ISM vs Essential Eight: what's the difference?

Both come from the Australian Signals Directorate (ASD), both turn up in the same conversations, and they are often confused. But the Information Security Manual and the Essential Eight Maturity Model do two different jobs. Here is how they relate.

The short version

  • The ISM is a comprehensive catalogue of cyber security controls across 22 domains. Which controls apply is driven by the classification of the data a system handles.
  • The Essential Eight is a prioritised set of eight mitigation strategies, measured by maturity level. It is about getting the highest-impact controls in place against escalating attacker tradecraft.

Put simply: the ISM is the full control set scoped by data sensitivity; the Essential Eight is a focused baseline scoped by how capable an adversary you want to stop.

The Information Security Manual (ISM)

The ISM is the framework an organisation applies, using its own risk management process, to protect IT and operational technology systems from cyber threats. Applicability is based on classification — OFFICIAL: Sensitive, PROTECTED, SECRET — so a system holding more sensitive data attracts more controls. It is the framework IRAP assessors evaluate systems against.

The Essential Eight Maturity Model

The Essential Eight is eight mitigation strategies — including patching applications and operating systems, application control, restricting administrative privileges, multi-factor authentication, and regular backups. The Maturity Model rates implementation across levels (zero through three), where higher levels defend against more capable adversaries. It is deliberately small and prioritised, which is why it is often the starting point for organisations early in their security program.

How they overlap

The two are explicitly connected. The ASD publishes a mapping between the Essential Eight Maturity Model and the ISM, so the Essential Eight controls trace directly into ISM requirements. The difference is intent: the ISM scopes by the classification of the data, while the Essential Eight prioritises by the tradecraft and targeting of malicious actors. They answer different questions about the same system.

The Essential Eight is a strong baseline. The ISM is the full picture. Most mature programs end up doing both — Essential Eight as the floor, the ISM as the scope.

Which one applies to you?

  • Handling Australian Government data at a classification? You are in ISM territory, and likely an IRAP assessment.
  • Building up cyber maturity or reporting against a government uplift program? Essential Eight maturity is usually the measure.
  • Doing both? Expect to assess the Essential Eight as part of, and mapped into, your broader ISM work.

Assessing both in one place

OakAttest handles both. The ASD ISM framework supports cumulative classification scoping with an Essential Eight Maturity Model overlay, so an engagement can carry the full ISM scope and the Essential Eight view together — from scoping through evidence to a defensible certification record, with Australian data residency.

Authoritative sources: the ASD maintains the definitive ISM, Essential Eight Maturity Model and their mapping at cyber.gov.au. This guide is an overview, not a substitute for that guidance.
