
OSCAL and the ACSC Information Security Manual

BLUF: Web-enabled ISM for automated security control tracing and validation

The links below lead to the top-level ISM control sets used as input to automated security control allocation and testing.

Overview

To obtain an Authority to Operate (ATO), a system must demonstrate that its operational risks have been reduced to an acceptable level. In Australia this is commonly done against the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM). The traditional approach, tracking controls in Excel spreadsheets and Word documents, makes reliable control allocation and testing hard, which in turn makes it difficult to maintain a verifiable security posture over time.

To address this, the U.S. standards body NIST developed the Open Security Controls Assessment Language (OSCAL), a machine-readable format that enables automated control allocation and testing. The ACSC has adopted it by publishing the ISM in the OSCAL schema.

Even so, additional tooling is needed before the OSCAL ISM is practical to use. Virtualnation has developed ISM OSCAL parsers in Rust, complemented by a REST API for easy access.

For example, the curl request:

```bash
curl https://ism.local/control/ism-0123
```

returns the following JSON:

```json
{
  "group": "04,1,5",
  "id": "ism-0123",
  "title": "Control: ism-0123",
  "revision": "4",
  "updated": "Jun-23",
  "applicability": "ALL",
  "statement": "<p>Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.</p>",
  "essential_eight_applicability": "ML3",
  "class": "ISM-control",
  "sort_id": "04,1,5,1"
}
```

Similarly, the following curl requests return all the controls as a single document, and the different security control groups:

```bash
curl https://ism.local/control
curl https://ism.local/control/all
curl https://ism.local/group
```

Reading JSON can be tedious, so markdown versions of the controls are also produced; these can be displayed with a static site generator such as VitePress. Generated HTML versions of the controls can be found at the following links.

Take me to the controls

ISM in Group Context

All ISM Controls
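Client-side handling of the control records shown above, as an added example (it is not Virtualnation's code, nor the parser or API the page describes): it checks a record against the field shape the API returns, orders controls by `sort_id`, strips the embedded `<p>` markup from `statement` before rendering so no HTML is passed through, and emits the kind of markdown the page says is generated. The `ism-0123` record is copied from the page; the `ism-0000` record and the `REQUIRED` field list are constructed assumptions.

```python
import html
import json
import re

# Constructed sample input: the first record is the page's ism-0123 response;
# the second is a placeholder (ism-0000 is not a real ISM control) to exercise ordering.
SAMPLE_CONTROLS = json.loads("""[
  {"group": "04,1,5", "id": "ism-0123", "title": "Control: ism-0123",
   "revision": "4", "updated": "Jun-23", "applicability": "ALL",
   "statement": "<p>Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.</p>",
   "essential_eight_applicability": "ML3", "class": "ISM-control", "sort_id": "04,1,5,1"},
  {"group": "04,1,5", "id": "ism-0000", "title": "Control: ism-0000",
   "revision": "1", "updated": "Jun-23", "applicability": "ALL",
   "statement": "<p>Placeholder statement &amp; not a real control.</p>",
   "essential_eight_applicability": "", "class": "ISM-control", "sort_id": "04,1,5,0"}
]""")

# Assumed minimum field set, taken from the record shape shown on the page.
REQUIRED = ("id", "group", "sort_id", "statement", "class", "essential_eight_applicability")
TAG_RE = re.compile(r"<[^>]+>")

def validate(control: dict) -> list:
    """Return a list of problems; an empty list means the record has the documented shape."""
    problems = [f"missing field {k}" for k in REQUIRED if k not in control]
    if not re.fullmatch(r"ism-\d{4}", control.get("id", "")):
        problems.append("id is not of the form ism-NNNN")
    # sort_id extends group with the control's position, so it must share the group prefix.
    if not control.get("sort_id", "").startswith(control.get("group", "\0")):
        problems.append("sort_id does not descend from group")
    return problems

def sort_key(control: dict) -> tuple:
    """Turn '04,1,5,1' into (4, 1, 5, 1) so controls order numerically within the ISM hierarchy."""
    return tuple(int(part) for part in control["sort_id"].split(","))

def plain_statement(control: dict) -> str:
    """Strip the <p> markup the API embeds so the statement is rendered as text, never as raw HTML."""
    return html.unescape(TAG_RE.sub("", control["statement"])).strip()

def to_markdown(controls: list, maturity: str = "") -> str:
    """Render controls as markdown in hierarchy order, optionally only one Essential Eight maturity level."""
    lines = []
    for c in sorted(controls, key=sort_key):
        if maturity and c["essential_eight_applicability"] != maturity:
            continue
        lines.append(f"## {c['id']} (rev {c['revision']}, {c['updated']}, E8: {c['essential_eight_applicability'] or 'n/a'})")
        lines.append(plain_statement(c))
        lines.append("")
    return "\n".join(lines)
```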