ASD's Blueprint for Secure Cloud

Organisational policies and strategies

Estimated reading time: 2 minutes

ASD’s Information Security Manual (ISM) requires organisations to develop and maintain a range of organisational policies or strategies. ASD’s Blueprint for Secure Cloud (the Blueprint) does not provide guidance or templates for these important artefacts. The Blueprint does provide the following checklist that organisations can refer to when reviewing, developing and updating their documentation associated with a system or systems built using the Blueprint.

Cyber Security Strategy

A Cyber Security Strategy is a requirement of ISM control ISM-0039.

Cyber Security Incident Management Policy

A Cyber Security Incident Management Policy is a requirement of ISM control ISM-0576.

ISM control ISM-1784 is also relevant to this policy and states the following requirements:

  • an associated Cyber Security Incident Response Plan is also developed
  • the Cyber Security Incident Management Policy and Cyber Security Incident Response Plan are to be exercised annually by the organisation.

Digital Preservation Policy

A Digital Preservation Policy is a requirement of ISM control ISM-1510.

Email Usage Policy

A Email Usage Policy is a requirement of ISM control ISM-0264.

Event Logging Policy

A Event Logging Policy is a requirement of ISM control ISM-0580.

Fax Machine and MFD Usage Policy

A Fax Machine and MFD Usage Policy is a requirement of ISM control ISM-0588.

ICT Equipment Management Policy

A ICT Equipment Management Policy is a requirement of ISM control ISM-1551.

Media Management Policy

A Media Management Policy is a requirement of ISM control ISM-1549.

Mobile Device Management Policy

A Mobile Device Management Policy is a requirement of ISM control ISM-1533.

Mobile Device Usage Policy

A Mobile Device Usage Policy is a requirement of ISM control ISM-1082.

Removable Media Usage Policy

A Removable Media Usage Policy is a requirement of ISM control ISM-1359.

ISM control ISM-1713 is also relevant to this policy and states the following requirements:

  • An associated Removal Media Register is also developed, implemented, maintained and verified on a regular basis.

Supplier Relationship Management Policy

A Supplier Relationship Management Policy is a requirement of ISM control ISM-1785.

System Usage Policy

A System Usage Policy is a requirement of ISM control ISM-1864.

Telephone System Usage Policy

A Telephone System Usage Policy is a requirement of ISM control ISM-1078.

Vulnerability Disclosure Policy

A Vulnerability Disclosure Policy is a requirement of ISM control ISM-1755.

Web Usage Policy

A Web Usage Policy is a requirement of ISM control ISM-0258.

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra