
The Irrational Security Monologue

  Published by: Joffy, Category: Information Security, Views: 696, Date: 2016-07-06

ISM2013 April Conversion

So after the 2016 version dropped and I updated the Checklist builder, I figured I should go back and convert my old ASD-XML document format version of the ISM into my newer XML-Data format.

You can check out the ISM2013-04 edition on my website, and it has even been added to the ISM Comparison Tool, so now you can compare 2013 to 2016 for full coverage.

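Document Structure

| Parts | Chapters | Sections | Topics | Context Topics | Control Topics |
| --- | --- | --- | --- | --- | --- |
| 6 | 24 | 91 | 712 | 171 | 541 |

Authority Breakdown

| Agency Head | Accreditation Authority | Director of DSD | Agency Minister |
| --- | --- | --- | --- |
| 474 | 412 | 18 | 16 |

Controls Breakdown

| Total | BASELINE | PROTECTED | CONFIDENTIAL | SECRET | TOP-SECRET |
| --- | --- | --- | --- | --- | --- |
| 920 | 774 | 805 | 801 | 806 | 820 |

Controls Updated on Date

| Apr-13 | Sep-12 | Sep-11 | Nov-10 | Sep-09 | Sep-08 |
| --- | --- | --- | --- | --- | --- |
| 51 | 357 | 231 | 228 | 29 | 24 |

Compliance Breakdown

| Must | Must Not | Should | Should Not |
| --- | --- | --- | --- |
| 453 | 55 | 381 | 31 |

Why The Change?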

The original transcription of the 2013 edition used the same format as the last XML format DSD released, which was, for lack of a better description, a file/save-as of the document. The newer XML format I created for storing the ISM is hierarchical, which allows solid XPath queries to be run against the data, or the document to be transformed with a template.

For comparison with my original post, this is what the head of the new XML file looks like:

<document>
<detail>
   <title>Australian Government Information Security Manual</title>
   <name>AusGov. ISM2013 (April)</name>
   <shortname>ISM2013-04</shortname>
   <prefix>AusGov-ISM</prefix> <!--  PREFIX is Important - do not change between versions -->
   <release>a</release>
   <comment></comment>
   <blame></blame>
   <notes>Where new Control Sections have been added, the reference material has been included to reflect original layout and formatting.</notes>
   <about>
      This project continues an evolution of a debugging tool I started developing in 2012, which helped me identify errors in DSD's XML ISM format. It soon became a tool to help me identify transcription flaws in my own conversion of the ISM PDF back into an XML format for use in several compliance projects.<br/>
      It became an increasingly useful reference tool when it integrated a full HTML output, replicating the ISM document. This was expanded over the next year to include over fifteen data transformations from the source XML format, including Graphs, Tables, CSV, JSON, SQL and proprietary data packs.<br/>
      In 2014 I started developing a mobile version of the ISM project 'Guidance Browser'. After developing 2 prototypes and 3 application revisions of the 'GuiBro' tool for Android I found it too difficult to maintain usability with such a rich document; I returned to further extending the functionality of this tool for desktop use.
   </about>
</detail>
<leading>
  <title>Introduction</title>
  <chapter>
    <title>Australian Government Information Security Manual 2013</title>
    <section>
      <title>Foreword</title>
      <topic>
        <para>Advances in information technology have greatly benefited the conduct of government and commercial business, and have become essential to everyday communication. Information technology is providing greater accessibility, mobility, convenience and, importantly, efficiency and productivity. Australia’s prosperity is dependent on taking full advantage of the digital revolution and all it offers.</para>
        <para>But advances in information technology can be a double-edged sword. Australian networks, whether government, commercial or personal, are facing an unprecedented level of intrusion activities. Threats to information can come from a wide range of sources, including individuals, issue motivated groups, organised criminal syndicates and nation states.</para>
        <para>It is important to know that things can be done to mitigate the security risks presented by this evolving threat environment. The Defence Signals Directorate supports agencies in embracing the latest technology by providing the information and tools which enable them to minimise the risks involved. Ultimately, technology will change faster than people’s behaviour around it. Helping people make better decisions about new technology will allow us to stay ahead of the curve.</para>
        <para>The Australian Government Information Security Manual forms an important part of the Government’s strategy to enhance its information security capability. The Manual comprises three complementary documents designed to provide greater accessibility and understanding at all levels of government. The controls manual provides a set of detailed measures which can be implemented to help mitigate security risks to agencies’ information and systems.</para>
        <para>I encourage you to apply the controls described here and to ensure you have effective security governance arrangements in place. Doing so will provide assurance that the information entrusted to you is properly protected.</para>
        <para>Ian McKenzie, Director, Defence Signals Directorate</para>
      </topic>
    </section>
  </chapter>
</leading>
<framework>
  <title>Australian Government Information Security Manual</title>
  <part>
    <title>About Information Security</title>
    <chapter>
      <title>Using This Manual</title>
      <section>
        <objective>
          <para>The Australian Government Information Security Manual (ISM) is used for the risk-based application of information security to information and systems.</para>
        </objective>
        <scope>
           <para>This section describes how to interpret the content and layout of this manual.</para>
        </scope>
        <context>
          <topic>
            <title>Purpose of the Australian Government Information Security Manual</title>
            <para>The purpose of this manual is to assist Australian government agencies in applying a risk-based approach to protecting their information and systems. While there are other standards and guidelines designed to protect information systems, the advice in this manual is specifically based on activity observed by the Defence Signals Directorate (DSD) on Australian government networks. The security controls are therefore designed to mitigate the most significant threats to Australian government agencies.</para>
          </topic>
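
The kind of XPath query the hierarchical layout makes possible, as an added example (not the author's own tooling). It uses only element names visible in the excerpt above; the sample document, its shortened topic titles, second chapter and paragraph text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a closed-off miniature of the excerpt above. Element names
# come from the excerpt; titles are shortened and the second chapter is made up.
SAMPLE = """<document>
<detail><shortname>ISM2013-04</shortname><prefix>AusGov-ISM</prefix></detail>
<framework>
  <part><title>About Information Security</title>
    <chapter><title>Using This Manual</title>
      <section><context>
        <topic><title>Purpose of the manual</title><para>constructed text A</para></topic>
        <topic><title>Applicability</title><para>constructed text B</para></topic>
      </context></section>
    </chapter>
    <chapter><title>Sample Chapter</title>
      <section><context>
        <topic><title>Sample Topic</title><para>constructed text C</para></topic>
      </context></section>
    </chapter>
  </part>
</framework>
</document>"""

# The stdlib parser suits a file you produced yourself; it is not hardened
# against hostile XML (e.g. entity expansion), so do not feed it untrusted input.
ROOT = ET.fromstring(SAMPLE)

def structure_counts(root):
    """Rebuild a 'Document Structure' row with one path expression per level."""
    paths = {
        "parts": "./framework/part",
        "chapters": "./framework/part/chapter",
        "sections": "./framework/part/chapter/section",
        "context_topics": "./framework/part/chapter/section/context/topic",
    }
    return {name: len(root.findall(path)) for name, path in paths.items()}

def topic_index(root):
    """(part, chapter, topic) title triples, recovered from the nesting alone."""
    return [(part.findtext("title"), chapter.findtext("title"), topic.findtext("title"))
            for part in root.findall("./framework/part")
            for chapter in part.findall("./chapter")
            for topic in chapter.findall("./section/context/topic")]

def paragraphs_for(root, topic_title):
    """Predicate query: the <para> text of every topic with this exact title."""
    if "'" in topic_title:  # ElementTree predicates cannot escape quotes
        raise ValueError("quote in title")
    return [p.text for p in root.findall(f".//topic[title='{topic_title}']/para")]
```

A flat file/save-as export offers no equivalent of `topic_index`, because the part and chapter a topic belongs to would have to be inferred from document order rather than read off its ancestors.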
