Compliance Mapping
The tables below map each ADR to the specific controls and requirements in Western Australian and Australian compliance frameworks.
ACSC Information Security Manual (ISM)
| ADR | Topic | ISM Guidelines & Control IDs | Key Controls |
|---|---|---|---|
| 001 Isolation | Application isolation | Guidelines for Networking (ISM-1182, ISM-0535, ISM-1277, ISM-1517) | Network segmentation, micro-segmentation, preventing bypass of controls |
| 002 Workloads | Cloud workloads | Cloud Computing Security (ISM-1588, ISM-1589, ISM-1452, ISM-0499) | Cloud security assessment, multi-tenant isolation, virtualisation hardening |
| 004 CI/CD | Build and release | Guidelines for Software Development (ISM-1256, ISM-0400, ISM-1419, ISM-2032) | Secure development lifecycle, environment segregation, automated testing |
| 005 Secrets | Secrets management | Guidelines for Cryptography (ISM-0507, ISM-0488, ISM-0518, ISM-1090) | Key management, secure storage of secrets, key rotation |
| 007 Logging | Security logging | Guidelines for System Monitoring (ISM-0580, ISM-1405, ISM-1985, ISM-0988) | Event logging policy, centralised logging, log protection, time synchronisation |
| 008 Email Auth | Email authentication | Guidelines for Email (ISM-0574, ISM-1151, ISM-1540, ISM-0259) | SPF, DKIM, DMARC, email encryption |
| 010 IaC | Infrastructure as code | Guidelines for System Hardening (ISM-1211, ISM-1409, ISM-1383) | Configuration management, automated deployment, drift detection |
| 011 AI Governance | AI tool governance | Guidelines for Software Development (ISM-2074, ISM-1755, ISM-0226) | AI usage policy, supply chain risk management, software assessment |
| 012 Privileged Access | Privileged access | Guidelines for System Management (ISM-1175, ISM-1507, ISM-1483, ISM-1173) | Restricting privileged access, JIT access, jump servers, MFA for admins |
| 013 Identity | Identity federation | Guidelines for Personnel Security (ISM-0418, ISM-1173, ISM-1420, ISM-1505) | Authentication, MFA, federated identity trust, credential management |
| 016 Edge Protection | WAF and CDN | Guidelines for Gateways (ISM-1192, ISM-1262, ISM-1460) | Web application firewalls, traffic inspection, DDoS protection |
WA Government Cyber Security Policy (WA CSP)
The 2024 WA Government Cyber Security Policy defines baseline cyber security requirements for WA Government entities.
| ADR | WA CSP Requirement | Section |
|---|---|---|
| 001 Isolation | Cyber security context & risk management | 2.1, 2.2 |
| 002 Workloads | Supply chain risk, data offshoring | 2.3, 1.5 |
| 005 Secrets | Information security (Cryptography) | 3.1 |
| 006 Policy Enforcement | Cyber security governance | 1.4 |
| 007 Logging | Continuous monitoring | 4.2 |
| 011 AI Governance | Supply chain risk management | 2.3 |
| 012 Privileged Access | Identity and access management | 3.6 |
| 013 Identity | Identity and access management | 3.6 |
Implementation Guidance:
- 1.1 Accountable Authority - See Policy Implementation section
- 1.3 Cyber Security Operations - WA SOC Guidelines
WA Government AI Policy
The WA Government AI Policy and Assurance Framework requires AI Accountable Officers and self-assessments for AI projects.
| ADR | WA AI Policy Requirement |
|---|---|
| 011 AI Governance | AI Accountable Officer, AI Assurance Framework self-assessment |
| 015 Data Governance | Data quality validation for AI systems |
Key Requirements:
- Nominate: AI Accountable Officer per entity
- Assess: Complete AI Assurance Framework self-assessment (downloadable template available on policy page)
- Submit: Refer high-risk projects (or >$5M) to the Office of Digital Government
Privacy and Responsible Information Sharing (PRIS)
The Privacy and Responsible Information Sharing (PRIS) framework governs personal information handling and upcoming statutory requirements.
| ADR | PRIS Alignment |
|---|---|
| 007 Logging | Minimise PII in logs (Data Minimisation) |
| 013 Identity | Data minimisation, consent protocols |
| 015 Data Governance | Information classification, retention schedules |
Digital ID Act 2024 (Commonwealth)
The Digital ID Act 2024 establishes privacy safeguards for the Australian Government Digital ID System (AGDIS).
| ADR | Digital ID Act Requirement |
|---|---|
| 013 Identity | Data minimisation (s15), no single identifiers (s16), voluntary participation (s18), biometric safeguards (Part 4) |
Key Privacy Safeguards:
- Prohibit collection beyond identity verification requirements
- Prevent tracking across services using persistent identifiers
- Users cannot be required to create a Digital ID for service access (voluntary)
- Strict restrictions on collection, use, and disclosure of biometric information
Additional Resources
- ACSC Essential Eight
- WA SOC Cyber Security Guidelines
- WA Government Cyber Security Policy - includes Data Offshoring Position
- National Framework for AI Assurance in Government