https://www.cyberoxide.com/blog/exploring-the-origins-and-significance-of-the-essential-8
(DSD became ASD, but the ISM goes back at least as far as 2009)
ASD first published its list of 35 controls as “Strategies to Mitigate Targeted Cyber Intrusions” in 2010, based on its experience in responding to cyber security incidents. The strategies were updated in 2012 and 2014. In 2011, the ASD found that the Top Four controls, when properly implemented, effectively mitigate 85% of targeted cyber attacks.
The revised documents present 37 controls as mitigation strategies against a list of six threats and expand the Top Four controls to the Essential Eight. The strategies have been updated to address changes to the threat landscape, current attack patterns, and defensive technologies and capabilities, so that they cover a wider threat range than just “targeted attacks”.
The Strategies to Mitigate Cyber Security Incidents was a document created by the Australian Signals Directorate (ASD). The document had a list of 37 strategies that Australian Government Agencies must or should implement to reduce the risk of targeted cyber intrusions. The list was informed by ASD’s experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian Government Agencies.
The list is ranked according to each strategy’s effectiveness in preventing targeted cyber intrusions. Control number one is the most effective and control 35 is the least effective.
As a result, there was great emphasis placed on the top 4 strategies in the document. The ASD stated “While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 Strategies remains very high. At least 85% of intrusion techniques that ASD responds to involve adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package”.
The Top 4 mitigations were:
In 2017, the Prime Minister at the time, Malcolm Turnbull, released the unclassified version of the 2017 Independent Intelligence Review, which made recommendations for the reorganisation of intelligence agencies in Australia. One of the recommendations was that the ACSC should become part of ASD. This recommendation was implemented through the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, which was passed into law in April 2018. As a result, the ACSC is now part of ASD and the two agencies work closely together to protect Australia's cyber security interests.
Essential Eight (Top 4 plus these 4 New Ones)
(2017) The ASD has also revised its listing of mitigation strategies – five strategies comprising 37 mitigation controls. These are not just technical steps but involve the whole organization in modifying behaviour.
(2017) They have now been escalated to "essential" status, but do not become mandatory until - and if - the government decides to include them alongside the existing top four in its protective security policy framework (PSPF). → this mandate came in 2022
ASD is shifting to a broader, principles-based ‘Essentials’ series, evolving the existing Essential Eight to the Essentials for enterprise IT. The evolved framework moves away from requiring prescriptive technical controls, and instead provides a series of cyber security principles, with respective implementation approaches to address these principles.
The proposed framework has been designed around five structural shifts:
Each mitigation strategy under the Essential Eight maturity model can be mapped to at least one cyber security principle in the Essentials for enterprise IT. In most cases, a mitigation strategy maps to a cyber security principle that is broader in scope, meaning existing controls contribute to, but may not fully satisfy, the corresponding implementation approaches.