2. ACSC 18 Principles – Protecting ISM
David Pierce PM
www.davidpiercepm.com
Adapted form ASD> https://acsc.gov.au/publications/Australian_Cyber_Security_Principles_Initial_Draft.pdf
Principles - Domain Categorised 1 of 5
Leadership
1. Cyber security leadership within organisations is provided by a Chief
Information Security Officer (CISO).
Access
2. Only trusted suppliers are used to deliver and support information and
communications technology services.
3. Only trusted, and vendor-supported, applications are allowed to execute
on systems.
3. ACSC 18 Principles – Protecting ISM
David Pierce PM
www.davidpiercepm.com
Adapted form ASD> https://acsc.gov.au/publications/Australian_Cyber_Security_Principles_Initial_Draft.pdf
Principles - Domain Categorised 2 of 5
Access (cont)
4. Only trusted suppliers are used to deliver and support information and
communications technology services.
5. Only trusted, and vendor-supported, applications are allowed to execute
on systems.
6. 5. Personnel are educated and trained in cyber security matters.
7. 6. Personnel are granted the minimum access to information,
applications and systems required for their duties.
4. ACSC 18 Principles – Protecting ISM
David Pierce PM
www.davidpiercepm.com
Adapted form ASD> https://acsc.gov.au/publications/Australian_Cyber_Security_Principles_Initial_Draft.pdf
Principles - Domain Categorised 3 of 5
Access (cont)
8. Unauthorised access to systems, supporting infrastructure and facilities is
restricted.
Deployment
9. Cyber security risks are identified, managed and accepted before systems
are used in production environments.
10. Applications, services and systems are designed, developed and deployed
using secure practices.
5. ACSC 18 Principles – Protecting ISM
David Pierce PM
www.davidpiercepm.com
Adapted form ASD> https://acsc.gov.au/publications/Australian_Cyber_Security_Principles_Initial_Draft.pdf
Principles - Domain Categorised 4 of 5
Deployment (cont)
11. Applications and services are configured in a secure manner to reduce
their attack surface.
Maintenance and Control
12. Cyber security risks are identified, managed and accepted before systems
are used in production environments.
13. Applications, services and systems are designed, developed and deployed
using secure practices.
6. ACSC 18 Principles – Protecting ISM
David Pierce PM
www.davidpiercepm.com
Adapted form ASD> https://acsc.gov.au/publications/Australian_Cyber_Security_Principles_Initial_Draft.pdf
Principles - Domain Categorised 5 of 5
Maintenance and Control
12. Important information is backed up in a secure and resilient manner on a
regular basis.
13. Sensitive information is encrypted at rest and in transit between different
systems.
14. Information transferred between different systems is done so in a
controlled and auditable manner.
15. Measures are implemented to detect and respond to cyber threats and
cyber security incidents.