AWS Public Sector Blog
Accelerate your Information Security Manual (ISM) compliance with AWS Managed Services (AMS)
The Australian Government’s Information Security Manual (ISM) is a framework produced by the Australian Cyber Security Centre (ACSC) that defines cybersecurity standards for Australian organizations. Although some organizations must apply the controls defined by the framework, the artifacts are relevant to all organizations wishing to improve their overall cybersecurity posture and resilience.
Amazon Web Services (AWS) customers—particularly those in the Australian public sector—engage with their AWS account team, seeking guidance on how to implement the principles, functions, and controls described in ISM. Although AWS has published guidance on this topic, managing cyber risk remains a challenging task for many organizations. To succeed, you must hire, develop, and retain talent in a competitive labor market, procure and configure tools and technology capabilities to assess and manage cyber risk, establish processes and procedures, and champion a culture of security broadly throughout the organization. This is often a multiyear journey, and after it’s established, requires ongoing uplift.
To help you accelerate your compliance journey and improve your security posture, AWS Support offers AWS Managed Services (AMS). AMS is a support offering that provides hands-on infrastructure and security operations within your AWS environments. Rather than building these capabilities from scratch, AMS augments your existing capabilities with a team of security operations engineers, a library of automated incident response capabilities, and runbooks to deliver an end-to-end operational solution around the clock. In this post, we explore how AMS security operations capabilities complement your existing teams and processes to accelerate your ISM compliance and optimize your cloud security posture overall.
ISM fundamentals
The ISM provides strategic guidance on protecting organizational assets from cyber threats through a comprehensive risk management approach with six steps (define the system, select controls, implement controls, assess controls, authorize the system, and monitor the system). ISM defines six cybersecurity principles (govern, identify, protect, detect, respond, and recover). Finally, it provides a comprehensive set of guidelines that span people, processes, and technology across multiple domains (such as communications infrastructure, enterprise mobility, and cryptography) and functional areas (such as physical security, cybersecurity roles, procurement, and outsourcing). Each set of guidelines details a list of applicable controls.
ISM’s risk management approach draws from NIST Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations, ensuring consistency with internationally recognized cybersecurity practices. When adopting ISM controls, organizations can use existing NIST-based implementations. For organizations working across multiple compliance frameworks or operating internationally, meeting ISM requirements provides a strong foundation for implementing the NIST Cybersecurity Framework (CSF) 2.0 because both frameworks share the same six core principles.
The following graphic illustrates the workflow of the six ISM cybersecurity principles.
How AMS accelerates ISM compliance
AWS customers choose AMS so that they can focus on security tasks that differentiate their organization while AMS handles operational security. In this section, we explain how AMS Security Management capabilities align with ISM’s six cybersecurity principles.
Govern: Develop and maintain a strong and resilient cybersecurity culture
AMS addresses the critical governance challenge of cybersecurity resourcing. Rather than competing for scarce security talent, you gain immediate access to a round-the-clock team of security operations engineers and incident responders. You can maintain continuous security operations without the multiyear effort of building these capabilities internally. Each AMS customer is assigned a designated cloud service delivery manager (CSDM) and cloud architect (CA) who act as trusted advisors, advocating for security best practices and collaborating with your internal teams to strengthen your organization’s security posture.
The CSDM is accountable for the performance of all AMS capabilities and provides dashboards and reporting to your security leaders so they have visibility into the cybersecurity position and accountability at all organizational levels. For example, AMS performs operating system patching, and the CSDM delivers patch compliance reports attesting that patching meets your standards. The CSDM collaborates with your security, platform, and engineering teams to establish effective patching practices. When patching lapses occur, the CSDM escalates hierarchically within your organization until patching resumes or your risk management framework takes over. This reporting and escalation culture extends to the AMS backup and restore capabilities and the security compliance monitoring and remediation.
To reinforce security culture, AMS conducts Security Gamedays and Operational Gamedays with you. These events test real-world scenarios, which helps teams practice and fully understand processes such as security incident response. Where gaps in knowledge, capacity, capability, or processes emerge, the CSDM works with you or AMS internal teams to close them.
AMS operates a Customer Security Risk Management (CSRM) process that requires formal risk acceptance from customers for changes that introduce high or very high security risks, such as modifications to AWS Identity and Access Management (IAM) policies, network security configurations, or logging infrastructure. This process integrates AMS security risk management activities into your organizational risk management framework, with clear documentation and approval workflows for risk acceptance decisions.
These AMS capabilities directly support key ISM govern principles, including security risk management (GOV-03), cybersecurity resourcing (GOV-04), security risk communication (GOV-06), and security risk insights (GOV-07).
Identify: Identify assets and associated risks
AMS establishes comprehensive visibility into your AWS environment from day one. During onboarding, AMS configures AWS Systems Manager, which underpins inventory collection and reporting of your infrastructure, operating systems, and packages installed on Amazon Elastic Compute Cloud (Amazon EC2) instances. This inventory supports incident operations, patching workflows, and compliance reporting, providing continuous visibility into assets in your environment.
AMS deploys 96 AWS Config rules aligned with industry frameworks, including Center for Internet Security (CIS), National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS). To learn more, visit the AMS Accelerate User Guide. These rules continually monitor your resource configurations and identify critical security risks such as publicly accessible Amazon Simple Storage Service (Amazon S3) buckets, overly permissive security groups, and Amazon Relational Database Service (Amazon RDS) resources with public IP addresses. The CSDM collaborates with you to review compliance findings and prioritize remediation using a rotating critical risk prioritization strategy, focusing efforts on the most critical security gaps while maintaining business operations.
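The kind of configuration check described above, as an added example that is not AMS's or AWS Config's own rule logic: a Python evaluator that runs offline over a constructed snapshot and flags the three risk types named in the paragraph. The snapshot layout, the `ADMIN_PORTS` choice, and all resource names are assumptions; the per-resource field names follow the EC2, S3, and RDS API responses.

```python
# Added illustration: offline checks in the spirit of configuration compliance rules.
# Per-resource field names follow the EC2, S3 and RDS API response shapes.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # assumption: SSH and RDP are the ports treated as sensitive

def open_admin_ports(group):
    """Return the admin ports a security group exposes to the whole internet."""
    exposed = set()
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & OPEN_CIDRS:
            continue
        if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
            exposed |= ADMIN_PORTS
        elif perm.get("IpProtocol") == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(exposed)

def bucket_blocks_public_access(block_cfg):
    """True only when all four S3 Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return block_cfg is not None and all(block_cfg.get(k) is True for k in keys)

def evaluate(snapshot):
    """Return sorted (resource_id, finding) tuples for non-compliant resources."""
    findings = []
    for sg in snapshot.get("SecurityGroups", []):
        ports = open_admin_ports(sg)
        if ports:
            findings.append((sg["GroupId"], f"admin ports open to internet: {ports}"))
    for name, cfg in snapshot.get("Buckets", {}).items():
        if not bucket_blocks_public_access(cfg):
            findings.append((name, "S3 Block Public Access not fully enabled"))
    for db in snapshot.get("DBInstances", []):
        if db.get("PubliclyAccessible"):
            findings.append((db["DBInstanceIdentifier"], "RDS instance publicly accessible"))
    return sorted(findings)

SAMPLE = {  # constructed sample data, not output from a real account
    "SecurityGroups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
    "Buckets": {"logs-example": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
                "assets-example": None},  # None: no Block Public Access configuration set
    "DBInstances": [{"DBInstanceIdentifier": "db-example", "PubliclyAccessible": True}],
}

if __name__ == "__main__":
    print(*evaluate(SAMPLE), sep="\n")
```

The HTTPS-only group and the fully locked-down bucket pass; the port range that silently includes SSH is the case a quick manual review tends to miss.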
To support business criticality identification, AMS uses resource tagging to drive managed services behavior throughout your environment. You can use tags to classify workloads by criticality, which AMS then uses to apply appropriate operational controls. For example, tags determine which level of AWS Backup backup plan is applied to your workloads, with AMS offering a library of backup plans aligned to different recovery time objectives (RTOs) and recovery point objectives (RPOs). During onboarding, AMS customers flag critical workloads for onboarding to the Incident Detection and Response service, supporting operational focus and aligning response priorities with business priorities.
These AMS capabilities directly support the key ISM identify principles, including asset identification (IDE-01), business criticality identification (IDE-02), and security risk identification (IDE-04).
Protect: Implement and maintain controls to manage security risks
After you’ve identified your assets and associated risks, the next step is implementing controls to continually secure your AWS resources. This requires both secure configurations and systematic remediation processes. AMS onboarding establishes automation and processes designed to protect your resources and maintain compliance with security requirements.
AMS uses several automated tools to keep your configurations secure. The 96 AWS Config rules catch configuration drift, and AMS Trusted Remediator automatically fixes issues flagged by AWS Trusted Advisor and AWS Compute Optimizer. AMS also deploys the AMS Accelerate patching system to patch your instances with an automated and systematic approach to remediate operating system vulnerabilities. All remediation actions, whether automated or manual, flow through the CSRM process described earlier, requiring customer approval for changes and maintaining full audit trails through ticketing and logging systems.
AMS engineers use least-privilege access with just-in-time provisioning activated only when responding to customer requests or automated alarms. All access to EC2 instances uses Session Manager, a capability of AWS Systems Manager, providing secure, auditable access without requiring SSH keys or bastion hosts. All administrative actions are logged and audited, with highly privileged operations restricted to select tenured engineers at each AMS operations site. AMS cloud architects can run IAM Access Analyzer reports and work with you to identify access risks and remediation options, supporting least-privilege principles across your environment.
AMS monitors backup operations, investigating and reporting on backup failures. Backup schedules and retention are configured according to your requirements, and AMS can conduct backup restoration testing during Gamedays through AMS Operations on Demand to validate recovery capabilities.
For evolving compliance requirements, Operations on Demand can help you deploy and remediate additional AWS Config rules required for ISM compliance, providing flexibility as your security needs mature.
These AMS capabilities directly support key ISM protect principles, including attack surface reduction (PRO-04), secure administration (PRO-05), vulnerability management (PRO-06), regular proven backups (PRO-10), least privilege access (PRO-12), and robust access control (PRO-13).
Detect: Detect and analyze cybersecurity events to identify cybersecurity incidents
After protection mechanisms are in place, detecting anomalies and triggering responsive actions is the next critical step. When AMS onboards to your environment, it’s common for the CSDM to observe that you’ve enabled AWS security capabilities but haven’t built an operating model, including people and runbooks, to respond to findings effectively.
AMS establishes centralized event logging by confirming that AWS CloudTrail, AWS Config, and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs remain enabled throughout your environment. Security-relevant event logs, configuration changes, and network traffic metadata are centrally collected and stored securely in S3 buckets or Amazon CloudWatch Logs based on your preference. This foundation provides continuous security monitoring and ongoing asset discovery and risk identification as your environment evolves. AMS can also enable Amazon Route 53 Resolver DNS Firewall to provide visibility into DNS queries and block access to known malicious domains.
AMS enables and monitors Amazon GuardDuty, a threat detection service from AWS that uses AI and machine learning (ML) to continually monitor your AWS environment for security threats, including analysis of Flow Logs and DNS logs. When GuardDuty detects security anomalies, it issues findings that require analysis to determine whether they represent false alarms or genuine threats. AMS can also enable Amazon Macie to detect sensitive data and data security risks. The round-the-clock AMS security operations team augments your mechanisms and teams to analyze GuardDuty and Macie findings, perform triage, and trigger security incidents when threats are identified. When findings require investigation beyond automated response, the AMS security operations team works with your security team on issue resolution, analyzing cybersecurity events in a timely manner and escalating them appropriately.
These AMS capabilities directly support key ISM detect principles, including centralized event logging (DET-01), cybersecurity event detection (DET-02), and cybersecurity incident identification (DET-03).
Respond: Respond to cybersecurity incidents
A well-defined security incident response that clearly prescribes the roles and responsibilities of various teams along with prescriptive guidance is key to containing and resolving security issues after they’re detected. AMS security incident response aligns with the NIST 800-61 Computer Security Incident Handling Guide, which underpins ISM’s incident response requirements. The following diagram illustrates the incident response life cycle, including the eight sequential phases of prepare, detect, analyze, contain, eradicate, recover, report, and remediate.
AMS prepares for incident response through Security and Operational Gamedays that test real-world scenarios with your teams so that incident response processes are well understood and practiced before actual incidents occur. These exercises validate that roles, responsibilities, and communication channels are clearly defined and effective.
Throughout the incident lifecycle, AMS communicates with your security team through voice calls for critical incidents and the ticketing system for ongoing updates. The AMS team performs data collection, triages and analyzes findings, informs you of the analysis, conducts investigation and containment activities, and provides post-event analysis. AMS works with your security team to determine the correct course of action dynamically so the right outcome occurs.
When detection identifies and generates a security alert or you request security assistance, the AMS security operations team responds. An essential part of response is containment with effective decision-making: for example, whether to shut down a system, isolate a resource from the network, turn off access, or end sessions. These decisions are easier to make if there are predetermined strategies and procedures to contain the incident. AMS provides the containment strategy and then implements the solution after you've considered the risk involved with implementing the containment actions. To contain impacted resources, AMS executes automated containment actions to isolate compromised resources while preserving evidence for forensic analysis. When a threat is detected, AMS can automatically isolate affected resources. For example, it can block a compromised IAM user from accessing resources, lock down an S3 bucket, or cut network access to an EC2 instance and preserve the evidence for investigation.
These AMS capabilities directly support key ISM respond principles, including cybersecurity incident planning (RES-01), cybersecurity incident reporting (RES-02), and cybersecurity incident response (RES-03).
Recover: Resume normal business operations following cybersecurity incidents
Following incident containment, AMS works with you to restore systems to normal operations and to define strategies that reduce the likelihood of recurrence. As an infrastructure service provider, AMS focuses on infrastructure recovery: restoring resources such as EC2 instances, databases, and storage from backups, validating that infrastructure components are operational, and confirming that network connectivity is restored. Application-level validation and business process resumption remain the customer's responsibility, with AMS providing the infrastructure foundation upon which normal business operations can resume.
After the incident, AMS runs an investigation review process and initiates a correction of error (COE) process to address procedural gaps and identify areas for improvement. The COE process helps AMS identify the contributing factors of customer-impacting events and connects those causes to actionable next steps that can prevent similar events from recurring. The process can also help mitigate the duration or level of impact. AMS works with you to continually improve the security investigation experience, helping translate lessons into tangible security enhancements.
Before resuming normal business operations, AMS works with your security team to assess (and treat, where required) residual security risks. Business operations resume when security posture has been validated and risks are treated.
These AMS capabilities directly support key ISM recover principles, including cybersecurity incident insights (RES-04) and business operations resumption (REC-01).
Conclusion
Achieving ISM compliance requires more than understanding the framework. It demands operational expertise, continuous monitoring, and rapid response capabilities that many organizations struggle to build and maintain in-house.
With AMS, Australian public sector organizations (and private organizations that are obliged to implement ISM) can take advantage of around-the-clock security expertise, automated compliance monitoring, and proven incident response capabilities without the multiyear investment in building these capabilities internally. This way, you can focus on mission-critical activities while AMS handles the operational complexity of maintaining a robust security baseline.
Ready to accelerate your ISM compliance journey? Contact your AWS account team to learn how AMS can support your security and cloud operations or visit the AWS Managed Services page to explore capabilities in detail.