Template details
Step 1 — Classification
Step 2 — Scope
Tick every ISM Guideline that is in scope for this assessment. Pre-ticked Guidelines apply to nearly every system — untick any that genuinely do not apply and provide a justification. All controls under an unticked Guideline will be marked Not Applicable.
Step 3 — Generate
Controls are marked Not Applicable based on your classification and scope selections. All other controls remain as Not Assessed. The Principles tab is not updated.
About this tool
How this tool works
Load a blank ASD SSP-A template (bundled or your own upload), select your system classification and assessment scope, then download. The tool writes Not Applicable and a standard justification into every control excluded by your classification or scope. The implementation status of all other ISM controls remains as Not Assessed — for you or the IRAP assessor to update manually.
1. Inputs
- SSP-A template: bundled (current quarter, auto-fetched) or your own ASD template
- Classification: NC / OFFICIAL: Sensitive / PROTECTED / SECRET / TOP SECRET
- Scope: which of the 22 ISM Guidelines apply to the assessed system
2. Process
- Classification check: any control where the applicability column for your classification is "No" is marked Not Applicable
- Scope check: any control under an unticked Guideline is marked Not Applicable; classification takes precedence where both apply
- Comment written: a standard justification sentence is added to the Comments column for each marked control
3. Outputs
- Pre-populated SSP-A (.xlsx): Updated spreadsheet with Not Applicable and justification added; all other ISM controls remain as Not Assessed without any comment
- Principles sheet: not updated; all principles always apply
- Info sheet: not updated; unfortunately, the tool can't always retain the format of the original file
What this tool does not do
This tool attempts to discern which ISM controls are not applicable to the assessed system. However, it cannot determine whether a control is genuinely applicable or not. You and the assessor still need to:
- Assess every remaining control and record whether it is Implemented, Partially Implemented, Planned, or Not Implemented
- Verify that every Not Applicable decision made here is defensible in the context of the actual system
- Complete the Principles sheet/tab; it is not modified by this tool
- Review and adjust scope or classification selections before finalising the SSP-A
Classification and scope selections are guiding principles — the outputs of this tool are starting points, not conclusions.
Assumptions the tool makes about the template
| Assumption | What goes wrong if untrue |
|---|---|
| The template follows the ASD SSP-A structure — a spreadsheet with ISM-XXXX identifiers and NC / OS / P / S / TS applicability columns. | Column detection fails and the download button shows an error rather than producing an incorrect file. |
| Guideline names in the template match the names shown in the scope checklist exactly. | Controls under mismatched Guideline names will not be marked Not Applicable even if the Guideline is unticked. |
| The template is blank — Implementation column values are "Not Assessed". | Any cells already containing assessment decisions will be overwritten where a classification or scope exclusion applies. |
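The classification check, scope check and precedence rule from the Process list, together with the two template assumptions that fail silently (Guideline name mismatch and a non-blank template), as an added example that is not the tool's own code. The row shape, the comment wording, the `ISM-9xxx` identifiers and the "Guideline A/B" names are constructed assumptions.

```javascript
// Added example. Field names, comment wording and all rows are constructed.
const COLS = ["NC", "OS", "P", "S", "TS"]; // applicability columns named on the page

function markNotApplicable(rows, classCol, checklist) {
  if (!COLS.includes(classCol)) throw new Error("unknown classification column: " + classCol);
  const warnings = [];
  const marked = rows.map(row => {
    const r = { ...row };
    // A Guideline name absent from the checklist can never be unticked, so
    // its controls silently stay in scope: surface the mismatch.
    if (!checklist.has(r.guideline)) warnings.push(`${r.id}: unknown guideline "${r.guideline}"`);
    let reason = null;
    if (r.applies[classCol] === "No") {
      reason = `not applicable at classification ${classCol}`; // classification takes precedence
    } else if (checklist.get(r.guideline) === false) {
      reason = `guideline "${r.guideline}" is out of scope`;
    }
    if (reason) {
      // The template is assumed blank; report any decision about to be overwritten.
      if (r.status !== "Not Assessed") warnings.push(`${r.id}: overwrote "${r.status}"`);
      r.status = "Not Applicable";
      r.comment = `Not Applicable: ${reason}.`;
    }
    return r;
  });
  return { rows: marked, warnings };
}

const applies = p => ({ NC: "Yes", OS: "Yes", P: p, S: "Yes", TS: "Yes" });
const checklist = new Map([["Guideline A", true], ["Guideline B", false]]); // name -> ticked
const template = [
  { id: "ISM-9001", guideline: "Guideline A", applies: applies("Yes"), status: "Not Assessed" },
  { id: "ISM-9002", guideline: "Guideline A", applies: applies("No"), status: "Not Assessed" },
  { id: "ISM-9003", guideline: "Guideline B", applies: applies("No"), status: "Not Assessed" },
  { id: "ISM-9004", guideline: "Guideline B", applies: applies("Yes"), status: "Implemented" },
  { id: "ISM-9005", guideline: "Guideline B ", applies: applies("Yes"), status: "Not Assessed" },
];
const result = markNotApplicable(template, "P", checklist);
console.log(result.rows.map(r => `${r.id} ${r.status}`), result.warnings);
```

The last row carries a trailing space in its Guideline name, so it stays Not Assessed even though "Guideline B" is unticked; the warning list is what a reviewer would check before trusting the output.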
Disclaimer and limitation of liability
This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. Every Not Applicable decision produced by this tool must be reviewed and confirmed against the actual system under assessment. You remain solely responsible for the accuracy and defensibility of all Not Applicable determinations and for ensuring the final SSP-A meets your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.
Security and transparency
This tool is a single HTML file with no server component, no backend, and no account or login requirement. Everything runs in your browser.
- No data leaves your machine. Your SSP-A template and all selections are processed entirely in-browser. Nothing is transmitted to any server — not even Cybernion’s. The pre-loaded SSP-A template is fetched from a static file host at startup; no other network calls are made.
- Third-party libraries. Two open-source JavaScript libraries are loaded at startup: xlsx-js-style v1.2.0 (Excel read/write) from jsDelivr, and PDF.js v3.11.174 (PDF parsing) from Cloudflare CDN. Both are pinned to exact versions with Subresource Integrity (SRI) hashes, so your browser will refuse to run them if the CDN serves a modified file.
- Vulnerability scanning. This HTML tool and both JavaScript libraries were scanned against public vulnerability databases prior to release. No known vulnerabilities were identified at the versions pinned above.
- Static resource review. The tool and its bundled assets were reviewed as static resources prior to publication. No active content, no dynamic code evaluation, and no third-party tracking scripts are present.
- Source transparency. The full source of this tool is contained in this single HTML file. You can inspect it at any time in your browser’s developer tools or by opening the file in a text editor.
- Bundled file integrity. Each time the tool loads, it computes a SHA-256 hash of the bundled SSP-A template in your browser and compares it against a known-good hash embedded in the HTML at release time. A “Verified” result confirms the file served to you is byte-for-byte identical to the file tested by Cybernion. A mismatch is flagged visibly. The expected hashes are updated in the source with each quarterly release.
If you identify a security concern, please Contact Us.
Licence and attribution
© 2026 Cybernion. All rights reserved. This tool is provided free of charge for use by security practitioners. No part of this tool may be reproduced, redistributed, or used to create derivative works without prior written permission from Cybernion. “ISM”, “IRAP” and related terms refer to work published by the Australian Signals Directorate / ACSC. This tool is an independent utility and is not endorsed by, affiliated with, or sponsored by ASD, ACSC or the Australian Government.
Review details
Change register
Quarterly themes and cross-validation notes
Browser preview of your Change Register. Use the download buttons above to save a local copy.
| ISM ID | Change | Guideline / Function | Topic | Applicability | Old vs. new ISM requirement | Baseline implementation status | Applicable |
|---|---|---|---|---|---|---|---|
About this tool
How this tool works
Upload your SSP-A or CCM — the tool compares it against the current-quarter CCM (pre-loaded from the server) and fills in the parts of the review that can be determined mechanically, so the reviewer can focus on the judgement calls.
1. Inputs
- Your SSP-A or CCM — uploaded by you as the baseline
- Current-quarter CCM — pre-loaded automatically
- ISM Changes PDF — pre-loaded automatically
2. Process
- Detect quarters from sheet names or column fingerprints
- Diff IDs → New / Modified / Rescinded (Modified means the requirement wording changed; applicability and E8 drift are surfaced separately)
- Enrich each row with baseline scoping
- Pre-fill In-scope + Triage (rules below)
3. Outputs
- Dashboard — filter and search the delta in your browser
- Change Register (.xlsx) — Summary, Controls, Principles, Methodology, E8 Snapshot
- Updated SSP-A or CCM (.xlsx) — baseline with your triage applied
- Stakeholder note + share summary
Assumptions the tool makes about the inputs
The delta and pre-fills rest on a few assumptions about how your baseline file and the CCM are structured. If any are untrue the output will still look plausible but won't be trustworthy — worth a glance before you upload.
| Assumption | What goes wrong if it’s untrue |
|---|---|
| The SSP-A lists every ISM control in force when it was last finalised, including rows marked Not Applicable. | If Not-Applicable rows were deleted instead of marked NA, they reappear in the current CCM and get counted as New. |
| Control identifiers are stable across quarters unless ASD rescinds and re-issues. | A rename surfaces as one Rescinded + one New item. Likely pairs are flagged as hints but not auto-linked. |
| Material updates to a control change its description text (not just its applicability labels). | Applicability-only changes aren’t flagged as Modified. The applicability-drift HINT catches them separately. |
| The scope of the system and ISM Guidelines has not changed materially since the last SSP-A was finalised. | Pre-fills come straight from the baseline file. After an architectural change, pre-filled Not-Applicable decisions may be stale. |
| Essential Eight maturity lives in the CCM’s ML1 / ML2 / ML3 columns. | If ASD restructures those columns the E8 snapshot populates as empty. The startup self-test catches gross drift. |
Pre-fill rules (applied to the downloaded Change Register)
| Priority | Trigger condition | In scope | Triage | Applies to |
|---|---|---|---|---|
| 1 | Every control under a Guideline is marked Not Applicable in the baseline file | No | No Action | New and Modified |
| 2 | This specific row is marked Not Applicable in the baseline file | No | No Action (mod only) | Modified and Rescinded |
| 3 | Row exists in baseline and is not flagged out-of-scope | Yes | blank — reviewer decides | Modified and Rescinded |
| — | Brand-new control with no baseline entry and rule 1 doesn't apply | blank | blank | New |
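The ID diff from the Process list combined with the pre-fill priorities in the table above, as an added example that is not the tool's own code. The row shape, the `ISM-9xxx` identifiers and the guideline names are constructed, and reading "(mod only)" as "No Action is pre-filled only for Modified rows" is an assumption.

```javascript
// Added example. Row shape {id, guideline, text, status} and all rows are constructed.
function prefill(change, row, base, allNa) {
  const e = { id: row.id, change, inScope: "", triage: "" };
  if (change !== "Rescinded" && allNa.get(row.guideline) === true) {
    e.inScope = "No"; e.triage = "No Action";            // priority 1: New and Modified
  } else if (base && base.status === "Not Applicable") {
    e.inScope = "No";                                    // priority 2: Modified and Rescinded
    if (change === "Modified") e.triage = "No Action";   // assumed reading of "(mod only)"
  } else if (base) {
    e.inScope = "Yes";                                   // priority 3: triage left to reviewer
  }
  return e;                                              // last table row: New stays blank
}

function buildRegister(baseline, current) {
  const base = new Map(baseline.map(r => [r.id, r]));
  const currentIds = new Set(current.map(r => r.id));
  const allNa = new Map(); // guideline -> every baseline control is Not Applicable
  for (const r of baseline) {
    allNa.set(r.guideline, (allNa.get(r.guideline) ?? true) && r.status === "Not Applicable");
  }
  const register = [];
  for (const r of current) {
    const b = base.get(r.id);
    if (b && b.text === r.text) continue;                // wording unchanged: not in the delta
    register.push(prefill(b ? "Modified" : "New", r, b, allNa));
  }
  for (const b of baseline) {
    if (!currentIds.has(b.id)) register.push(prefill("Rescinded", b, b, allNa));
  }
  return register;
}

const row = (id, guideline, text, status) => ({ id, guideline, text, status });
const baselineRows = [
  row("ISM-9001", "Guideline A", "a", "Implemented"),
  row("ISM-9002", "Guideline A", "b", "Not Applicable"),
  row("ISM-9003", "Guideline B", "c", "Not Applicable"),
  row("ISM-9004", "Guideline B", "d", "Not Applicable"),
];
const currentRows = [
  row("ISM-9001", "Guideline A", "a, reworded"),
  row("ISM-9002", "Guideline A", "b, reworded"),
  row("ISM-9003", "Guideline B", "c"),
  row("ISM-9006", "Guideline B", "new in B"),
  row("ISM-9007", "Guideline A", "new in A"),
];
const register = buildRegister(baselineRows, currentRows);
console.log(register);
```

ISM-9006 is pre-filled out of scope purely because every baseline control under its Guideline was Not Applicable, which is the stale-decision case the assumptions table warns about after an architectural change.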
Known limitations and edge cases
- Column layout assumptions. The tool assumes the CCM and SSP-A use the column headers in use at the time of publication (Identifier, Revision, Updated, Guideline, Topic, Provider Responsibility, Implementation Status, etc.). If ASD restructures the CCM, you may need to tweak the code — spot-check a few rows the first time you use it against a new quarter's release.
- Sheet name convention. The tool first tries to match sheets named "Controls…" or "Principles…". If no match is found it falls back to scanning column headers for "Identifier" + "Guideline" (controls) or "Identifier" + "Function" (principles). If neither pass finds a sheet, the file will be rejected.
- Rescission + re-issue. Occasionally ASD retires one ISM identifier and reintroduces the same requirement under a new identifier. The tool will flag the old ID as Rescinded and the new ID as New but will not connect them — the reviewer has to spot these pairs manually.
- Pre-fill heuristics are typical-case. The guideline-level out-of-scope rule reflects how most SSP-As are structured, but unusual ones (multi-tenant, hybrid, federal-vs-state splits) may need the pre-fills overridden more often. Sanity-check at least one guideline you expect to be in scope before trusting the register.
- Essential Eight flagging. The Essential 8 Maturity Level column is populated from the CCM's ML1/ML2/ML3 columns. Controls that do not map to Essential 8 are shown as "None".
- Info and Pivot tabs are dropped. If your baseline file has an Info / Information tab or a Pivot tab, the Updated baseline export drops them. Info tabs do not round-trip cleanly through the xlsx library; Pivot tabs would show baseline-quarter counts against the new controls. Re-create the pivot against the Updated baseline in Excel (Insert → PivotTable). Other user sheets and hidden sheets still pass through untouched.
- Freeze panes are not preserved. The underlying library (xlsx-js-style) does not write frozen rows. Apply it manually in Excel after download (View → Freeze Top Row).
- Sensitivity labels (MIP / AIP) and DRM. Real-world SSP-As are often protected with Microsoft Purview / Azure Information Protection labels, Microsoft Information Protection encryption, or third-party DRM. The tool can only parse an unprotected `.xlsx` — if the file is labelled or encrypted, the browser `FileReader` returns ciphertext and the parse will fail with a cryptic error. Before uploading, open your SSP-A in Excel, remove the sensitivity label (or downgrade it to an unprotected equivalent) and save a fresh copy, then feed that copy to the tool. Re-apply the label on your original after the review. Because processing is entirely client-side, the unlabelled copy never leaves your machine.
- Password-protected or macro-enabled workbooks. Password-protected `.xlsx`, `.xlsm` and `.xlsb` files are not supported — remove the password or convert to a plain `.xlsx` before uploading.
Disclaimer and limitation of liability
This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. You remain solely responsible for reviewing each change, confirming every pre-fill, and ensuring the final artefacts meet your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.
Security and transparency
This tool is a single HTML file with no server component, no backend, and no account or login requirement. Everything runs in your browser.
- No data leaves your machine. Your SSP-A, CCM, and all inputs are processed entirely in-browser. Nothing is transmitted to any server — not even Cybernion’s. The pre-loaded CCM and ISM Changes PDF are fetched from a static file host at startup; no other network calls are made.
- Third-party libraries. Two open-source JavaScript libraries are loaded at startup: xlsx-js-style v1.2.0 (Excel read/write) from jsDelivr, and PDF.js v3.11.174 (PDF parsing) from Cloudflare CDN. Both are pinned to exact versions with Subresource Integrity (SRI) hashes, so your browser will refuse to run them if the CDN serves a modified file.
- Vulnerability scanning. This HTML tool and both JavaScript libraries were scanned against public vulnerability databases prior to release. No known vulnerabilities were identified at the versions pinned above.
- Static resource review. The tool and its bundled assets were reviewed as static resources prior to publication. No active content, no dynamic code evaluation, and no third-party tracking scripts are present.
- Source transparency. The full source of this tool is contained in this single HTML file. You can inspect it at any time in your browser’s developer tools or by opening the file in a text editor.
- Bundled file integrity. Each time the tool loads, it computes SHA-256 hashes of the bundled CCM and ISM Changes PDF in your browser and compares them against known-good hashes embedded in the HTML at release time. A “Verified” result confirms the files served to you are byte-for-byte identical to the files tested by Cybernion. A mismatch is flagged visibly. The expected hashes are updated in the source with each quarterly release.
If you identify a security concern, please Contact Us.
Licence and attribution
© 2026 Cybernion. All rights reserved. This tool is provided free of charge for use by security practitioners. No part of this tool may be reproduced, redistributed, or used to create derivative works without prior written permission from Cybernion. “ISM”, “Cloud Controls Matrix”, “Essential Eight”, “IRAP” and related terms refer to work published by the Australian Signals Directorate / ACSC. This tool is an independent utility and is not endorsed by, affiliated with, or sponsored by ASD, ACSC or the Australian Government.