# Compliance Mapping

The tables below map ADRs to specific controls and requirements in Western Australian and Australian compliance frameworks.
## ACSC Information Security Manual (ISM)
| ADR | Topic | ISM Guidelines & Control IDs | Key Controls |
|---|---|---|---|
| 001 Isolation | Application isolation | Guidelines for Networking (ISM-1182, ISM-0535, ISM-1277, ISM-1517) | Network segmentation, micro-segmentation, preventing bypass of controls |
| 002 Workloads | Cloud workloads | Cloud Computing Security (ISM-1588, ISM-1589, ISM-1452, ISM-0499) | Cloud security assessment, multi-tenant isolation, virtualisation hardening |
| 004 CI/CD | Build and release | Guidelines for Software Development (ISM-1256, ISM-0400, ISM-1419, ISM-2032) | Secure development lifecycle, environment segregation, automated testing |
| 005 Secrets | Secrets management | Guidelines for Cryptography (ISM-0507, ISM-0488, ISM-0518, ISM-1090) | Key management, secure storage of secrets, key rotation |
| 007 Logging | Security logging | Guidelines for System Monitoring (ISM-0580, ISM-1405, ISM-1985, ISM-0988) | Event logging policy, centralised logging, log protection, time synchronisation |
| 008 Email Auth | Email authentication | Guidelines for Email (ISM-0574, ISM-1151, ISM-1540, ISM-0259) | SPF, DKIM, DMARC, email encryption |
| 010 IaC | Infrastructure as code | Guidelines for System Hardening (ISM-1211, ISM-1409, ISM-1383) | Configuration management, automated deployment, drift detection |
| 011 AI Tool and Agent Governance | AI tool and agent governance | Guidelines for Software Development (ISM-2074, ISM-1755, ISM-0226) | AI usage policy, supply chain risk management, software assessment |
| 012 Privileged Access | Privileged access | Guidelines for System Management (ISM-1175, ISM-1507, ISM-1483, ISM-1173) | Restricting privileged access, JIT access, jump servers, MFA for admins |
| 013 Identity | Identity federation | Guidelines for Personnel Security (ISM-0418, ISM-1173, ISM-1420, ISM-1505) | Authentication, MFA, federated identity trust, credential management |
| 016 Edge Protection | WAF and CDN | Guidelines for Gateways (ISM-1192, ISM-1262, ISM-1460) | Web application firewalls, traffic inspection, DDoS protection |
## ACSC Agentic AI Guidance

The ACSC guidance *Careful adoption of agentic AI services* recommends aligning agentic AI risks with existing security models, avoiding broad access to sensitive data or critical systems, and starting with low-risk, non-sensitive tasks.
| ADR | Guidance Alignment |
|---|---|
| 011 AI Tool and Agent Governance | Low-risk adoption, least privilege, human approval gates, sandbox testing, monitoring and audit logs, trusted component inventories, isolation of high-risk agents |
## WA Government Cyber Security Policy (WA CSP)
The 2024 WA Government Cyber Security Policy defines baseline cyber security requirements for WA Government entities.
| ADR | WA CSP Requirement | Section |
|---|---|---|
| 001 Isolation | Cyber security context & risk management | 2.1, 2.2 |
| 002 Workloads | Supply chain risk, data offshoring | 2.3, 1.5 |
| 005 Secrets | Information security (Cryptography) | 3.1 |
| 006 Policy Enforcement | Cyber security governance | 1.4 |
| 007 Logging | Continuous monitoring | 4.2 |
| 011 AI Tool and Agent Governance | Supply chain risk management | 2.3 |
| 012 Privileged Access | Identity and access management | 3.6 |
| 013 Identity | Identity and access management | 3.6 |
Implementation Guidance:
- 1.1 Accountable Authority - See Policy Implementation section
- 1.3 Cyber Security Operations - WA SOC Guidelines
## WA Government AI Policy
The WA Government AI Policy and Assurance Framework requires AI Accountable Officers and self-assessments for AI projects.
| ADR | WA AI Policy Requirement |
|---|---|
| 011 AI Tool and Agent Governance | AI Accountable Officer, AI Assurance Framework self-assessment |
| 015 Data Governance | Data quality validation for AI systems |
Key Requirements:
- Nominate: AI Accountable Officer per entity
- Assess: Complete AI Assurance Framework self-assessment (downloadable template available on policy page)
- Submit: Refer high-risk projects (or >$5M) to the Office of Digital Government
## Privacy and Responsible Information Sharing (PRIS)
The Privacy and Responsible Information Sharing (PRIS) framework governs personal information handling and upcoming statutory requirements.
| ADR | PRIS Alignment |
|---|---|
| 007 Logging | Minimise PII in logs (Data Minimisation) |
| 013 Identity | Data minimisation, consent protocols |
| 015 Data Governance | Information classification, retention schedules |
## Digital ID Act 2024 (Commonwealth)
The Digital ID Act 2024 establishes privacy safeguards for the Australian Government Digital ID System (AGDIS).
| ADR | Digital ID Act Requirement |
|---|---|
| 013 Identity | Data minimisation (s15), no single identifiers (s16), voluntary participation (s18), biometric safeguards (Part 4) |
Key Privacy Safeguards:
- Prohibit collection beyond identity verification requirements
- Prevent tracking across services using persistent identifiers
- Users cannot be required to create a Digital ID for service access (voluntary)
- Strict restrictions on collection, use, and disclosure of biometric information
## Additional Resources
- ACSC Essential Eight
- WA SOC Cyber Security Guidelines
- WA Government Cyber Security Policy - includes Data Offshoring Position
- National Framework for AI Assurance in Government