ISM Controls and Risks
2025/03/09
No Name
Understanding Risk in Cybersecurity: The Role of ISM Controls and the NIST RMF
In today’s evolving threat landscape, organizations are constantly working to align with cybersecurity frameworks that help reduce risk to acceptable levels. In Australia, the Australian Cyber Security Centre (ACSC) provides the Information Security Manual (ISM)—a set of baseline security controls that organizations can implement to strengthen their cyber resilience. However, a common misunderstanding persists in many compliance assessments: treating non-compliance with ISM controls as risks themselves, rather than recognizing these controls as mechanisms to mitigate pre-existing inherent risks.
To clear this confusion, we need to align our understanding of ISM controls with the risk management philosophy outlined in frameworks like the NIST Risk Management Framework (RMF). Let’s unpack how the two fit together and why recognizing inherent and residual risk is vital for effective cybersecurity.
The Role of ISM Controls
The ACSC’s ISM offers a comprehensive set of security controls, ranging from identity and access management to physical and personnel security. These controls are not ends in themselves—they are mitigations designed to reduce the likelihood or impact of potential threats to an organization’s information systems.
Put simply, the ISM controls are tools to help you manage risk—not risk statements themselves.
For example, not implementing multi-factor authentication (MFA) should not be considered a “risk” in isolation. Rather, the inherent risk is unauthorized access to critical systems or data, and the absence of MFA increases the likelihood of that risk materializing. In this context, MFA is a control used to mitigate that risk.
Inherent vs. Residual Risk
Before diving deeper, it’s important to define two key terms:
- Inherent Risk: The level of risk that exists before any controls or mitigation strategies are applied. This is the “raw” or natural risk associated with an asset or system.
- Residual Risk: The level of risk that remains after security controls have been implemented. This is what organizations need to monitor and accept, transfer, or further mitigate.
Failure to differentiate between these leads to a skewed perception of risk. If every gap in ISM compliance is treated as a standalone risk, the organization may lose sight of the actual threats and vulnerabilities that matter most.
NIST RMF and Risk Identification
The NIST Risk Management Framework (RMF) provides a structured approach to managing cybersecurity risk through seven steps:
- Prepare for the activities
- Categorize the system
- Select security controls
- Implement the controls
- Assess the controls
- Authorize the system
- Monitor ongoing risk
The critical juncture for identifying inherent risk occurs early—Step 2: Categorize.
This stage involves determining the value of information systems and the potential impact of a security breach. It should include a comprehensive risk assessment that identifies inherent risks tied to system confidentiality, integrity, and availability. At this point, the organization is not yet concerned with which controls are or aren’t in place—it is simply trying to understand what’s at stake and what could go wrong.
ISM controls come into play in Steps 3 and 4 (Select and Implement). The controls are chosen to address the specific risks identified in the categorization and assessment process. Only after controls have been selected and implemented does the organization assess what residual risks remain (Step 5).
Misalignment with ISM = Residual Risk
Once controls are implemented, auditors and assessors will often note where there are gaps or misalignments with the ISM. These gaps do not represent new risks; rather, they indicate how much of the original, inherent risk remains unmitigated.
Let’s illustrate this with an example:
- Inherent Risk: Sensitive customer data could be stolen through unauthorized access.
- ISM Control: Implement MFA and audit logging.
- Assessment Result: MFA is in place, but audit logging is missing.
- Residual Risk: There remains an elevated risk of undetected malicious access due to lack of logs.
By this logic, the misalignment with ISM (missing audit logging) does not represent a new risk—it represents a partial mitigation of the original, identified risk.
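To make the distinction concrete, here is a small risk-register model, added as an illustration and not taken from the ISM, the RMF or the article: the business risk carries the inherent score, implemented controls reduce it, and unimplemented controls are reported as the reason residual risk remains rather than as risks of their own. The 1-5 scale, the per-control reductions, and the choice to model audit logging as an impact reduction are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# The 1-5 likelihood/impact scale and the per-control reductions below are
# constructed for this illustration; neither the ISM nor the RMF prescribes them.

@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact": the dimension this control mitigates
    effect: int         # points removed from that dimension when the control is in place
    implemented: bool = False

@dataclass
class Risk:
    statement: str      # the business risk, phrased as an outcome (what could go wrong)
    likelihood: int     # inherent likelihood, assessed before any control is considered
    impact: int         # inherent impact
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """Apply only the controls the assessment found actually implemented."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            if not c.implemented:
                continue
            if c.reduces == "likelihood":
                likelihood = max(1, likelihood - c.effect)
            else:
                impact = max(1, impact - c.effect)
        return likelihood, impact

    def residual_score(self) -> int:
        likelihood, impact = self.residual()
        return likelihood * impact

    def gaps(self) -> list:
        """ISM misalignments: reported as why residual risk remains, not as new risks."""
        return [c.name for c in self.controls if not c.implemented]

def register_entry(risk: Risk) -> dict:
    """One executive-facing register line, keyed on the business risk statement."""
    return {"risk": risk.statement, "inherent": risk.inherent_score(),
            "residual": risk.residual_score(), "open_control_gaps": risk.gaps()}

# The article's scenario: MFA in place, audit logging missing (values constructed).
DATA_THEFT = Risk("Sensitive customer data stolen through unauthorized access", 4, 5, [
    Control("Multi-factor authentication", "likelihood", 2, implemented=True),
    # Logging does not stop access; assumed to cut impact by shortening undetected dwell time.
    Control("Audit logging", "impact", 2, implemented=False),
])

if __name__ == "__main__":
    print(register_entry(DATA_THEFT))
```

With MFA alone the inherent score of 20 falls to a residual of 10, and the register line names the missing logging as an open gap under the same risk instead of as a second risk.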
This distinction is more than academic—it has practical implications for how organizations prioritize remediation and how risk is communicated to senior leadership.
Why the Distinction Matters
- Better Risk Prioritization: By focusing on the root causes of risk rather than the absence of controls, organizations can better prioritize security efforts and resource allocation.
- Clearer Executive Reporting: Risk registers that list actual business risks (“unauthorized access to sensitive data”) rather than technical control gaps (“MFA not implemented”) resonate more clearly with executives and boards.
- Informed Acceptance of Risk: During the authorization step (NIST RMF Step 5), authorizing officials need to understand the true residual risk they are accepting—not just a checklist of ISM control compliance.
- Avoiding Misguided Compliance Focus: Treating misalignments as risks themselves encourages a compliance-first mindset rather than a risk-based one. The goal should not be blind alignment to ISM, but effective risk reduction tailored to the system’s context.
Conclusion
The ISM is a powerful toolset for managing cybersecurity risk, but its effectiveness is undermined when misused as a checklist of standalone risks. By returning to the fundamentals of risk management—particularly as described in frameworks like the NIST RMF—organizations can ensure that:
- Inherent risks are identified early,
- ISM controls are applied as mitigations, and
- Misalignments are properly classified as residual risks.
This shift in mindset leads to smarter security investments, clearer accountability, and a stronger overall cybersecurity posture.
Cybersecurity is about managing uncertainty—not just ticking boxes. By understanding the real function of ISM controls and their place in the risk lifecycle, organizations can move from reactive compliance to proactive resilience.