Compliance with the 2021 ISM Protective Marking Controls

The use of security protective markings as an effective means to maintain data confidentiality and prevent data leakage is well established in national government circles, especially when dealing with hardcopy material. These same principles can also be applied to electronic information.

The Protective Marking Security Framework (PSPF)1 was developed by the Australian Federal Government to protect people, information and assets. One of the mandatory requirements of the PSPF Information Security Policy 8: ’Sensitive and classified information’2 states that: “Each entity must:

  1. identify information holdings
  2. assess the sensitivity and security classification of information holdings
  3. implement operational controls for these information holdings proportional to their value, importance and sensitivity.”

The ASD’s security practices and procedures are guided by whole-of-government standards and guidelines including the Australian Government Information Security Manual (ISM) and the PSPF. To address security classification and control policies and procedures, entities where appropriate are to:

  • ensure all information is protectively marked/security classified in accordance with PSPF policy 8: Sensitive and classified information2
  • implement controls for all security classified information, in accordance with the Information Security Manual (ISM)3

The Australian Government now requires some of its supply chain to adhere to the standards of the ISM and all entities by the requirements of the PSPF. The ISM lists protective marking requirements and refers to the PSPF for further information. It states the requirements apply to ‘All Departments, Statutory Bodies and Shared Service Providers’.

2 PSPF Policy 8: Sensitive and classified information details how entities correctly assess the sensitivity or security classification of their information and how to handle it accordingly.
3 The Australian Signals Directorate (ASD) Australian Government Information Security Manual June 2021


The ISM was updated in June 2021. Many of the controls analysed in the 2017 ISM have been consolidated. Janusnet has written a document to reflect the alignment of the lated controls in the ISM and the use, or configuration of Janusnet software. It's called 'Compliance checklist - Protective Marking Controls of the Information Security Manual 2021'. It shows how Janusnet can help with compliance to many of the controls required in the 'Guidelines for Email' section of the updated ISM, including the following: 0270, 0271, 0272, 1089, 0565, 1023, 0269.  It also highlights new capabilities in Janusseal and Janusgate.

While this is intended as a review document for Janusnet’s extensive customer base of Commonwealth departments and agencies, it is also relevant for organisations that handle Commonwealth information, and some state government departments and agencies that want to apply similar controls as the Commonwealth.

Our 'Compliance checklist - Protective Marking Controls of the ISM 2021' document is a guide to assist service providers, ITSAs and their colleagues on the utilisation of Janusnet software to comply with the controls. To obtain a copy of it, please fill in the form below and we'll email it to you.