures | 0298
Guidelines for System Management | System patching | Software register | 1493
Guidelines for System Management | System patching | Software register | 1643
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1807
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1808
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1698
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1699
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1700
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1701
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1702
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1752
Guidelines for System Management | System patching | Scanning for missing patches or updates | 1703
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1690
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1691
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1692
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1693
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1694
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1695
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1696
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1751
Guidelines for System Management | System patching | When to patch security vulnerabilities | 1697
Guidelines for System Management | System patching | Cessation of support | 1704
Guidelines for System Management | System patching | Cessation of support | 0304
Guidelines for System Management | System patching | Cessation of support | 1501
Guidelines for System Management | System patching | Cessation of support | 1753
Guidelines for System Management | System patching | Cessation of support | 1809
Guidelines for System Management | Data backup and restoration | Digital preservation policy | 1510
Guidelines for System Management | Data backup and restoration | Data backup and restoration processes and procedures | 1547
Guidelines for System Management | Data backup and restoration | Data backup and restoration processes and procedures | 1548
Guidelines for System Management | Data backup and restoration | Performing and retaining backups | 1511
Guidelines for System Management | Data backup and restoration | Performing and retaining backups | 1810
Guidelines for System Management | Data backup and restoration | Performing and retaining backups | 1811
Guidelines for System Management | Data backup and restoration | Backup access | 1812
Guidelines for System Management | Data backup and restoration | Backup access | 1813
Guidelines for System Management | Data backup and restoration | Backup access | 1705
Guidelines for System Management | Data backup and restoration | Backup access | 1706
Guidelines for System Management | Data backup and restoration | Backup modification and deletion | 1814
Guidelines for System Management | Data backup and restoration | Backup modification and deletion | 1707
Guidelines for System Management | Data backup and restoration | Backup modification and deletion | 1708
Guidelines for System Management | Data backup and restoration | Testing restoration of backups | 1515
Guidelines for System Event logging and Event logging policy 0580
Monitoring monitoring
Guidelines for System Event logging and Event log details 0585
Monitoring monitoring

Guidelines for System Event logging and Centralised event logging facility 1405
Monitoring monitoring
Guidelines for System Event logging and Centralised event logging facility 1815
Monitoring monitoring
Guidelines for System Event logging and Centralised event logging facility 0988
Monitoring monitoring
Guidelines for System Event logging and Event log monitoring 0109
Monitoring monitoring
Guidelines for System Event logging and Event log monitoring 1228
Monitoring monitoring
Guidelines for System Event logging and Event log retention 0859
Monitoring monitoring
Guidelines for System Event logging and Event log retention 0991
Monitoring monitoring
Guidelines for Application Development, testing and 0400
Software development production environments
Development
Guidelines for Application Development, testing and 1419
Software development production environments
Development
Guidelines for Application Development, testing and 1420
Software development production environments
Development
Guidelines for Application Development, testing and 1422
Software development production environments
Development
Guidelines for Application Development, testing and 1816
Software development production environments
Development
Guidelines for Application Secure software design and 0401
Software development development
Development
Guidelines for Application Secure software design and 1780
Software development development
Development
Guidelines for Application Secure software design and 1238
Software development development
Development
Guidelines for Application Secure software design and 1796
Software development development
Development
Guidelines for Application Secure software design and 1797
Software development development
Development
Guidelines for Application Secure software design and 1798
Software development development
Development
Guidelines for Application Software bill of materials 1730
Software development
Development
Guidelines for Application Application security testing 0402
Software development
Development
Guidelines for Application Application security testing 1754
Software development
Development
Guidelines for Application Vulnerability disclosure program 1616
Software development
Development
Guidelines for Application Vulnerability disclosure program 1755
Software development
Development
Guidelines for Application Vulnerability disclosure program 1756
Software development
Development
Guidelines for Application Vulnerability disclosure program 1717
Software development
Development
Guidelines for Web application Open Web Application Security 0971
Software development Projects
Development
Guidelines for Web application Open Web Application Security 1849
Software development Projects
Development
Guidelines for Web application Open Web Application Security 1850
Software development Projects
Development
Guidelines for Web application Web application frameworks 1239
Software development
Development
Guidelines for Web application Web application interactions 1552
Software development
Development
Guidelines for Web application Web application programming 1817
Software development interfaces
Development
Guidelines for Web application Web application programming 1818
Software development interfaces
Development
Guidelines for Web application Web application programming 1851
Software development interfaces
Development
Guidelines for Web application Web application input handling 1240
Software development
Development
Guidelines for Web application Web application output encoding 1241
Software development
Development
Guidelines for Web application Web browser-based controls 1424
Software development
Development
Guidelines for Web application Web application event logging 1536
Software development
Development
Guidelines for Web application Web application event logging 1757
Software development
Development
Guidelines for Database servers Functional separation between 1269
Database Systems database servers and web servers

Guidelines for Database servers Communications between database 1277


Database Systems servers and web servers

Guidelines for Database servers Network environment 1270


Database Systems
Guidelines for Database servers Network environment 1271
Database Systems

Guidelines for Database servers Network environment 1272


Database Systems

Guidelines for Database servers Separation of development, testing 1273


Database Systems and production database servers

Guidelines for Databases Database register 1243


Database Systems
Guidelines for Databases Protecting databases 1256
Database Systems
Guidelines for Databases Protecting database contents 0393
Database Systems
Guidelines for Databases Protecting database contents 1255
Database Systems
Guidelines for Databases Protecting database contents 1268
Database Systems
Guidelines for Databases Separation of development, testing 1274
Database Systems and production databases
Guidelines for Databases Web application interaction with 1275
Database Systems databases
Guidelines for Databases Web application interaction with 1276
Database Systems databases
Guidelines for Databases Web application interaction with 1278
Database Systems databases
Guidelines for Databases Database event logging 1537
Database Systems

Guidelines for Databases Database event logging 1758


Database Systems
Guidelines for Email Email usage Email usage policy 0264

Guidelines for Email Email usage Webmail services 0267

Guidelines for Email Email usage Protective markings for emails 0270

Guidelines for Email Email usage Protective marking tools 0271

Guidelines for Email Email usage Protective marking tools 0272

Guidelines for Email Email usage Protective marking tools 1089

Guidelines for Email Email usage Handling emails with inappropriate, 0565
invalid or missing protective
markings
Guidelines for Email Email usage Handling emails with inappropriate, 1023
invalid or missing protective
markings
Guidelines for Email Email gateways and Centralised email gateways 0569
servers
Guidelines for Email Email gateways and Centralised email gateways 0571
servers
Guidelines for Email Email gateways and Email gateway maintenance 0570
servers activities
Guidelines for Email Email gateways and Open relay email servers 0567
servers
Guidelines for Email Email gateways and Email server transport encryption 0572
servers
Guidelines for Email Email gateways and Email server transport encryption 1589
servers
Guidelines for Email Email gateways and Sender Policy Framework 0574
servers
Guidelines for Email Email gateways and Sender Policy Framework 1183
servers
Guidelines for Email Email gateways and Sender Policy Framework 1151
servers
Guidelines for Email Email gateways and DomainKeys Identified Mail 0861
servers
Guidelines for Email Email gateways and DomainKeys Identified Mail 1026
servers
Guidelines for Email Email gateways and DomainKeys Identified Mail 1027
servers
Guidelines for Email Email gateways and Domain-based Message 1540
servers Authentication, Reporting and
Conformance
Guidelines for Email Email gateways and Domain-based Message 1799
servers Authentication, Reporting and
Conformance
Guidelines for Email Email gateways and Email content filtering 1234
servers
Guidelines for Email Email gateways and Blocking suspicious emails 1502
servers

Guidelines for Email Email gateways and Notifications of undeliverable emails 1024
servers
Guidelines for Network design and Network documentation 0518
Networking configuration
Guidelines for Network design and Network documentation 0516
Networking configuration

Guidelines for Network design and Network documentation 1178


Networking configuration

Guidelines for Network design and Network encryption 1781


Networking configuration
Guidelines for Network design and Network segmentation and 1181
Networking configuration segregation
Guidelines for Network design and Network segmentation and 1577
Networking configuration segregation
Guidelines for Network design and Using Virtual Local Area Networks 1532
Networking configuration
Guidelines for Network design and Using Virtual Local Area Networks 0529
Networking configuration
Guidelines for Network design and Using Virtual Local Area Networks 0530
Networking configuration
Guidelines for Network design and Using Virtual Local Area Networks 0535
Networking configuration
Guidelines for Network design and Using Virtual Local Area Networks 1364
Networking configuration
Guidelines for Network design and Using Internet Protocol version 6 0521
Networking configuration
Guidelines for Network design and Using Internet Protocol version 6 1186
Networking configuration
Guidelines for Network design and Using Internet Protocol version 6 1428
Networking configuration
Guidelines for Network design and Using Internet Protocol version 6 1429
Networking configuration
Guidelines for Network design and Using Internet Protocol version 6 1430
Networking configuration

Guidelines for Network design and Network access controls 0520


Networking configuration
Guidelines for Network design and Network access controls 1182
Networking configuration
Guidelines for Network design and Functional separation between 0385
Networking configuration servers
Guidelines for Network design and Functional separation between 1479
Networking configuration servers
Guidelines for Network design and Network management traffic 1006
Networking configuration
Guidelines for Network design and Use of Simple Network Management 1311
Networking configuration Protocol
Guidelines for Network design and Use of Simple Network Management 1312
Networking configuration Protocol
Guidelines for Network design and Using Network-based Intrusion 1028
Networking configuration Detection and Prevention Systems

Guidelines for Network design and Using Network-based Intrusion 1030


Networking configuration Detection and Prevention Systems

Guidelines for Network design and Blocking anonymity network traffic 1627
Networking configuration
Guidelines for Network design and Blocking anonymity network traffic 1628
Networking configuration
Guidelines for Network design and Protective Domain Name System 1782
Networking configuration Services
Guidelines for Network design and Flashing network devices with 1800
Networking configuration trusted firmware before first use
Guidelines for Network design and Default accounts and credentials for 1304
Networking configuration network devices
Guidelines for Network design and Disabling unused physical ports on 0534
Networking configuration network devices
Guidelines for Network design and Regularly restarting network devices 1801
Networking configuration
Guidelines for Wireless networks Choosing wireless devices 1314
Networking
Guidelines for Wireless networks Public wireless networks 0536
Networking
Guidelines for Wireless networks Administrative interfaces for wireless 1315
Networking access points
Guidelines for Wireless networks Default settings 1710
Networking
Guidelines for Wireless networks Default settings 1316
Networking
Guidelines for Wireless networks Default settings 1317
Networking

Guidelines for Wireless networks Default settings 1318


Networking
Guidelines for Wireless networks Media Access Control address 1320
Networking filtering
Guidelines for Wireless networks Static addressing 1319
Networking
Guidelines for Wireless networks Confidentiality and integrity of 1332
Networking wireless network traffic
Guidelines for Wireless networks 802.1X authentication 1321
Networking
Guidelines for Wireless networks 802.1X authentication 1711
Networking
Guidelines for Wireless networks Evaluation of 802.1X authentication 1322
Networking implementation
Guidelines for Wireless networks Generating and issuing certificates 1324
Networking for authentication
Guidelines for Wireless networks Generating and issuing certificates 1323
Networking for authentication
Guidelines for Wireless networks Generating and issuing certificates 1327
Networking for authentication
Guidelines for Wireless networks Caching 802.1X authentication 1330
Networking outcomes
Guidelines for Wireless networks Fast Basic Service Set Transition 1712
Networking
Guidelines for Wireless networks Remote Authentication Dial-In User 1454
Networking Service authentication

Guidelines for Wireless networks Interference between wireless 1334


Networking networks
Guidelines for Wireless networks Protecting management frames on 1335
Networking wireless networks
Guidelines for Wireless networks Wireless network footprint 1338
Networking

Guidelines for Service continuity for Cloud-based hosting of online 1437


Networking online services services
Guidelines for Service continuity for Location policies for online services 1578
Networking online services
Guidelines for Service continuity for Availability planning and monitoring 1579
Networking online services for online services

Guidelines for Service continuity for Availability planning and monitoring 1580
Networking online services for online services
Guidelines for Service continuity for Availability planning and monitoring 1441
Networking online services for online services
Guidelines for Service continuity for Availability planning and monitoring 1581
Networking online services for online services
Guidelines for Service continuity for Using content delivery networks 1438
Networking online services
Guidelines for Service continuity for Using content delivery networks 1439
Networking online services

Guidelines for Service continuity for Denial of service strategies 1431


Networking online services

Guidelines for Service continuity for Denial of service strategies 1458


Networking online services
Guidelines for Service continuity for Domain name registrar locking 1432
Networking online services
Guidelines for Service continuity for Monitoring with real-time alerting 1435
Networking online services for online services
Guidelines for Service continuity for Segregation of critical online services 1436
Networking online services
Guidelines for Service continuity for Preparing for service continuity 1518
Networking online services

Guidelines for Cryptographic Cryptographic key management 0507


Cryptography fundamentals processes and procedures
Guidelines for Cryptographic Encrypting data at rest 1080
Cryptography fundamentals
Guidelines for Cryptographic Encrypting data at rest 0457
Cryptography fundamentals

Guidelines for Cryptographic Encrypting data at rest 0459


Cryptography fundamentals

Guidelines for Cryptographic Encrypting data in transit 0469


Cryptography fundamentals

Guidelines for Cryptographic Encrypting data in transit 0465


Cryptography fundamentals

Guidelines for Cryptographic Data recovery 0455


Cryptography fundamentals

Guidelines for Cryptographic Handling encrypted ICT equipment 0462


Cryptography fundamentals and media

Guidelines for Cryptographic Transporting cryptographic 0501


Cryptography fundamentals equipment
Guidelines for Cryptographic Reporting cryptographic-related 0142
Cryptography fundamentals cyber security incidents

Guidelines for Cryptographic Reporting cryptographic-related 1091


Cryptography fundamentals cyber security incidents
Guidelines for ASD-Approved Using ASD-Approved Cryptographic 0471
Cryptography Cryptographic Algorithms
Algorithms
Guidelines for ASD-Approved Asymmetric/public key algorithms 0994
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using Diffie-Hellman 0472
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using Diffie-Hellman 1629
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using the Digital Signature Algorithm 0473
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using the Digital Signature Algorithm 1630
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using Elliptic Curve Cryptography 1446
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using Elliptic Curve Diffie-Hellman 0474
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using the Elliptic Curve Digital 0475
Cryptography Cryptographic Signature Algorithm
Algorithms
Guidelines for ASD-Approved Using Rivest-Shamir-Adleman 0476
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using Rivest-Shamir-Adleman 0477
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using hashing algorithms 1766
Cryptography Cryptographic
Algorithms
Guidelines for ASD-Approved Using symmetric encryption 1769
Cryptography Cryptographic algorithms
Algorithms
Guidelines for ASD-Approved Using symmetric encryption 0479
Cryptography Cryptographic algorithms
Algorithms
Guidelines for ASD-Approved Using ASD-Approved Cryptographic 0481
Cryptography Cryptographic Protocols
Protocols
Guidelines for Transport Layer Configuring Transport Layer Security 1139
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1369
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1370
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1372
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1448
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1373
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1374
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1375
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1553
Cryptography Security
Guidelines for Transport Layer Configuring Transport Layer Security 1453
Cryptography Security
Guidelines for Secure Shell Configuring Secure Shell 1506
Cryptography
Guidelines for Secure Shell Configuring Secure Shell 0484
Cryptography

Guidelines for Secure Shell Authentication mechanisms 0485


Cryptography
Guidelines for Secure Shell Authentication mechanisms 1449
Cryptography
Guidelines for Secure Shell Automated remote access 0487
Cryptography

Guidelines for Secure Shell Automated remote access 0488


Cryptography

Guidelines for Secure Shell SSH-agent 0489


Cryptography

Guidelines for Secure/Multipurpose Configuring Secure/Multipurpose 0490


Cryptography Internet Mail Internet Mail Extension
Extension
Guidelines for Internet Protocol Mode of operation 0494
Cryptography Security
Guidelines for Internet Protocol Protocol selection 0496
Cryptography Security
Guidelines for Internet Protocol Key exchange 1233
Cryptography Security
Guidelines for Internet Protocol Encryption algorithms 1771
Cryptography Security
Guidelines for Internet Protocol Pseudorandom function algorithms 1772
Cryptography Security
Guidelines for Internet Protocol Integrity algorithms 0998
Cryptography Security

Guidelines for Internet Protocol Diffie-Hellman groups 0999


Cryptography Security
Guidelines for Internet Protocol Security association lifetimes 0498
Cryptography Security
Guidelines for Internet Protocol Perfect Forward Secrecy 1000
Cryptography Security
Guidelines for Gateways Implementing gateways 0628
Gateways
Guidelines for Gateways Implementing gateways 0637
Gateways
Guidelines for Gateways Implementing gateways 0631
Gateways
Guidelines for Gateways Implementing gateways 1192
Gateways
Guidelines for Gateways Implementing gateways 1427
Gateways
Guidelines for Gateways System administrators for gateways 1520
Gateways

Guidelines for Gateways System administrators for gateways 0611


Gateways
Guidelines for Gateways System administrators for gateways 0616
Gateways
Guidelines for Gateways System administrators for gateways 0612
Gateways
Guidelines for Gateways System administration of gateways 1774
Gateways
Guidelines for Gateways System administration of gateways 0629
Gateways

Guidelines for Gateways Authenticating to networks accessed 0619


Gateways via gateways
Guidelines for Gateways Authenticating to networks accessed 0622
Gateways via gateways
Guidelines for Gateways Border Gateway Protocol route 1783
Gateways security
Guidelines for Gateways Gateway event logging and alerting 0634
Gateways

Guidelines for Gateways Gateway event logging and alerting 1775


Gateways
Guidelines for Gateways Assessment of gateways 1037
Gateways

Guidelines for Gateways Assessment of gateways 0100


Gateways
Guidelines for Firewalls Using firewalls 1528
Gateways
Guidelines for Firewalls Using firewalls 0639
Gateways
Guidelines for Diodes Using diodes 0643
Gateways

Guidelines for Diodes Using diodes 1157


Gateways
Guidelines for Web proxies Web usage policy 0258
Gateways
Guidelines for Web proxies Using web proxies 0260
Gateways
Guidelines for Web proxies Web proxy event logging 0261
Gateways

Guidelines for Web proxies Web proxy event logging 1777


Gateways
Guidelines for Web content filters Using web content filters 0963
Gateways
Guidelines for Web content filters Using web content filters 0961
Gateways
Guidelines for Web content filters Using web content filters 1237
Gateways
Guidelines for Web content filters Transport Layer Security filtering 0263
Gateways
Guidelines for Web content filters Allowing and blocking access to 0958
Gateways domain names

Guidelines for Web content filters Allowing and blocking access to 1236
Gateways domain names
Guidelines for Web content filters Allowing and blocking access to 1171
Gateways domain names
Guidelines for Content filtering Performing content filtering 0659
Gateways
Guidelines for Content filtering Performing content filtering 0651
Gateways
Guidelines for Content filtering Performing content filtering 0652
Gateways
Guidelines for Content filtering Encrypted files 1293
Gateways
Guidelines for Content filtering Archive files 1289
Gateways
Guidelines for Content filtering Archive files 1290
Gateways
Guidelines for Content filtering Antivirus scanning 1288
Gateways
Guidelines for Content filtering Automated dynamic analysis 1389
Gateways
Guidelines for Content filtering Allowing specific content types 0649
Gateways
Guidelines for Content filtering Content validation 1284
Gateways
Guidelines for Content filtering Content conversion 1286
Gateways
Guidelines for Content filtering Content sanitisation 1287
Gateways
Guidelines for Content filtering Validating file integrity 0677
Gateways
Guidelines for Peripheral switches Using peripheral switches 0591
Gateways
Guidelines for Data Data transfers Data transfer processes and 0663
Transfers procedures
Guidelines for Data Data transfers User responsibilities 0661
Transfers
Guidelines for Data Data transfers Manual import of data 0657
Transfers
Guidelines for Data Data transfers Manual import of data 1778
Transfers

Guidelines for Data Data transfers Manual export of data 1187


Transfers
Guidelines for Data Data transfers Manual export of data 1779
Transfers
Guidelines for Data Data transfers Monitoring data import and export 1586
Transfers
Guidelines for Data Data transfers Monitoring data import and export 1294
Transfers
plicable to OFFICIAL Priority
Control description Supports RFFR
core expectations

A CISO is appointed to provide cyber security leadership and guidance for their
organisation.

The CISO oversees their organisation’s cyber security program and ensures their Y
organisation’s compliance with cyber security policy, standards, regulations and
legislation.
The CISO regularly reviews and updates their organisation’s cyber security program to
ensure its relevance in addressing cyber threats and harnessing business and cyber
security opportunities.
The CISO implements cyber security measurement metrics and key performance
indicators for their organisation.

The CISO coordinates cyber security and business alignment through a cyber security
steering committee or advisory board, comprising of key cyber security and business
executives, which meets formally and on a regular basis.

The CISO coordinates security risk management activities between cyber security and
business teams.

The CISO reports directly to their organisation’s senior executive or Board on cyber
security matters.

The CISO is fully aware of all cyber security incidents within their organisation.

The CISO oversees their organisation’s response to cyber security incidents.

The CISO contributes to the development and maintenance of business continuity and Y
disaster recovery plans for their organisation to ensure that business-critical services
are supported appropriately in the event of a disaster.

The CISO develops, implements and maintains a cyber security communications


strategy for their organisation.

The CISO oversees cyber supply chain risk management activities for their organisation.

The CISO receives and manages a dedicated cyber security budget for their
organisation.

The CISO oversees the management of cyber security personnel within their
organisation.

The CISO oversees the development, implementation and maintenance of their


organisation’s cyber security awareness training program.

Each system has a designated system owner.


System owners register each system with its authorising officer.

System owners determine the type, value and security objectives for each system
based on an assessment of the impact if it were to be compromised.

System owners select controls for each system and tailor them to achieve desired
security objectives.

System owners implement controls for each system and its operating environment.

System owners ensure controls for each system and its operating environment are
assessed to determine if they have been implemented correctly and are operating as
intended.
System owners obtain authorisation to operate each system from its authorising officer
based on the acceptance of the security risks associated with its operation.

System owners monitor each system, and associated cyber threats, security risks and Y
controls, on an ongoing basis.

System owners report the security status of each system to its authorising officer at
least annually.

An incident management policy, and associated incident response plan, is developed,


implemented and maintained.

The incident management policy, including the associated incident response plan, is
exercised at least annually.

A cyber security incident register is developed, implemented and maintained. Y

A cyber security incident register contains the following for each cyber security
incident:
• the date the cyber security incident occurred
• the date the cyber security incident was discovered
• a description of the cyber security incident
• any actions taken in response to the cyber security incident
• to whom the cyber security incident was reported.

A trusted insider program is developed, implemented and maintained.

Legal advice is sought regarding the development and implementation of a trusted


insider program.

Cyber security personnel have access to sufficient data sources and tools to ensure that
systems can be monitored for key indicators of compromise.

Cyber security incidents are reported to an organisation’s Chief Information Security Y


Officer, or one of their delegates, as soon as possible after they occur or are
discovered.
Cyber security incidents are reported to the ACSC.
Following the identification of a cyber security incident, an organisation’s incident
response plan is enacted.

When a data spill occurs, data owners are advised and access to the data is restricted. Y

When malicious code is detected, the following steps are taken to handle the infection:
• the infected systems are isolated
• all previously connected media used in the period leading up to the infection are
scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if the infection cannot be reliably removed, systems are restored from a known good
backup or rebuilt.

Legal advice is sought before allowing intrusion activity to continue on a system for the
purpose of collecting further data or evidence.

System owners are consulted before allowing intrusion activity to continue on a system
for the purpose of collecting further data or evidence.

Planning and coordination of intrusion remediation activities are conducted on a


separate system to that which has been compromised.

To the extent possible, all intrusion remediation activities are conducted in a


coordinated manner during the same planned outage.

Following intrusion remediation activities, full network traffic is captured for at least Y
seven days and analysed to determine whether the adversary has been successfully
removed from the system.
The integrity of evidence gathered during an investigation is maintained by
investigators:
• recording all of their actions
• maintaining a proper chain of custody
• following all instructions provided by relevant law enforcement agencies.

Suppliers of applications, ICT equipment and services associated with systems are
identified.

A supply chain risk assessment is performed for suppliers of applications, ICT Y


equipment and services in order to assess the impact to a system’s security risk profile.

Suppliers identified as high risk by a cyber supply chain risk assessment are not used.

Applications, ICT equipment and services are chosen from suppliers that have
demonstrated a commitment to the security of their products and services.

Applications, ICT equipment and services are chosen from suppliers that have a strong
track record of transparency and maintaining the security of their own systems and
cyber supply chains.
A shared responsibility model is created, documented and shared between suppliers
and their customers in order to articulate the security responsibilities of each party.

A supplier relationship management policy is developed, implemented and maintained.


An approved supplier list is developed, implemented and maintained.

Applications, ICT equipment and services are sourced from approved suppliers.

Multiple potential suppliers are identified for sourcing critical applications, ICT
equipment and services.

Sufficient spares of critical ICT equipment are sourced and kept in reserve.

Applications, ICT equipment and services are delivered in a manner that maintains their
integrity.

The integrity of applications, ICT equipment and services are assessed as part of
acceptance of products and services.

The authenticity of applications, ICT equipment and services are assessed as part of
acceptance of products and services.

A managed service register is developed, implemented, maintained and verified on a


regular basis.

A managed service register contains the following for each managed service:
• managed service provider’s name
• managed service’s name
• purpose for using the managed service
• sensitivity or classification of data involved
• due date for the next security assessment of the managed service
• contractual arrangements for the managed service
• point of contact for users of the managed service
• 24/7 contact details for the managed service provider.

Managed service providers and their managed services undergo a security assessment
by an IRAP assessor at least every 24 months.

An outsourced cloud service register is developed, implemented, maintained and
verified on a regular basis.

An outsourced cloud service register contains the following for each outsourced cloud
service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service
• contractual arrangements for the cloud service
• point of contact for users of the cloud service
• 24/7 contact details for the cloud service provider.

Outsourced cloud service providers and their cloud services undergo a security
assessment by an IRAP assessor at least every 24 months.

Service providers, including any subcontractors, provide an appropriate level of
protection for any data entrusted to them or their services. Y
Security requirements associated with the confidentiality, integrity and availability of
data are documented in contractual arrangements with service providers and reviewed
on a regular and ongoing basis to ensure they remain fit for purpose.

The right to verify compliance with security requirements is documented in contractual
arrangements with service providers. Y

The right to verify compliance with security requirements documented in contractual
arrangements with service providers is exercised on a regular and ongoing basis. Y

Break clauses associated with failure to meet security requirements are documented in
contractual arrangements with service providers.

The requirement for service providers to report cyber security incidents to a designated Y
point of contact as soon as possible after they occur or are discovered is documented
in contractual arrangements with service providers.
A minimum notification period of one month by service providers for significant
changes to their own service provider arrangements is documented in contractual
arrangements with service providers.
The types of data and their ownership are documented in contractual arrangements with
service providers.

The regions or availability zones where data will be processed, stored and Y
communicated are documented in contractual arrangements with service providers.

Access to all logs relating to an organisation’s data and services is documented in
contractual arrangements with service providers.

The storage of data in a portable manner that allows for backups, service migration and
service decommissioning without any loss of data is documented in contractual
arrangements with service providers.
A minimum notification period of one month for the cessation of any services by a
service provider is documented in contractual arrangements with service providers.

An organisation’s systems and data are not accessed or administered by a service
provider unless a contractual arrangement exists between the organisation and the
service provider to do so.
If an organisation’s systems or data are accessed or administered by a service provider
in an unauthorised manner, the organisation is immediately notified.

A cyber security strategy is developed, implemented and maintained. Y

Organisational-level security documentation is approved by the Chief Information
Security Officer while system-specific security documentation is approved by the
system’s authorising officer.

A system’s security architecture is approved prior to the development of the system.

Security documentation is reviewed at least annually and includes a ‘current as at
[date]’ or equivalent statement.
Security documentation, including notification of subsequent changes, is
communicated to all stakeholders.

Systems have a system security plan that includes a description of the system and an Y
annex that covers both applicable controls from this document and any additional
controls that have been identified.
Systems have an incident response plan that covers the following: Y
• guidelines on what constitutes a cyber security incident
• the types of cyber security incidents likely to be encountered and the expected
response to each type
• how to report cyber security incidents, internally to an organisation and externally to
relevant authorities
• other parties which need to be informed in the event of a cyber security incident
• the authority, or authorities, responsible for investigating and responding to cyber
security incidents
• the criteria by which an investigation of a cyber security incident would be requested
from a law enforcement agency, the Australian Cyber Security Centre or other relevant
authority
• the steps necessary to ensure the integrity of evidence relating to a cyber security
incident
• system contingency measures or a reference to such details if they are located in a
separate document.

Systems have a continuous monitoring plan that includes: Y
• conducting vulnerability scans for systems at least monthly
• conducting vulnerability assessments or penetration tests for systems at least
annually
• analysing identified security vulnerabilities to determine their potential impact
• implementing mitigations based on risk, effectiveness and cost.

At the conclusion of a security assessment for a system, a security assessment report is
produced by the assessor and covers: Y
• the scope of the security assessment
• the system’s strengths and weaknesses
• security risks associated with the operation of the system
• the effectiveness of the implementation of controls
• any recommended remediation actions.

At the conclusion of a security assessment for a system, a plan of action and milestones Y
is produced by the system owner.

Systems are secured in facilities that meet the requirements for a security zone suitable
for their sensitivity or classification.
Servers, network devices and cryptographic equipment are secured in server rooms or
communications rooms that meet the requirements for a security zone suitable for
their sensitivity or classification.
Servers, network devices and cryptographic equipment are secured in security
containers or secure rooms suitable for their sensitivity or classification taking into
account the combination of security zones they reside in.
Server rooms, communications rooms, security containers and secure rooms are not
left in unsecured states.

Keys or equivalent access mechanisms to server rooms, communications rooms,
security containers and secure rooms are appropriately controlled.

Physical security is implemented to protect network devices in public areas from
physical damage or unauthorised access. Y
Unauthorised people are prevented from observing systems, in particular workstation
displays and keyboards, within facilities.
ICT equipment and media are secured when not in use.

Cyber security awareness training is undertaken annually by all personnel and covers: Y
• the purpose of the cyber security awareness training
• security appointments and contacts
• authorised use of systems and their resources
• protection of systems and their resources
• reporting of cyber security incidents and suspected compromises of systems and
their resources.

Tailored privileged user training is undertaken annually by all privileged users.

Personnel dealing with banking details and payment requests are advised of what Y
business email compromise is, how to manage such situations and how to report it.

Personnel are advised of what suspicious contact via online services is and how to
report it.
Personnel are advised to not post work information to unauthorised online services
and to report cases where such information is posted.
Personnel are advised to maintain separate work and personal accounts for online
services.
Personnel are advised of security risks associated with posting personal information to
online services and are encouraged to use any available privacy settings to restrict who
can view such information.
Personnel are advised not to send or receive files via unauthorised online services.

Access requirements for a system and its resources are documented in its system
security plan.
Personnel undergo appropriate employment screening and, where necessary, hold an Y
appropriate security clearance before being granted access to a system and its
resources.
Personnel receive any necessary briefings before being granted access to a system and
its resources.
Personnel granted access to a system and its resources are uniquely identifiable.

The use of shared user accounts is strictly controlled, and personnel using such
accounts are uniquely identifiable.
Personnel who are contractors are identified as such.

Requests for unprivileged access to systems, applications and data repositories are
validated when first requested.
Use of unprivileged access is logged.

Unprivileged access event logs are stored centrally.

Requests for privileged access to systems and applications are validated when first Y
requested.
Requests for privileged access to data repositories are validated when first requested.

Privileged access to systems and applications is limited to only what is required for
users and services to undertake their duties.
Privileged user accounts are prevented from accessing the internet, email and web Y
services.
Privileged service accounts are prevented from accessing the internet, email and web
services.
Just-in-time administration is used for administering systems and applications.

Privileged users are assigned a dedicated privileged account to be used solely for tasks
requiring privileged access.
Unique privileged accounts are used for administering individual server applications.

Privileged access events are logged. Y

Privileged access event logs are stored centrally. Y

Privileged account and group management events are logged. Y

Privileged account and group management event logs are stored centrally. Y

Access to systems, applications and data repositories is removed or suspended on the
same day personnel no longer have a legitimate requirement for access.

Access to systems, applications and data repositories is removed or suspended as soon
as practicable when personnel are detected undertaking malicious activities.

Unprivileged access to systems and applications is automatically disabled after 45 days
of inactivity.
Privileged access to systems and applications is automatically disabled after 45 days of
inactivity.
Access to data repositories is automatically disabled after 45 days of inactivity.

Privileged access to systems and applications is automatically disabled after 12 months
unless revalidated.
Privileged access to data repositories is automatically disabled after 12 months unless
revalidated.
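The 45-day inactivity and 12-month revalidation rules above are usually enforced by a scheduled job that reads an export from the directory or identity management system and disables whatever has lapsed. The following is an added example of that decision logic, not part of the ISM or this template; the account records and their field names are constructed and are an assumption about what such an export contains. It measures a never-used account from its creation date so that unused accounts do not escape the inactivity rule, and it uses calendar months rather than a fixed day count for the 12-month revalidation window.

```python
import calendar
from datetime import date, timedelta

INACTIVITY_DAYS = 45        # ISM: disable after 45 days of inactivity
REVALIDATION_MONTHS = 12    # ISM: privileged access lapses after 12 months unless revalidated

# Constructed sample export. Field names are an assumption about what the
# directory or IdM system can export; they are not from the template.
ACCOUNTS = [
    {"user": "j.smith",     "privileged": False, "created": date(2023, 2, 1),
     "last_logon": date(2024, 5, 1),  "last_revalidated": None},
    {"user": "adm-j.smith", "privileged": True,  "created": date(2023, 2, 1),
     "last_logon": date(2024, 6, 20), "last_revalidated": date(2023, 5, 30)},
    {"user": "svc-backup",  "privileged": True,  "created": date(2022, 9, 9),
     "last_logon": date(2024, 6, 29), "last_revalidated": date(2024, 1, 15)},
    {"user": "new-hire",    "privileged": False, "created": date(2024, 6, 25),
     "last_logon": None,              "last_revalidated": None},
]
REVIEW_DATE = date(2024, 7, 1)  # the day the job runs (constructed)


def months_before(d: date, months: int) -> date:
    """Calendar-aware 'd minus N months', clamping the day to the target month's length."""
    years_back, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + years_back, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review(accounts, today: date):
    """Return [(user, [reasons])] for every account that must be disabled today."""
    inactivity_cutoff = today - timedelta(days=INACTIVITY_DAYS)
    revalidation_cutoff = months_before(today, REVALIDATION_MONTHS)
    to_disable = []
    for acct in accounts:
        reasons = []
        # An account that has never logged on is measured from its creation date,
        # otherwise an unused account would never become "inactive".
        last_activity = acct["last_logon"] or acct["created"]
        if last_activity < inactivity_cutoff:
            reasons.append(f"no activity since {last_activity} (> {INACTIVITY_DAYS} days)")
        if acct["privileged"]:
            reval = acct["last_revalidated"]
            if reval is None or reval < revalidation_cutoff:
                reasons.append(f"privileged access not revalidated since {reval} "
                               f"(> {REVALIDATION_MONTHS} months)")
        if reasons:
            to_disable.append((acct["user"], reasons))
    return to_disable


def demo():
    return review(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, reasons in demo():
        print(f"DISABLE {user}: " + "; ".join(reasons))
```

The same loop is where the access record required later in this section (who authorised access, when it was last reviewed, when it was withdrawn) should be updated, so that the disable action and its reason are written back to the record rather than only to a job log.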
A secure record is maintained for the life of each system covering:
• all personnel authorised to access the system, and their user identification
• who provided authorisation for access
• when access was granted
• the level of access that was granted
• when access, and the level of access, was last reviewed
• when the level of access was changed, and to what extent (if applicable)
• when access was withdrawn (if applicable).

When personnel are granted temporary access to a system, effective controls are put in
place to restrict their access to only data required for them to undertake their duties.

A method of emergency access to systems is documented and tested at least once
when initially implemented and each time fundamental information technology
infrastructure changes occur.
Break glass accounts are only used when normal authentication processes cannot be
used.
Break glass accounts are only used for specific authorised activities.

Break glass account credentials are changed by the account custodian after they are
accessed by any other party.
Break glass accounts are tested after credentials are changed.

Use of break glass accounts is logged.

Break glass event logs are stored centrally.
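Because break glass use is logged centrally and the custodian must change the credentials after anyone else has used the account, the two controls can be checked against each other: every successful break glass logon should be followed by a credential reset, and any that is not is an open finding. The following is an added example of that check run over constructed central-log lines; it is not part of the ISM or this template, and the log format, field names and account name are assumptions rather than any real product's output.

```python
from datetime import datetime

BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}  # assumption: the organisation's break glass account name

# Constructed central-log lines in an assumed "<ISO-8601 UTC> key=value ..." format.
SAMPLE_LOG = """\
2024-07-01T02:14:05Z host=dc01 event=logon user=breakglass-admin result=success src=10.0.0.5
2024-07-01T02:20:11Z host=dc01 event=logon user=alice result=success src=10.0.0.20
2024-07-01T03:40:05Z host=dc01 event=password_reset user=breakglass-admin actor=custodian
2024-07-02T22:03:44Z host=dc02 event=logon user=breakglass-admin result=failure src=10.0.0.7
2024-07-03T11:02:33Z host=dc02 event=logon user=breakglass-admin result=success src=10.0.0.7
"""


def parse_line(line: str) -> dict:
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def audit_break_glass(log_text: str) -> dict:
    """Pair each successful break glass logon with the next credential reset for that account."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    uses, failed_attempts = [], 0
    pending = []  # successful logons not yet followed by a password reset
    for e in events:
        if e.get("user") not in BREAK_GLASS_ACCOUNTS:
            continue
        if e["event"] == "logon" and e.get("result") == "success":
            pending.append(e)
        elif e["event"] == "logon":
            failed_attempts += 1   # someone probing the break glass account
        elif e["event"] == "password_reset":
            for use in pending:
                minutes = int((e["ts"] - use["ts"]).total_seconds() // 60)
                uses.append({"ts": use["ts"].isoformat(), "src": use.get("src"),
                             "rotated_after_min": minutes})
            pending = []
    for use in pending:  # used, but credentials never rotated afterwards
        uses.append({"ts": use["ts"].isoformat(), "src": use.get("src"), "rotated_after_min": None})
    return {
        "uses": uses,
        "failed_attempts": failed_attempts,
        "open_findings": [u["ts"] for u in uses if u["rotated_after_min"] is None],
    }


def demo():
    return audit_break_glass(SAMPLE_LOG)


if __name__ == "__main__":
    report = demo()
    for use in report["uses"]:
        print(use)
    print("failed attempts:", report["failed_attempts"])
    print("uses with no credential rotation:", report["open_findings"])
```

The custodian's own post-rotation test logon is itself a successful break glass logon; if the log cannot distinguish it (for example by source host or a separate actor field), it should be excluded before this check or it will show as a false open finding.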


Cabling infrastructure is installed in accordance with relevant Australian Standards, as
directed by the Australian Communications and Media Authority.

Fibre-optic cables are used for cabling infrastructure instead of copper cables.

A cable register is developed, implemented, maintained and verified on a regular basis.

A cable register contains the following for each cable:
• cable identifier
• cable colour
• sensitivity/classification
• source
• destination
• location
• seal numbers (if applicable).

Floor plan diagrams are developed, implemented, maintained and verified on a regular
basis.

Floor plan diagrams contain the following:
• cable paths (including ingress and egress points between floors)
• cable reticulation system and conduit paths
• floor concentration boxes
• wall outlet boxes
• network cabinets.

Cable labelling processes, and supporting cable labelling procedures, are developed,
implemented and maintained.

Cables are labelled at each end with sufficient source and destination details to enable
the physical identification and inspection of the cable.

Building management cables are labelled with their purpose in black writing on a
yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre
intervals.
Cables for foreign systems installed in Australian facilities are labelled at inspection
points.

Cables for individual systems use a consistent colour.

OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red.

Cables are inspectable at a minimum of five-metre intervals.

Cables in TOP SECRET areas are fully inspectable for their entire length.

Cable bundles or conduits sharing a common cable reticulation system have a dividing
partition or visible gap between each cable bundle and conduit.

In shared facilities, cables are run in an enclosed cable reticulation system.


In shared facilities, conduits or the front covers of ducts, cable trays in floors and
ceilings, and associated fittings are clear plastic.

Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.

Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.

Wall outlet boxes for individual systems use a consistent colour.

OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red.

Wall outlet box covers are clear plastic.

Cable reticulation systems leading into cabinets are terminated as close as possible to
the cabinet.

In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms
or communications rooms are terminated as close as possible to the cabinet.

In TOP SECRET areas, cable reticulation systems leading into cabinets not in server
rooms or communications rooms are terminated at the boundary of the cabinet.

System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency
transmitters that will be co-located with SECRET or TOP SECRET systems contact the
ACSC for an emanation security threat assessment and implement any additional
installation criteria derived from the threat assessment.

System owners deploying systems or military platforms overseas contact the ACSC for
an emanation security threat assessment and implement any additional installation
criteria derived from the threat assessment.
An emanation security threat assessment is sought as early as possible in a system’s life
cycle as implementing emanation security can have significant cost implications.

ICT equipment meets industry and government standards relating to electromagnetic
interference/electromagnetic compatibility.

A telephone system usage policy is developed, implemented and maintained.

Personnel are advised of the permitted sensitivity or classification of information that
can be discussed over both internal and external telephone systems.

Personnel are advised of security risks posed by non-secure telephone systems in areas
where sensitive or classified conversations can occur.

When using cryptographic equipment to permit different levels of conversation for
different kinds of connections, telephone systems give a visual indication of what kind
of connection has been made.
Telephone systems used for sensitive or classified conversations encrypt all traffic that
passes over external systems.
Cordless telephone handsets and headsets are not used for sensitive or classified
conversations unless all communications are encrypted.

Speakerphones are not used on telephone systems in TOP SECRET areas unless the
telephone system is located in an audio secure room, the room is audio secure during
conversations and only personnel involved in conversations are present in the room.

Off-hook audio protection features are used on telephone systems in areas where
background conversations may exceed the sensitivity or classification that the
telephone system is authorised for communicating.
In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are
used to meet any off-hook audio protection requirements.

Video conferencing and IP telephony infrastructure is hardened.

When video conferencing or IP telephony traffic passes through a gateway containing a
firewall or proxy, a video-aware or voice-aware firewall or proxy is used.

Video conferencing and IP telephony calls are established using a secure session
initiation protocol.

Video conferencing and IP telephony calls are conducted using a secure real-time
transport protocol.

An encrypted and non-replayable two-way authentication scheme is used for call
authentication and authorisation.

Authentication and authorisation is used for all actions on a video conferencing
network, including call setup and changing settings.

Authentication and authorisation is used for all actions on an IP telephony network,
including registering a new IP phone, changing phone users, changing settings and
accessing voicemail.
IP telephony is configured such that:
• IP phones authenticate themselves to the call controller upon registration
• auto-registration is disabled and only authorised devices are allowed to access the
network
• unauthorised devices are blocked by default
• all unused and prohibited functionality is disabled.

Video conferencing and IP telephony traffic is separated physically or logically from
other data traffic.

Workstations are not connected to video conferencing units or IP phones unless the
workstation or the device uses Virtual Local Area Networks or similar mechanisms to
maintain separation between video conferencing, IP telephony and other data traffic.

IP phones used in public areas do not have the ability to access data networks,
voicemail and directory services.

Microphones (including headsets and USB handsets) and webcams are not used with
non-SECRET workstations in SECRET areas.

Microphones (including headsets and USB handsets) and webcams are not used with
non-TOP SECRET workstations in TOP SECRET areas.
A denial of service response plan for video conferencing and IP telephony services is
developed, implemented and maintained.

A denial of service response plan for video conferencing and IP telephony services
contains the following:
• how to identify signs of a denial-of-service attack
• how to identify the source of a denial-of-service attack
• how capabilities can be maintained during a denial-of-service attack
• what actions can be taken to respond to a denial-of-service attack.

A fax machine and MFD usage policy is developed, implemented and maintained.

Separate fax machines or MFDs are used for sending sensitive or classified fax
messages and all other fax messages.

When sending fax messages, the fax message is encrypted to an appropriate level to be
communicated over unsecured telecommunications infrastructure.

The sender of a fax message makes arrangements for the receiver to collect the fax
message as soon as possible after it is sent and for the receiver to notify the sender if
the fax message does not arrive in an agreed amount of time.
Controls for MFDs connected to networks are of a similar strength to those for other
devices on networks.

A direct connection from an MFD to a digital telephone system is not enabled unless
the digital telephone system is authorised to operate at the same sensitivity or
classification as the network to which the MFD is connected.
MFDs connected to networks are not used to copy documents above the sensitivity or
classification of connected networks.

Fax machines and MFDs are located in areas where their use can be observed.

A mobile device management policy is developed, implemented and maintained.

A Mobile Device Management solution is used to ensure mobile device management
policy is applied to all mobile devices.
Legal advice is sought prior to allowing privately-owned mobile devices to access
systems or data.
Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned
mobile device use an ASD-approved platform, a security configuration in accordance
with ACSC guidance, and have enforced separation of work and personal data.

Personnel accessing systems or data using an organisation-owned mobile device use an
ASD-approved platform, a security configuration in accordance with ACSC guidance,
and have enforced separation of work and personal data.
Mobile devices encrypt their internal storage and any removable media.

Mobile devices encrypt all sensitive or classified data communicated over public
network infrastructure.
OFFICIAL and PROTECTED mobile devices are configured to remain undiscoverable to
other Bluetooth devices except during Bluetooth pairing.
Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed using
Secure Connections, preferably with Numeric Comparison if supported.
Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed in a
manner such that connections are only made between intended Bluetooth devices.
Bluetooth pairings for OFFICIAL and PROTECTED mobile devices are removed when
there is no longer a requirement for their use.
Mobile devices prevent personnel from installing or uninstalling non-approved
applications once provisioned.
Mobile devices prevent personnel from disabling or modifying security functionality
once provisioned.
Security updates are applied to mobile devices as soon as they become available.

Mobile devices access the internet via a VPN connection to an organisation’s internet
gateway rather than via a direct connection to the internet.
When accessing an organisation’s network via a VPN connection, split tunnelling is
disabled.
A mobile device usage policy is developed, implemented and maintained.

Personnel are advised of the sensitivity or classification permitted for voice and data
communications when using mobile devices.
Paging, Multimedia Message Service, Short Message Service and messaging apps are
not used to communicate sensitive or classified data.
Sensitive or classified data is not viewed or communicated in public locations unless
care is taken to reduce the chance of the screen of a mobile device being observed.

Sensitive or classified phone calls are not conducted in public locations unless care is Y
taken to reduce the chance of conversations being overheard.
Mobile devices are kept under continual direct supervision when being actively used.

Mobile devices are carried or stored in a secured state when not being actively used.

If unable to carry or store mobile devices in a secured state, they are physically
transferred in a security briefcase or an approved multi-use satchel, pouch or transit
bag.
Mobile device emergency sanitisation processes, and supporting mobile device
emergency sanitisation procedures, are developed, implemented and maintained.

Personnel are advised of privacy and security risks when travelling overseas with
mobile devices.
If travelling overseas with mobile devices to high or extreme risk countries, personnel
are:
• issued with newly provisioned accounts, mobile devices and removable media from a
pool of dedicated travel devices which are used solely for work-related activities
• advised on how to apply and inspect tamper seals to key areas of mobile devices
• advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.

Before travelling overseas with mobile devices, personnel take the following actions:
• record all details of the mobile devices being taken, such as product types, serial
numbers and International Mobile Equipment Identity numbers
• update all operating systems and applications
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any removable media
• backup all important data and configuration settings.
Personnel take the following precautions when travelling overseas with mobile devices:
• never leaving mobile devices or removable media unattended for any period of time,
including by placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with mobile devices that they grant access to, such as in
laptop bags
• never lending mobile devices or removable media to untrusted people, even if briefly
• never allowing untrusted people to connect their mobile devices or removable
media, including for charging
• never using designated charging stations, wall outlet charging ports or chargers
supplied by untrusted people
• avoiding connecting mobile devices to open or untrusted Wi-Fi networks
• using a VPN connection to encrypt all mobile device communications
• using encrypted messaging apps for communications instead of using foreign
telecommunication networks
• disabling any communications capabilities of mobile devices when not in use, such as
cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of removable media once used with other parties’ systems or mobile
devices
• ensuring any removable media used for data transfers are thoroughly checked for
malicious code beforehand
• never using any gifted mobile devices, especially removable media, when travelling or
upon returning from travelling.

Personnel report the potential compromise of mobile devices, removable media or
credentials to their organisation as soon as possible, especially if they:
• provide credentials to foreign government officials
• decrypt mobile devices for foreign government officials
• have mobile devices taken out of sight by foreign government officials
• have mobile devices or removable media stolen that are later returned
• lose mobile devices or removable media that are later found
• observe unusual behaviour of mobile devices.

Upon returning from travelling overseas with mobile devices, personnel take the
following actions:
• sanitise and reset mobile devices, including all removable media
• decommission any credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any mobile devices or
removable media.

If returning from travelling overseas with mobile devices to high or extreme risk
countries, personnel take the following additional actions:
• reset credentials used with mobile devices, including those used for remote access to
their organisation’s systems
• monitor accounts for any indicators of compromise, such as failed logon attempts.

If procuring an evaluated product, a product that has completed a PP-based evaluation,
including against all applicable PP modules, is selected in preference to one that has
completed an EAL-based evaluation.
Evaluated products are delivered in a manner consistent with any delivery procedures
defined in associated evaluation documentation.
Evaluated products are installed, configured, administered and operated in accordance
with vendor guidance and evaluation documentation.
An ICT equipment management policy is developed, implemented and maintained.

An ICT equipment register is developed, implemented, maintained and verified on a
regular basis.
ICT equipment, with the exception of high assurance ICT equipment, is labelled with
protective markings reflecting its sensitivity or classification.
ICT equipment is classified based on the highest sensitivity or classification of data that
it is approved for processing, storing or communicating.
ICT equipment is handled in a manner suitable for its sensitivity or classification.

Maintenance and repairs of ICT equipment are carried out on site by an appropriately
cleared technician.

If an uncleared technician is used to undertake maintenance or repairs of ICT
equipment, the ICT equipment and associated media is sanitised before maintenance
or repair work is undertaken.
If an uncleared technician is used to undertake maintenance or repairs of ICT
equipment, the technician is escorted by someone who:
• is appropriately cleared and briefed
• takes due care to ensure that data is not disclosed
• takes all responsible measures to ensure the integrity of the ICT equipment
• has the authority to direct the technician
• is sufficiently familiar with the ICT equipment to understand the work being
performed.

ICT equipment maintained or repaired off site is done so at facilities approved for
handling the sensitivity or classification of the ICT equipment.

Following maintenance or repair activities for ICT equipment, the ICT equipment is
inspected to confirm it retains its approved software configuration and that no
unauthorised modifications have taken place.
ICT equipment sanitisation processes, and supporting ICT equipment sanitisation
procedures, are developed, implemented and maintained.

ICT equipment destruction processes, and supporting ICT equipment destruction
procedures, are developed, implemented and maintained.

ICT equipment containing media is sanitised by removing the media from the ICT
equipment or by sanitising the media in situ.

ICT equipment that cannot be sanitised is destroyed.

At least three pages of random text with no blank areas are printed on each colour
printer cartridge or MFD print drum.

MFD print drums and image transfer rollers are inspected and destroyed if there is
remnant toner which cannot be removed or a print is visible on the image transfer
roller.
Printer and MFD platens are inspected and destroyed if any text or images are retained
on the platen.

Printers and MFDs are checked to ensure no pages are trapped in the paper path due
to a paper jam.

When unable to sanitise printer cartridges or MFD print drums, they are destroyed as
per electrostatic memory devices.

Printer ribbons in printers and MFDs are removed and destroyed.


Televisions and computer monitors with minor burn-in or image persistence are
sanitised by displaying a solid white image on the screen for an extended period of
time.
Televisions and computer monitors that cannot be sanitised are destroyed.

Memory in network devices is sanitised using the following processes, in order of
preference:
• following device-specific guidance provided in evaluation documentation
• following vendor sanitisation guidance
• loading a dummy configuration file, performing a factory reset and then reinstalling
firmware.

The paper tray of the fax machine is removed, and a fax message with a minimum
length of four pages is transmitted, before the paper tray is re-installed to allow a fax
summary page to be printed.
Fax machines are checked to ensure no pages are trapped in the paper path due to a
paper jam.

ICT equipment disposal processes, and supporting ICT equipment disposal procedures,
are developed, implemented and maintained.
Labels and markings indicating the owner, sensitivity, classification or any other
marking that can associate ICT equipment with its prior use are removed prior to its
disposal.
Following sanitisation, destruction or declassification, a formal administrative decision
is made to release ICT equipment, or its waste, into the public domain.

A media management policy is developed, implemented and maintained.

A removable media usage policy is developed, implemented and maintained.

A removable media register is developed, implemented, maintained and verified on a
regular basis.
Media, with the exception of internally mounted fixed media within ICT equipment, is
labelled with protective markings reflecting its sensitivity or classification.

Media is classified to the highest sensitivity or classification of data it stores, unless the
media has been classified to a higher sensitivity or classification.
Media is only used with systems that are authorised to process, store or communicate
its sensitivity or classification.
Any media connected to a system with a higher sensitivity or classification than the
media is reclassified to the higher sensitivity or classification, unless the media is read-
only or the system has a mechanism through which read-only access can be ensured.

Before reclassifying media to a lower sensitivity or classification, the media is sanitised
or destroyed, and a formal administrative decision is made to reclassify it.

Media is handled in a manner suitable for its sensitivity or classification.

All data stored on media is encrypted.

Media is sanitised before it is used for the first time.

Media is sanitised before it is reused in a different security domain.

When transferring data manually between two systems belonging to different security
domains, write-once media is used unless the destination system has a mechanism
through which read-only access can be ensured.
When transferring data manually between two systems belonging to different security
domains, rewritable media is sanitised after each data transfer.
Media sanitisation processes, and supporting media sanitisation procedures, are
developed, implemented and maintained.
Volatile media is sanitised by removing its power for at least 10 minutes.

Non-volatile magnetic media is sanitised by overwriting it at least once (or three times
if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read
back for verification.
The host-protected area and device configuration overlay table are reset prior to the
sanitisation of non-volatile magnetic hard drives.
The ATA secure erase command is used, in addition to block overwriting software, to
ensure the growth defects table of non-volatile magnetic hard drives is overwritten.

Non-volatile EPROM media is sanitised by applying three times the manufacturer’s
specified ultraviolet erasure time and then overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.

Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety
with a random pattern followed by a read back for verification.

Non-volatile flash memory media is sanitised by overwriting it at least twice in its
entirety with a random pattern followed by a read back for verification.
Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its
disposal.
Media destruction processes, and supporting media destruction procedures, are
developed, implemented and maintained.
The following media types are destroyed prior to their disposal:
• microfiche and microfilm
• optical discs
• programmable read-only memory
• read-only memory
• other types of media that cannot be sanitised.

Security Construction and Equipment Committee-approved equipment or ASIO-
approved equipment is used when destroying media.
If using degaussers to destroy media, degaussers evaluated by the United States’
National Security Agency are used.
Equipment that is capable of reducing microform to a fine powder, with resultant
particles not showing more than five consecutive characters per particle upon
microscopic inspection, is used to destroy microfiche and microfilm.

Electrostatic memory devices are destroyed using a furnace/incinerator, hammer mill,
disintegrator or grinder/sander.
Magnetic floppy disks are destroyed using a furnace/incinerator, hammer mill,
disintegrator, degausser or by cutting.
Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill,
disintegrator, grinder/sander or degausser.
Magnetic tapes are destroyed using a furnace/incinerator, hammer mill, disintegrator,
degausser or by cutting.
Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator,
grinder/sander or by cutting.
Semiconductor memory is destroyed using a furnace/incinerator, hammer mill or
disintegrator.
Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting
results in media waste particles no larger than 9 mm.
Magnetic media is destroyed using a degausser with a suitable magnetic field strength
and magnetic orientation.
Product-specific directions provided by degausser manufacturers are followed.

Following the use of a degausser, magnetic media is physically damaged by deforming
any internal platters.
The destruction of media is performed under the supervision of at least one person
cleared to its sensitivity or classification.
Personnel supervising the destruction of media supervise its handling to the point of
destruction and ensure that the destruction is completed successfully.
The destruction of media storing accountable material is performed under the
supervision of at least two personnel cleared to its sensitivity or classification.

Personnel supervising the destruction of media storing accountable material supervise
its handling to the point of destruction, ensure that the destruction is completed
successfully and sign a destruction certificate afterwards.
The destruction of media storing accountable material is not outsourced.

When outsourcing the destruction of media storing non-accountable material, a
National Association for Information Destruction AAA certified destruction service with
endorsements, as specified in ASIO’s Protective Security Circular-167, is used.

Media disposal processes, and supporting media disposal procedures, are developed,
implemented and maintained.
Labels and markings indicating the owner, sensitivity, classification or any other
marking that can associate media with its prior use are removed prior to its disposal.

Following sanitisation, destruction or declassification, a formal administrative decision
is made to release media, or its waste, into the public domain.

Operating systems are chosen from vendors that have demonstrated a commitment to
secure-by-design and secure-by-default principles, use of memory-safe programming
languages where possible, secure programming practices, and maintaining the security
of their products.

The latest release, or the previous release, of operating systems is used.

Where supported, 64-bit versions of operating systems are used.

SOEs are used for workstations and servers.

SOEs provided by third parties are scanned for malicious code and configurations.

SOEs are reviewed and updated at least annually.

ACSC and vendor guidance is implemented to assist in hardening the configuration of
operating systems.
Unneeded accounts, components, services and functionality of operating systems are
disabled or removed.
Default accounts or credentials for operating systems, including for any pre-configured
accounts, are changed.
Automatic execution features for removable media are disabled.

Internet Explorer 11 is disabled or removed.

.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.

Operating system exploit protection functionality is enabled.


Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality
is enabled.
Unprivileged users are prevented from bypassing, disabling or modifying security
functionality of operating systems.
Unprivileged users are prevented from running script execution engines, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).

Unprivileged users do not have the ability to install unapproved software.

Unprivileged users do not have the ability to uninstall or disable approved software.

Application control is implemented on workstations. Y

Application control is implemented on internet-facing servers.

Application control is implemented on non-internet-facing servers.

Application control restricts the execution of executables, software libraries, scripts,
installers, compiled HTML, HTML applications and control panel applets to an
organisation-approved set.
Application control restricts the execution of drivers to an organisation-approved set.

Application control is implemented using cryptographic hash rules, publisher certificate
rules or path rules.
Application control rulesets are validated on an annual or more frequent basis.

When implementing application control using publisher certificate rules, both publisher
names and product names are used.
When implementing application control using path rules, only approved users can
modify approved files and write to approved folders.
When implementing application control using path rules, only approved users can
change file system permissions for approved files and folders.
Microsoft’s ‘recommended block rules’ are implemented.

Microsoft’s ‘recommended driver block rules’ are implemented.

All users (with the exception of local administrator accounts and break glass accounts)
cannot disable, bypass or be exempted from application control.
Allowed and blocked execution events on workstations are logged.

Allowed and blocked execution events on internet-facing servers are logged.

Allowed and blocked execution events on non-internet-facing servers are logged.

Application control event logs are stored centrally.

Windows PowerShell 2.0 is disabled or removed.

PowerShell is configured to use Constrained Language Mode.

PowerShell is configured to use module logging, script block logging and transcription
functionality.
PowerShell script block logs are protected by Protected Event Logging functionality.

Blocked PowerShell script execution events are logged.

PowerShell event logs are stored centrally.

A HIPS is implemented on workstations.

A HIPS is implemented on critical servers and high-value servers.

A software firewall is implemented on workstations and servers to restrict inbound and
outbound network connections to an organisation-approved set of applications and
services.
Antivirus software is implemented on workstations and servers with: Y
• signature-based detection functionality enabled and set to a high level
• heuristic-based detection functionality enabled and set to a high level
• reputation rating functionality enabled
• ransomware protection functionality enabled
• detection signatures configured to update on at least a daily basis
• regular scanning configured for all fixed disks and removable media.

If there is no business requirement for reading from removable media and devices,
such functionality is disabled via the use of device access control software or by
disabling external communication interfaces.
If there is no business requirement for writing to removable media and devices, such
functionality is disabled via the use of device access control software or by disabling
external communication interfaces.
External communication interfaces that allow DMA are disabled.

The following events are logged for operating systems: Y
• application and operating system crashes and error messages
• changes to security policies and system configurations
• successful user logons and logoffs, failed user logons and account lockouts
• failures, restarts and changes to important processes and services
• requests to access internet resources
• security product-related events
• system startups and shutdowns.

Operating system event logs are stored centrally. Y

User applications are chosen from vendors that have demonstrated a commitment to
secure-by-design and secure-by-default principles, use of memory-safe programming
languages where possible, secure programming practices, and maintaining the security
of their products.

The latest release of office productivity suites, web browsers and their extensions,
email clients, PDF software, and security products are used.
Default accounts or credentials for user applications, including for any pre-configured
accounts, are changed.
ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF
software is implemented.
Unneeded components, services and functionality of office productivity suites, web
browsers, email clients, PDF software and security products are disabled or removed.

Add-ons, extensions and plug-ins for office productivity suites, web browsers, email
clients, PDF software and security products are restricted to an organisation-approved
set.
Microsoft Office is blocked from creating child processes.
Microsoft Office is blocked from creating executable content.

Microsoft Office is blocked from injecting code into other processes.

Microsoft Office is configured to prevent activation of Object Linking and Embedding
packages.
Office productivity suite security settings cannot be changed by users.

Web browsers do not process Java from the internet. Y

Web browsers do not process web advertisements from the internet. Y

Internet Explorer 11 does not process content from the internet. Y

Web browser security settings cannot be changed by users.

PDF software is blocked from creating child processes.

PDF software security settings cannot be changed by users.

Microsoft’s Attack Surface Reduction rules are implemented.

Email client security settings cannot be changed by users.

Security product security settings cannot be changed by users.

Microsoft Office macros are disabled for users that do not have a demonstrated
business requirement. Y
Microsoft Office macros in files originating from the internet are blocked. Y

Microsoft Office macro antivirus scanning is enabled. Y

Microsoft Office macros are blocked from making Win32 API calls.

Only Microsoft Office macros running from within a sandboxed environment, a Trusted
Location or that are digitally signed by a trusted publisher are allowed to execute.

Only privileged users responsible for validating that Microsoft Office macros are free of
malicious code can write to and modify content within Trusted Locations.

Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled
via the Message Bar or Backstage View.
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent
basis.
Microsoft Office macro security settings cannot be changed by users. Y

Allowed and blocked Microsoft Office macro execution events are logged.

Microsoft Office macro event logs are stored centrally.

Server applications are chosen from vendors that have demonstrated a commitment to
secure-by-design and secure-by-default principles, use of memory-safe programming
languages where possible, secure programming practices, and maintaining the security
of their products.

The latest release of internet-facing server applications is used.

ACSC or vendor hardening guidance for server applications is implemented.

Default accounts or credentials for server applications, including for any pre-configured
accounts, are changed.
Unneeded accounts, components, services and functionality of server applications are
disabled or removed.
All temporary installation files and logs created during server application installation
processes are removed after server applications have been installed.

Server applications are configured to run as a separate account with the minimum
privileges needed to perform their functions.
The accounts under which server applications run have limited access to their
underlying server’s file system.
Microsoft AD DS domain controllers are administered using dedicated domain
administrator user accounts that are not used to administer other systems.

The Print Spooler service is disabled on Microsoft AD DS domain controllers.

Passwords and cpasswords are not used in Group Policy Preferences.

Security-related events for Microsoft AD DS are logged.

Microsoft AD DS event logs are stored centrally.

Only service accounts and computer accounts are configured with Service Principal
Names (SPNs).

Service accounts are provisioned with the minimum privileges required and are not
members of the domain administrators group or similar highly privileged groups.

Duplicate SPNs do not exist within the domain.

Privileged user accounts are configured as sensitive and cannot be delegated.

User accounts require Kerberos pre-authentication.

User accounts are not configured with password never expires or password not
required.

The UserPassword attribute for user accounts is not used.

Account properties accessible by unprivileged users are not used to store passwords.

User account passwords do not use reversible encryption.


Unprivileged user accounts cannot add machines to the domain.

Dedicated service accounts are used to add machines to the domain.

User accounts with unconstrained delegation are reviewed at least annually, and those
without an associated Kerberos SPN or demonstrated business requirement are
removed.
Computer accounts that are not Microsoft AD DS domain controllers are not trusted for
delegation to services.

Privileged user accounts are members of the Protected Users security group.

When a user account is disabled, it is removed from all security group memberships.

The Pre-Windows 2000 Compatible Access security group does not contain user
accounts.

Users are authenticated before they are granted access to a system and its resources.

Authentication methods susceptible to replay attacks are disabled.

LAN Manager and NT LAN Manager authentication methods are disabled.

Multi-factor authentication is used to authenticate unprivileged users of systems.

Multi-factor authentication is used to authenticate privileged users of systems.

Multi-factor authentication is used by an organisation’s users if they authenticate to
their organisation’s internet-facing services. Y
Multi-factor authentication is used by an organisation’s users if they authenticate to
third-party internet-facing services that process, store or communicate their
organisation's sensitive data. Y
Multi-factor authentication (where available) is used by an organisation’s users if they
authenticate to third-party internet-facing services that process, store or communicate
their organisation's non-sensitive data. Y
Multi-factor authentication is enabled by default for non-organisational users (but
users can choose to opt out) if they authenticate to an organisation’s internet-facing
services. Y
Multi-factor authentication is used to authenticate users accessing important data
repositories.
Multi-factor authentication uses either: something users have and something users
know, or something users have that is unlocked by something users know or are.

Multi-factor authentication is phishing-resistant.

Memorised secrets used for multi-factor authentication are a minimum of 6 characters,
unless more stringent requirements apply.
Successful and unsuccessful multi-factor authentication events are logged.

Multi-factor authentication event logs are stored centrally.

When systems cannot support multi-factor authentication, single-factor authentication
using passphrases is implemented instead.
Passphrases used for single-factor authentication are at least 4 random words with a
total minimum length of 14 characters, unless more stringent requirements apply.

Passphrases used for single-factor authentication are not a list of categorised words; do
not form a real sentence in a natural language; and are not constructed from song
lyrics, movies, literature or any other publicly available material.

Users provide sufficient evidence to verify their identity when requesting new
credentials.
Credentials set for user accounts are randomly generated.

Credentials are provided to users via a secure communications channel or, if not
possible, split into two parts with one part provided to users and the other part
provided to supervisors.
Credentials provided to users are changed on first use.

Credentials, in the form of memorised secrets, are not reused by users across different
systems.
Credentials for local administrator accounts and service accounts are long, unique,
unpredictable and managed.

Service accounts are created as group Managed Service Accounts.

Credentials for local administrator accounts and service accounts are a minimum of 30
characters.

Credentials are changed if:
• they are directly compromised
• they are suspected of being compromised
• they appear in an online data breach database
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the clear
• membership of a shared account changes
• they have not been changed in the past 12 months.

Credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) are
changed twice, allowing for replication to all Microsoft Active Directory Domain
Services domain controllers in-between each change, if:
• the domain has been directly compromised
• the domain is suspected of being compromised
• they have not been changed in the past 12 months.

Credentials are kept separate from systems they are used to authenticate to, except for
when performing authentication activities.
Credentials are obscured as they are entered into systems.

Credentials stored on systems are protected by a password manager; a hardware
security module; or by salting, hashing and stretching them before storage within a
database.
Windows Defender Credential Guard and Windows Defender Remote Credential Guard
are enabled.
Cached credentials are limited to one previous logon.

Accounts are locked out after a maximum of five failed logon attempts.

On a daily basis, outside of business hours and after an appropriate period of inactivity,
user sessions are terminated and workstations are restarted.
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by
users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or
screen lock is activated
• requires users to authenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.

Systems have a logon banner that requires users to acknowledge and accept their
security responsibilities before access is granted.
Legal advice is sought on the exact wording of logon banners.

When using a software-based isolation mechanism to share a physical server’s
hardware, the isolation mechanism is from a vendor that has demonstrated a
commitment to secure-by-design and secure-by-default principles, use of memory-safe
programming languages where possible, secure programming practices, and
maintaining the security of their products.

When using a software-based isolation mechanism to share a physical server’s
hardware, the configuration of the isolation mechanism is hardened by removing
unneeded functionality and restricting access to the administrative interface used to
manage the isolation mechanism.

When using a software-based isolation mechanism to share a physical server’s
hardware, the underlying operating system is hardened.
When using a software-based isolation mechanism to share a physical server’s
hardware, patches, updates or vendor mitigations for security vulnerabilities are
applied to the isolation mechanism and underlying operating system in a timely
manner.

When using a software-based isolation mechanism to share a physical server’s
hardware, the isolation mechanism or underlying operating system is replaced when it
is no longer supported by a vendor.
When using a software-based isolation mechanism to share a physical server’s
hardware, integrity and log monitoring are performed for the isolation mechanism and
underlying operating system in a timely manner.
System administration processes, and supporting system administration procedures,
are developed, implemented and maintained.

System administrators document requirements for administrative activities, consider
potential security impacts, obtain any necessary approvals, notify users of any
disruptions or outages, and maintain system and security documentation. Y

Privileged users use separate privileged and unprivileged operating environments. Y

Privileged operating environments are not virtualised within unprivileged operating
environments.

Unprivileged accounts cannot logon to privileged operating environments. Y

Privileged accounts (excluding local administrator accounts) cannot logon to
unprivileged operating environments. Y

Administrative infrastructure is segregated from the wider network.


Administrative infrastructure for critical servers, high-value servers and regular servers
is segregated from each other.

Network management traffic can only originate from administrative infrastructure.

Administrative activities are conducted through jump servers.

Only privileged operating environments can communicate with jump servers.

Only jump servers can communicate with assets requiring administrative activities to
be performed.

Patch management processes, and supporting patch management procedures, are
developed, implemented and maintained. Y

A centralised and managed approach that maintains the integrity of patches or
updates, and confirms that they have been applied successfully, is used to patch or
update applications, operating systems, drivers and firmware.
Software registers for workstations, servers, network devices and other ICT equipment
are developed, implemented, maintained and verified on a regular basis.

Software registers contain versions and patch histories of applications, drivers,
operating systems and firmware.

An automated method of asset discovery is used at least fortnightly to support the
detection of assets for subsequent vulnerability scanning activities.

A vulnerability scanner with an up-to-date vulnerability database is used for
vulnerability scanning activities.

A vulnerability scanner is used at least daily to identify missing patches or updates for
security vulnerabilities in internet-facing services. Y

A vulnerability scanner is used at least weekly to identify missing patches or updates
for security vulnerabilities in office productivity suites, web browsers and their
extensions, email clients, PDF software, and security products.
A vulnerability scanner is used at least fortnightly to identify missing patches or
updates for security vulnerabilities in other applications.

A vulnerability scanner is used at least daily to identify missing patches or updates for
security vulnerabilities in operating systems of internet-facing services.

A vulnerability scanner is used at least weekly to identify missing patches or updates
for security vulnerabilities in operating systems of workstations, servers and network
devices.
A vulnerability scanner is used at least weekly to identify missing patches or updates
for security vulnerabilities in operating systems of other ICT equipment.

A vulnerability scanner is used at least weekly to identify missing patches or updates
for security vulnerabilities in drivers and firmware.

Patches, updates or vendor mitigations for security vulnerabilities in internet-facing
services are applied within two weeks of release, or within 48 hours if an exploit exists. Y
Patches, updates or vendor mitigations for security vulnerabilities in office productivity
suites, web browsers and their extensions, email clients, PDF software, and security
products are applied within two weeks of release.
Patches, updates or vendor mitigations for security vulnerabilities in office productivity
suites, web browsers and their extensions, email clients, PDF software, and security
products are applied within 48 hours if an exploit exists.

Patches, updates or vendor mitigations for security vulnerabilities in other applications
are applied within one month of release.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems
of internet-facing services are applied within two weeks of release, or within 48 hours
if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems
of workstations, servers and network devices are applied within two weeks of release.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems
of workstations, servers and network devices are applied within 48 hours if an exploit
exists.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems
of other ICT equipment are applied within two weeks of release, or within 48 hours if
an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in drivers and
firmware are applied within two weeks of release, or within 48 hours if an exploit
exists.
Internet-facing services, office productivity suites, web browsers and their extensions,
email clients, PDF software, Adobe Flash Player, and security products that are no
longer supported by vendors are removed. Y
Applications that are no longer supported by vendors are removed.

Operating systems that are no longer supported by vendors are replaced.

Network devices and other ICT equipment that are no longer supported by vendors are
replaced.

When applications, operating systems, network devices or other ICT equipment that
are no longer supported by vendors cannot be immediately removed or replaced,
compensating controls are implemented until such time that they can be removed or
replaced.

A digital preservation policy is developed, implemented and maintained.

Data backup processes, and supporting data backup procedures, are developed,
implemented and maintained. Y

Data restoration processes, and supporting data restoration procedures, are
developed, implemented and maintained. Y

Backups of important data, software and configuration settings are performed and
retained with a frequency and retention timeframe in accordance with business
continuity requirements. Y
Backups of important data, software and configuration settings are synchronised to
enable restoration to a common point in time.
Backups of important data, software and configuration settings are retained in a secure
and resilient manner.

Unprivileged accounts cannot access backups belonging to other accounts.

Unprivileged accounts cannot access their own backups.

Privileged accounts (excluding backup administrator accounts) cannot access backups
belonging to other accounts.

Privileged accounts (excluding backup administrator accounts) cannot access their own
backups.

Unprivileged accounts are prevented from modifying and deleting backups.

Privileged accounts (excluding backup administrator accounts) are prevented from
modifying and deleting backups.

Privileged accounts (including backup administrator accounts) are prevented from
modifying and deleting backups during their retention period.

Restoration of important data, software and configuration settings from backups to a
common point of time is tested as part of disaster recovery exercises. Y

An event logging policy is developed, implemented and maintained. Y

For each event logged, the date and time of the event, the relevant user or process, the Y
relevant filename, the event description, and the ICT equipment involved are recorded.

A centralised event logging facility is implemented and event logs are sent to the Y
facility as soon as possible after they occur.
Event logs stored within a centralised event logging facility are protected from Y
unauthorised modification and deletion.
An accurate time source is established and used consistently across systems to assist Y
with identifying connections between events.
Event logs are analysed in a timely manner to detect cyber security events. Y

Cyber security events are analysed in a timely manner to identify cyber security
incidents.
Event logs, excluding those for Domain Name System services and web proxies, are
retained for at least seven years.
Event logs for Domain Name System services and web proxies are retained for at least
18 months.
Development, testing and production environments are segregated.

Development and modification of software only takes place in development
environments.

Data from production environments is not used in a development or testing
environment unless the environment is secured to the same level as the production
environment.
Unauthorised access to the authoritative source for software is prevented.

Unauthorised modification of the authoritative source for software is prevented.

Secure-by-design and secure-by-default principles, use of memory-safe programming
languages where possible, and secure programming practices are used as part of
application development.
SecDevOps practices are used for application development.

Threat modelling is used in support of application development.

Files containing executable content are digitally signed as part of application
development.

Installers, patches and updates are digitally signed or provided with cryptographic
checksums as part of application development.

Secure configuration guidance is produced as part of application development.

A software bill of materials is produced and made available to consumers of software.

Applications are comprehensively tested for security vulnerabilities, using both static
application security testing and dynamic application security testing, prior to their
initial release and following any maintenance activities.
Security vulnerabilities identified in applications are resolved by software developers.

A vulnerability disclosure program is implemented to assist with the secure
development and maintenance of products and services.

A vulnerability disclosure policy is developed, implemented and maintained.

Vulnerability disclosure processes, and supporting vulnerability disclosure procedures,
are developed, implemented and maintained.

A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in
the responsible disclosure of security vulnerabilities in an organisation’s products and
services.
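The security.txt control above depends on the file actually being usable by a reporter, which RFC 9116 pins down: a Contact field is mandatory, an Expires field must appear exactly once and should lie less than a year ahead, and Preferred-Languages may appear at most once. The following validator is an added example (not code from the SoA template, the ISM or any product); both sample files are constructed, the treatment of non-mailto/tel/https Contact values as a finding is an assumption, and the one-year horizon follows the RFC's recommendation rather than a hard rule.

```python
"""Validate a security.txt file against the RFC 9116 requirements the control relies on.
Added example; the sample files are constructed, not fetched from any real domain."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample that would be served at https://<domain>/.well-known/security.txt
GOOD_SECURITY_TXT = """\
# Constructed example
Contact: mailto:security@example.test
Contact: https://example.test/report-a-vulnerability
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Policy: https://example.test/vdp
Canonical: https://example.test/.well-known/security.txt
"""

# Constructed sample with two defects: a bare e-mail address and no Expires field.
BAD_SECURITY_TXT = """\
Contact: security@example.test
Acknowledgments: https://example.test/thanks
"""

AT_MOST_ONCE = ("preferred-languages",)
# Assumption: only these URI schemes are accepted for Contact (the RFC recommends them).
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Field names are case-insensitive; '#' lines are comments; a field may repeat."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> Optional[datetime]:
    """RFC 3339 timestamp; a trailing Z is normalised for datetime.fromisoformat."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):
        v = v[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return findings; an empty list means the file meets the checked requirements."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    findings = [f"malformed line: {line}" for line in f.get("__malformed__", [])]

    contacts = f.get("contact", [])
    if not contacts:
        findings.append("Contact field missing (required)")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact '{c}' is not a mailto:, tel: or https: URI")

    expires = f.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        dt = parse_expires(expires[0])
        if dt is None:
            findings.append(f"Expires '{expires[0]}' is not an RFC 3339 timestamp")
        elif dt <= now:
            findings.append("Expires is in the past: the file is stale")
        elif dt - now > timedelta(days=366):
            findings.append("Expires is more than a year out; RFC 9116 recommends under a year")

    for name in AT_MOST_ONCE:
        if len(f.get(name, [])) > 1:
            findings.append(f"{name} must appear at most once")
    return findings
```

Run it against the live file for every internet-facing domain as part of the regular gateway or web checks: an expired security.txt is a common way for an otherwise working disclosure program to silently stop receiving reports.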
The OWASP Application Security Verification Standard is used in the development of
web applications.

The OWASP Top Ten Proactive Controls are used in the development of web
applications.

The OWASP Top 10 are mitigated in the development of web applications.

Robust web application frameworks are used in the development of web applications.
All web application content is offered exclusively using HTTPS.

Authentication and authorisation of clients is performed when clients call web APIs
that facilitate access to data not authorised for release into the public domain.

Authentication and authorisation of clients is performed when clients call web APIs
that facilitate modification of data.

The OWASP API Security Top 10 are mitigated in the development of web APIs.

Validation or sanitisation is performed on all input handled by web applications.

Output encoding is performed on all output produced by web applications.

Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via
security policy in response headers.
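Whether the three headers above are "implemented" is only half the question; a CSP with no fallback directive, an HSTS max-age of an hour, or an obsolete X-Frame-Options value satisfies the letter of the control and none of its intent. The check below is an added example (not code from the SoA template or the ISM) that evaluates a captured header set against each header's useful form. The two header sets are constructed, and the one-year HSTS threshold is an assumption taken from common preload-list guidance.

```python
"""Audit HTTP response headers for the CSP, HSTS and X-Frame-Options controls.
Added example; the header sets are constructed, not captured from a real site."""
from typing import Dict, List

WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
STRONG_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Turn "default-src 'self'; script-src 'self'" into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means all three controls hold in a useful form."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        d = parse_csp(csp)
        if "default-src" not in d:
            findings.append("CSP has no default-src fallback")
        scripts = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP permits inline or wildcard script sources")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        tokens = [t.strip().lower() for t in hsts.split(";")]
        max_age = 0
        for t in tokens:
            if t.startswith("max-age="):
                try:
                    max_age = int(t[len("max-age="):])
                except ValueError:
                    pass  # unparsable value is treated as zero
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in tokens:
            findings.append("HSTS does not cover subdomains")

    # Only DENY and SAMEORIGIN are meaningful; ALLOW-FROM is obsolete and ignored by browsers.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; expected DENY or SAMEORIGIN")

    return findings
```

The CSP `frame-ancestors` directive supersedes X-Frame-Options in current browsers; keep both so that older clients are covered, and make sure the two agree.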

The following events are logged for web applications: attempted access that is denied, Y
crashes and error messages, and search queries initiated by users.

Web application event logs are stored centrally. Y

Database servers and web servers are functionally separated.

Data communicated between database servers and web servers is encrypted.

Database servers are placed on a different network segment to user workstations.

Network access controls are implemented to restrict database server communications
to strictly defined network resources, such as web servers, application servers and
storage area networks.
If only local access to a database is required, networking functionality of database
management system software is disabled or directed to listen solely to the localhost
interface.
Development and testing environments do not use the same database servers as
production environments.

A database register is developed, implemented, maintained and verified on a regular
basis.
File-based access controls are applied to database files.

Databases and their contents are classified based on the sensitivity or classification of
data that they contain.
Database users’ ability to access, insert, modify and remove database contents is
restricted based on their work duties.
The need-to-know principle is enforced for database contents through the application
of minimum privileges, database views and database roles.
Database contents from production environments are not used in development or
testing environments unless the environment is secured to the same level as the
production environment.
All queries to databases from web applications are filtered for legitimate content and
correct syntax.
Parameterised queries or stored procedures, instead of dynamically generated queries,
are used for database interactions.
Web applications are designed or configured to provide as little error information as
possible about the structure of databases.
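The three controls above (filtering queries, using parameterised queries instead of dynamically generated ones, and the database logging control that follows, which singles out queries containing comments or multiple embedded statements) are easiest to see side by side. The example below is added here and is not code from the SoA template or the ISM: it builds a constructed in-memory SQLite table, shows a dynamically generated query being subverted by a classic `' OR '1'='1` value while the parameterised version of the same lookup is not, and adds a small heuristic that flags the two query shapes the logging control names. The table, names and case references are invented.

```python
"""Dynamic versus parameterised queries, plus a detector for the query shapes the
database logging control calls out.  Added example; all data is constructed."""
import re
import sqlite3
from typing import List


def seed_db() -> sqlite3.Connection:
    """Constructed in-memory table with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participant (id INTEGER PRIMARY KEY, name TEXT, case_ref TEXT)")
    conn.executemany(
        "INSERT INTO participant (name, case_ref) VALUES (?, ?)",
        [("Alice", "CASE-001"), ("Bob", "CASE-002"), ("Carol", "CASE-003")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, case_ref: str) -> List[str]:
    """VULNERABLE: the caller's string is spliced into the SQL text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = f"SELECT name FROM participant WHERE case_ref = '{case_ref}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, case_ref: str) -> List[str]:
    """Hardened: the driver binds case_ref as data; it can never become SQL syntax."""
    sql = "SELECT name FROM participant WHERE case_ref = ?"
    return [row[0] for row in conn.execute(sql, (case_ref,))]


_COMMENT = re.compile(r"--|/\*")


def suspicious_query(sql: str) -> List[str]:
    """Flag queries containing comments or multiple embedded statements.
    Heuristic: a ';' or '--' inside a string literal also trips it, which is acceptable
    for an alert that a person reviews, but not for a blocking filter."""
    reasons: List[str] = []
    if _COMMENT.search(sql):
        reasons.append("contains comment")
    if ";" in sql.strip().rstrip(";"):
        reasons.append("multiple embedded statements")
    return reasons
```

Stacked statements are not demonstrated against SQLite because its Python driver refuses to execute more than one statement per call; drivers for other engines may not, which is exactly why the logging control asks for queries with multiple embedded statements to be recorded.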
The following events are logged for databases: Y
• access or modification of particularly important content
• addition of new users, especially privileged users
• changes to user roles or privileges
• attempts to elevate user privileges
• queries containing comments
• queries containing multiple embedded queries
• database and query alerts or failures
• database structure changes
• database administrator actions
• use of executable commands
• database logons and logoffs.

Database event logs are stored centrally. Y

An email usage policy is developed, implemented and maintained.

Access to non-approved webmail services is blocked.

Protective markings are applied to emails and reflect the highest sensitivity or
classification of the subject, body and attachments.
Protective marking tools do not automatically insert protective markings into emails.

Protective marking tools do not allow users to select protective markings that a system
has not been authorised to process, store or communicate.
Protective marking tools do not allow users replying to or forwarding emails to select
protective markings lower than previously used.
Email servers are configured to block, log and report emails with inappropriate
protective markings.

The intended recipients of blocked inbound emails, and the senders of blocked
outbound emails, are notified.

Emails are routed via centralised email gateways.

When users send or receive emails, an authenticated and encrypted channel is used to
route emails via their organisation’s centralised email gateways.
Where backup or alternative email gateways are in place, they are maintained at the
same standard as the primary email gateway.
Email servers only relay emails destined for or originating from their domains (including
subdomains).
Opportunistic TLS encryption is enabled on email servers that make incoming or
outgoing email connections over public network infrastructure.
MTA-STS is enabled to prevent the unencrypted transfer of emails between complying
servers.
SPF is used to specify authorised email servers (or lack thereof) for all domains
(including subdomains).
A hard fail SPF record is used when specifying authorised email servers (or lack thereof)
for all domains (including subdomains).
SPF is used to verify the authenticity of incoming emails.
DKIM signing is enabled on emails originating from an organisation’s domains
(including subdomains).
DKIM signatures on received emails are verified.

Email distribution list software used by external senders is configured such that it does
not break the validity of the sender’s DKIM signature.
DMARC records are configured for all domains (including subdomains) such that emails
are rejected if they do not pass DMARC checks.

Incoming emails are rejected if they do not pass DMARC checks.
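The SPF and DMARC controls above are precise about record content: an SPF record must end in a hard fail (`-all`, including `v=spf1 -all` for domains that send no mail), and DMARC must reject, for the organisational domain and for every subdomain. The checker below is an added example (not code from the SoA template or the ISM) that evaluates TXT record text against those requirements; it does not query DNS, and the records in `SAMPLE_TXT` are constructed for illustration. Note the subdomain rule: RFC 7489 makes `sp` default to `p`, so a missing `sp` is fine only when `p=reject`.

```python
"""Evaluate SPF and DMARC records against the hard-fail and reject controls.
Added example; the records below are constructed, not real DNS lookups."""
from typing import Dict, List

SAMPLE_TXT = {
    "example.test":        "v=spf1 mx include:_spf.mailhost.example -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test",
    "weak.test":           "v=spf1 a mx ~all",
    "_dmarc.weak.test":    "v=DMARC1; p=quarantine; pct=50",
    "noemail.test":        "v=spf1 -all",          # domain that sends no mail at all
    "_dmarc.noemail.test": "v=DMARC1; p=reject",   # sp omitted, so it inherits reject
}


def audit_spf(record: str) -> List[str]:
    """A hard-fail record ends in '-all'; '~all', '?all', '+all' or no 'all' are findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings: List[str] = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("'~all' is soft fail, not hard fail")
        elif qualifier in "+?":
            findings.append(f"'{all_term}' lets any sender pass")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """DMARC records are 'tag=value' pairs separated by ';'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    findings: List[str] = []
    p = tags.get("p", "")
    if p != "reject":
        findings.append(f"p={p or 'missing'}: organisational domain policy is not reject")
    sp = tags.get("sp", p)  # RFC 7489: sp defaults to p when absent
    if sp != "reject":
        findings.append(f"sp={sp or 'missing'}: subdomain policy is not reject")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only part of the mail stream")
    return findings


def audit_domain(domain: str, txt: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks for one domain using the supplied TXT records."""
    return {
        "spf": audit_spf(txt.get(domain, "")),
        "dmarc": audit_dmarc(txt.get(f"_dmarc.{domain}", "")),
    }
```

A record that passes these checks still has to be reachable and unique: two SPF TXT records on one name is a permanent error for receivers, and an SPF record that exceeds the ten-lookup limit fails open, so a real checker should also resolve the `include:` chain.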

Email content filtering is implemented to filter potentially harmful content in email
bodies and attachments.
Emails arriving via an external connection where the email source address uses an
internal domain, or internal subdomain, are blocked at the email gateway.

Notifications of undeliverable emails are only sent to senders that can be verified via
SPF or other trusted means.
Network documentation is developed, implemented and maintained.

Network documentation includes high-level network diagrams showing all connections
into networks and logical network diagrams showing all critical servers, high-value
servers, network devices and network security appliances.
Network documentation provided to a third party, or published in public tender
documentation, only contains details necessary for other parties to undertake
contractual services.
All data communicated over network infrastructure is encrypted.

Networks are segregated into multiple network zones according to the criticality of
servers, services and data.
An organisation’s networks are segregated from their service providers’ networks.

VLANs are not used to separate network traffic between an organisation’s networks
and public network infrastructure.
VLANs are not used to separate network traffic between networks belonging to
different security domains.
Network devices managing VLANs are administered from the most trusted security
domain.
Network devices managing VLANs belonging to different security domains do not share
VLAN trunks.
Network devices managing VLANs terminate VLANs belonging to different security
domains on separate physical network interfaces.
IPv6 functionality is disabled in dual-stack network devices unless it is being used.

IPv6 capable network security appliances are used on IPv6 and dual-stack networks.

Unless explicitly required, IPv6 tunnelling is disabled on all network devices.

IPv6 tunnelling is blocked by network security appliances at externally-connected
network boundaries.
Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration
Protocol version 6 in a stateful manner with lease data stored in a centralised event
logging facility.
Network access controls are implemented on networks to prevent the connection of
unauthorised network devices.
Network access controls are implemented to limit network traffic within and between
network segments to only those required for business purposes.
Servers maintain effective functional separation with other servers allowing them to
operate independently.
Servers minimise communications with other servers at both the network and file
system level.
Security measures are implemented to prevent unauthorised access to network
management traffic.
SNMP version 1 and SNMP version 2 are not used on networks.

All default SNMP community strings on network devices are changed and write access
is disabled.
A NIDS or NIPS is deployed in gateways between an organisation’s networks and other
networks they do not manage.

A NIDS or NIPS is located immediately inside the outermost firewall for gateways and
configured to generate event logs and alerts for network traffic that contravenes any
rule in a firewall ruleset.
Inbound network connections from anonymity networks to internet-facing services are
blocked.
Outbound network connections to anonymity networks are blocked.

A protective DNS service is used to block access to known malicious domain names.

Network devices are flashed with trusted firmware before they are used for the first
time.
Default accounts or credentials for network devices including for any pre-configured
accounts, are changed.
Unused physical ports on network devices are disabled.

Network devices are restarted on at least a monthly basis.

All wireless devices are Wi-Fi Alliance certified.

Public wireless networks provided for general public use are segregated from all other
organisation networks.
The administrative interface on wireless access points is disabled for wireless network
connections.
Configuration settings for wireless access points are hardened.

Default SSIDs of wireless access points are changed.

SSIDs of non-public wireless networks are not readily associated with an organisation,
the location of their premises or the functionality of wireless networks.

SSID broadcasting is not disabled on wireless access points.

MAC address filtering is not used to restrict which devices can connect to wireless
networks.
Static addressing is not used for assigning IP addresses on wireless networks.

WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all
wireless network traffic.
802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual
authentication; with all other EAP methods disabled on supplicants and
authentication servers.
User identity confidentiality is used if available with EAP-TLS implementations.

Evaluated supplicants, authenticators, wireless access points and authentication
servers are used in wireless networks.
Certificates are generated using an evaluated certificate authority or hardware security
module.
Certificates are required for both devices and users accessing wireless networks.

Certificates are protected by encryption, user authentication, and both logical and
physical access controls.
The PMK caching period is not set to greater than 1440 minutes (24 hours).

The use of FT (802.11r) is disabled unless authenticator-to-authenticator
communications are secured by an ASD-Approved Cryptographic Protocol.
Communications between authenticators and a RADIUS server are encapsulated with
an additional layer of encryption using RADIUS over Internet Protocol Security or
RADIUS over Transport Layer Security.
Wireless networks implement sufficient frequency separation from other wireless
networks.
Wireless access points enable the use of the 802.11w amendment to protect
management frames.
Instead of deploying a small number of wireless access points that broadcast on high
power, a greater number of wireless access points that use less broadcast power are
deployed to achieve the desired footprint for wireless networks.

Cloud service providers are used for hosting online services.

An organisation is notified by cloud service providers of any change to configured
regions or availability zones for online services.
Cloud service providers’ ability to dynamically scale resources due to a genuine spike in
demand or a denial-of-service attack is tested as part of capacity planning processes for
online services.
Where a high availability requirement exists for online services, the services are
architected to automatically transition between availability zones.
Where a requirement for high availability exists for online services, a denial of service
mitigation service is used.
Continuous real-time monitoring of the availability of online services is performed.

Where a high availability requirement exists for website hosting, CDNs that cache
websites are used.
If using CDNs, disclosing the IP addresses of web servers under an organisation’s
control (referred to as origin servers) is avoided and access to the origin servers is
restricted to the CDNs and authorised management networks.

Denial-of-service attack mitigation strategies are discussed with cloud service
providers, specifically:
• their capacity to withstand denial-of-service attacks
• any costs likely to be incurred as a result of denial-of-service attacks
• thresholds for notification of denial-of-service attacks
• thresholds for turning off online services during denial-of-service attacks
• pre-approved actions that can be undertaken during denial-of-service attacks
• any arrangements with upstream service providers to block malicious network traffic
as far upstream as possible.

The functionality and quality of online services, how to maintain such functionality, and
what functionality can be lived without during a denial-of-service attack, are
determined and documented.
Domain names for online services are protected via registrar locking and confirming
domain registration details are correct.
Availability monitoring with real-time alerting is implemented for online services to
detect denial-of-service attacks and measure their impact.
Critical online services are segregated from other online services that are more likely to
be targeted.
A static version of a website is pre-prepared that requires minimal processing and
bandwidth in order to facilitate at least a basic level of service when under a denial-of-
service attack.
Cryptographic key management processes, and supporting cryptographic key
management procedures, are developed, implemented and maintained.
An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic
algorithm is used when encrypting media.
Cryptographic equipment or software that has completed a Common Criteria
evaluation against a Protection Profile is used when encrypting media that contains
OFFICIAL: Sensitive or PROTECTED data.
Full disk encryption, or partial encryption where access controls will only allow writing
to the encrypted partition, is implemented when encrypting data at rest.

An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic
protocol is used to protect data when communicated over network infrastructure.

Cryptographic equipment or software that has completed a Common Criteria
evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or
PROTECTED data when communicated over insufficiently secure networks, outside of
appropriately secure areas or via public network infrastructure.

Where practical, cryptographic equipment and software provides a means of data
recovery to allow for circumstances where the encryption key is unavailable due to
loss, damage or failure.
When a user authenticates to the encryption functionality of ICT equipment or media,
it is treated in accordance with its original sensitivity or classification until the user
deauthenticates from the encryption functionality.
Keyed cryptographic equipment is transported based on the sensitivity or classification
of its keying material.
The compromise or suspected compromise of cryptographic equipment or associated
keying material is reported to an organisation’s Chief Information Security Officer, or
one of their delegates, as soon as possible after it occurs.
Keying material is changed when compromised or suspected of being compromised.

Only AACAs or high assurance cryptographic algorithms are used by cryptographic
equipment and software.

ECDH and ECDSA are used in preference to DH and DSA.

When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits
is used, preferably 3072 bits.

When using DH for agreeing on encryption session keys, a modulus and associated
parameters are selected according to NIST SP 800-56A Rev. 3.

When using DSA for digital signatures, a modulus of at least 2048 bits is used.

When using DSA for digital signatures, a modulus and associated parameters are
generated according to FIPS 186-4.
When using elliptic curve cryptography, a curve from FIPS 186-4 is used.

When using ECDH for agreeing on encryption session keys, a base point order and key
size of at least 224 bits is used, preferably the NIST P-384 curve.

When using ECDSA for digital signatures, a base point order and key size of at least 224
bits is used, preferably the P-384 curve.

When using RSA for digital signatures, and passing encryption session keys or similar
keys, a modulus of at least 2048 bits is used, preferably 3072 bits.

When using RSA for digital signatures, and for passing encryption session keys or
similar keys, a different key pair is used for digital signatures and passing encrypted
session keys.
When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably
SHA-384.

When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-
256.

Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.

Only AACPs or high assurance cryptographic protocols are used by cryptographic
equipment and software.

Only the latest version of TLS is used for TLS connections.

AES-GCM is used for encryption of TLS connections.

Only server-initiated secure renegotiation is used for TLS connections.

DH or ECDH is used for key establishment of TLS connections.

When using DH or ECDH for key establishment of TLS connections, the ephemeral
variant is used.
Anonymous DH is not used for TLS connections.

SHA-2-based certificates are used for TLS connections.

SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and
pseudorandom function (PRF) for TLS connections.
TLS compression is disabled for TLS connections.

Perfect Forward Secrecy (PFS) is used for TLS connections.
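The TLS controls above translate into a handful of settings on the client or server context: the minimum protocol version, compression, certificate verification, and (for any TLS 1.2 fallback) an ephemeral (EC)DH key exchange with AES-GCM and no anonymous DH. The example below is added here and is not code from the SoA template, the ISM or the Python project: it builds a client context that meets those controls using the standard `ssl` module and audits any context against them. One caveat a practitioner should know: TLS 1.3 cipher suites are fixed by OpenSSL and cannot be restricted from Python's `set_ciphers`, so the cipher audit only covers TLS 1.2 suites, and PFS in TLS 1.3 is inherent because every key exchange is ephemeral.

```python
"""Build and audit an SSLContext against the TLS controls (latest version only,
no compression, (EC)DHE + AES-GCM, no anonymous DH).  Added example."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting the controls; create_default_context already requires
    a verified certificate, checks the hostname and disables compression."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # "only the latest version of TLS"
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION           # explicit, although already set
    # Belt and braces for any TLS 1.2 path: authenticated ephemeral (EC)DH with AES-GCM only.
    # TLS 1.3 suites are not affected by this call.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means the checked controls hold."""
    findings: List[str] = []
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}, not TLSv1_3")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is off")
    for c in ctx.get_ciphers():
        name = c["name"]
        if c["protocol"] == "TLSv1.3":
            continue  # fixed AEAD suites; see the caveat in the lead-in
        if name.startswith(("ADH", "AECDH")):
            findings.append(f"{name}: anonymous DH")
        elif not ("AES" in name and "GCM" in name) or not name.startswith(("ECDHE", "DHE")):
            findings.append(f"{name}: not ephemeral (EC)DH with AES-GCM")
    return findings
```

Use `audit_context` on the contexts your services actually create rather than on a freshly built one: a library default, or a context reused from older code, is where a TLS 1.2 minimum or a CBC suite survives.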

The use of SSH version 1 is disabled for SSH connections.


The SSH daemon is configured to:
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTCPForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no).
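The directive list above is concrete enough to check mechanically, and sshd has two properties that make a naive `grep` misleading: keywords are case-insensitive (the file says `AllowTCPForwarding`, the manual spells it `AllowTcpForwarding`), and the first value seen for a keyword wins, with anything after a `Match` block applying conditionally rather than globally. The checker below is an added example (not code from the SoA template, the ISM or OpenSSH) that parses the global section only and reports each listed directive that is missing or wrong; the sample configuration is constructed, and treating an absent directive as a finding, even where sshd's compiled-in default happens to match, is an assumption made so that the setting is explicit.

```python
"""Check an sshd_config against the directives listed in the control.
Added example; the configuration text is constructed."""
from typing import Dict, List, Optional

# Constructed sample with deliberate gaps and weak values.
SAMPLE_SSHD_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
ListenAddress 10.0.5.20
Banner /etc/issue.net
LoginGraceTime 120
HostbasedAuthentication no
PermitRootLogin yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no

Match User backup
    AllowTcpForwarding yes
"""

# Required values from the control; None means "any explicit, non-'none' setting".
REQUIRED = {
    "listenaddress": None,
    "banner": None,
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
}
MAX_LOGIN_GRACE = 60  # seconds, from the control


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global-section directives only: keywords lower-cased, first occurrence wins,
    parsing stops at the first Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_time(value: str) -> Optional[int]:
    """sshd time format: plain seconds or a value with an s, m or h suffix."""
    units = {"s": 1, "m": 60, "h": 3600}
    v = value.strip().lower()
    try:
        if v and v[-1] in units:
            return int(v[:-1]) * units[v[-1]]
        return int(v)
    except ValueError:
        return None


def audit_sshd(settings: Dict[str, str]) -> List[str]:
    """Return one finding per directive that is absent or does not match the control."""
    findings: List[str] = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None or got == "" or got.lower() == "none":
            findings.append(f"{key}: not set explicitly")
        elif want is not None and got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    grace = settings.get("logingracetime")
    if grace is None:
        findings.append("logingracetime: not set explicitly")
    else:
        seconds = parse_time(grace)
        if seconds is None or seconds > MAX_LOGIN_GRACE:
            findings.append(f"logingracetime: is '{grace}', expected at most {MAX_LOGIN_GRACE}s")
    return findings
```

Feeding the output of `sshd -T` (the effective configuration, with defaults filled in and keywords already lower-cased) into `parse_sshd_config` instead of the file on disk is the stronger check, because it also catches directives pulled in through `Include`.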

Public key-based authentication is used for SSH connections.

SSH private keys are protected with a passphrase or a key encryption key.

When using logins without a passphrase for SSH connections, the following are
disabled:
• access from IP addresses that do not require access
• port forwarding
• agent credential forwarding
• X11 display remoting
• console access.

If using remote access without the use of a passphrase for SSH connections, the ‘forced
command’ option is used to specify what command is executed and parameter
checking is enabled.
When SSH-agent or similar key caching programs are used, it is limited to workstations
and servers with screen locks and key caches that are set to expire within four hours of
inactivity.
Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME
connections.

Tunnel mode is used for IPsec connections; however, if using transport mode, an IP
tunnel is used.
The ESP protocol is used for authentication and encryption of IPsec connections.

IKE version 2 is used for key exchange when establishing IPsec connections.

AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.

PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for
IPsec connections, preferably PRF_HMAC_SHA2_512.
AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192,
AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating
IPsec connections, preferably NONE.
DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit
random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.
A security association lifetime of less than four hours (14400 seconds) is used for IPsec
connections.
PFS is used for IPsec connections.

Gateways are implemented between networks belonging to different security domains.

Gateways implement a demilitarised zone if external parties require access to an
organisation’s services.
Gateways only allow explicitly authorised data flows.
Gateways inspect and filter data flows at the transport and above network layers.

Gateways perform ingress traffic filtering to detect and prevent IP source address
spoofing.
System administrators for gateways undergo appropriate employment screening and,
where necessary, hold an appropriate security clearance based on the sensitivity or
classification of gateways.
System administrators for gateways are assigned the minimum privileges required to
perform their duties.
Separation of duties is implemented in performing administrative activities for
gateways.
System administrators for gateways are formally trained on the operation and
management of gateways.
Gateways are managed via a secure path isolated from all connected networks.

For gateways between networks belonging to different security domains, any shared
components are managed by system administrators for the higher security domain or
by system administrators from a mutually-agreed third party.

Users authenticate to other networks accessed via gateways.

ICT equipment authenticates to other networks accessed via gateways.

Public IP addresses controlled by, or used by, an organisation are signed by valid ROA
records.
The following events are logged for gateways:
• data packets and data flows permitted through gateways
• data packets and data flows attempting to leave gateways
• real-time alerts for attempted intrusions.

Gateway event logs are stored centrally.

Gateways undergo testing following configuration changes, and at regular intervals no
more than six months apart, to validate they conform to expected security
configurations.
Gateways undergo a security assessment by an IRAP assessor at least every 24 months.

Evaluated firewalls are used between an organisation’s networks and public network
infrastructure.
Evaluated firewalls are used between networks belonging to different security
domains.
Evaluated diodes are used for controlling the data flow of unidirectional gateways
between an organisation’s networks and public network infrastructure.

Evaluated diodes are used for controlling the data flow of unidirectional gateways
between networks.
A web usage policy is developed, implemented and maintained.

All web access, including that by internal servers, is conducted through web proxies.

The following details are logged for websites accessed via web proxies:
• address
• date and time
• user
• amount of data uploaded and downloaded
• internal and external IP addresses.

Web proxy event logs are stored centrally.


Web content filtering is implemented to filter potentially harmful web-based content.

Client-side active content is restricted by web content filters to an organisation-
approved list of domain names.
Web content filtering is applied to outbound web traffic where appropriate.

TLS traffic communicated through gateways is decrypted and inspected.

An organisation-approved list of domain names, or list of website categories, is
implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol
Secure traffic communicated through gateways.
Malicious domain names, dynamic domain names and domain names that can be
registered anonymously for free are blocked by web content filters.
Attempts to access websites through their IP addresses instead of their domain names
are blocked by web content filters.
Files imported or exported via gateways or CDSs undergo content filtering checks.

Files identified by content filtering checks as malicious, or that cannot be inspected, are
blocked.
Files identified by content filtering checks as suspicious are quarantined until reviewed
and subsequently approved or not approved for release.
Encrypted files imported or exported via gateways or CDSs are decrypted in order to
undergo content filtering checks.
Archive files imported or exported via gateways or CDSs are unpacked in order to
undergo content filtering checks.
Archive files are unpacked in a controlled manner to ensure content filter performance
or availability is not adversely affected.
Files imported or exported via gateways or CDSs undergo antivirus scanning using
multiple different scanning engines.
Executable files imported via gateways or CDSs are automatically executed in a
sandbox to detect any suspicious behaviour.
Files imported or exported via gateways or CDSs are filtered for allowed file types.

Files imported or exported via gateways or CDSs undergo content validation.

Files imported or exported via gateways or CDSs undergo content conversion.

Files imported or exported via gateways or CDSs undergo content sanitisation.

Files imported or exported via gateways or CDSs that have a digital signature or
cryptographic checksum are validated.
Evaluated peripheral switches are used when sharing peripherals between systems.

Data transfer processes, and supporting data transfer procedures, are developed,
implemented and maintained.
Users transferring data to and from systems are held accountable for data transfers
they perform.
When manually importing data to systems, the data is scanned for malicious and active
content.
When manually importing data to systems, all data that fails security checks is
quarantined until reviewed and subsequently approved or not approved for release.

When manually exporting data from systems, the data is checked for unsuitable
protective markings.
When manually exporting data from systems, all data that fails security checks is
quarantined until reviewed and subsequently approved or not approved for release.
Data transfer logs are used to record all data imports and exports from systems.

Data transfer logs for systems are partially verified at least monthly.
Control Implementation
Current implementation status
Implementation details (e.g. document or description) or Justification if N/A
If control is applicable but not implemented or partially implemented:
Implementation plan
Implementation date (dd/mm/yyyy)
Person responsible
Essential Eight (reference only): Maturity Level 2, Maturity Level 3
[Essential Eight Maturity Level 2 / Maturity Level 3 flags (Yes/No) for each ISM control; the control rows these column values belong to are not on this page]
ISM update (reference only): Revision, Updated
[Revision number and Updated date (Mmm-yy) for each ISM control; the control rows these column values belong to are not on this page]
Please note this is for Category 1 Providers only who require an independent ISO27001 assessment.
ISO27001 Annex A controls Version: <choose from ISO27001:2013 or ISO27001:2022>
Category: <copy from Annex A of the standard>
Sub-category: <copy from Annex A of the standard>
Control identifier: <copy from Annex A of the standard>
Control description: <copy from Annex A of the standard>
Control Implementation
Current implementation status
Implementation details (e.g. document or description) or Justification if N/A
If control is applicable but not implemented or partially implemented:
Implementation plan
Implementation date (dd/mm/yyyy)
Person responsible