Maximum file size: 5 MB (.xlsx only)
Select Applicable ISM Guidelines
Select every ISM Guideline that is in scope for this assessment. Pre-selected Guidelines apply to nearly every system — unselect any that genuinely do not apply and provide a justification. All controls under an unselected Guideline will be marked Not Applicable in the generated SSP-A.
Generate
Controls are marked Not Applicable based on your classification and scope selections. All other controls remain as Not Assessed. The Principles tab is not updated.
About the SSP-A Generator
About the SSP-A Generator
How this tool works
Select your system's information classification, load an SSP-A template (bundled or your own upload), then download. The tool writes Not Applicable and a standard justification into every control excluded by your classification or scope. The implementation status of all other ISM controls remains as Not Assessed — for you or the IRAP assessor to update manually.
1. Inputs
- SSP-A template: bundled (current quarter, auto-fetched) or your own ASD template
- Classification: NC / OFFICIAL: Sensitive / PROTECTED / SECRET / TOP SECRET
- Scope: which of the 22 ISM Guidelines apply to the assessed system
2. Process
- Classification check: any control where the applicability column for your classification is "No" is marked Not Applicable
- Scope check: any control under an unticked Guideline is marked Not Applicable; classification takes precedence where both apply
- Comment written: a standard justification sentence is added to the Comments column for each marked control
3. Outputs
- Pre-populated SSP-A (.xlsx): Updated spreadsheet with Not Applicable and justification added; all other ISM controls remain as Not Assessed without any comment
- Principles sheet: not updated; all principles always apply
- Info sheet: not updated; unfortunately, the tool can't always retain the format of the original file
What this tool does not do
This tool attempts to discern which ISM controls are not applicable to the assessed system. However, it cannot determine whether a control is genuinely applicable or not. You and the assessor still need to:
- Assess every remaining control and record whether it is Implemented, Partially Implemented, Planned, or Not Implemented
- Verify that every Not Applicable decision made here is defensible in the context of the actual system
- Complete the Principles sheet/tab; it is not updated by this tool
- Review and adjust scope or classification selections before finalising the SSP-A
Classification and scope selections are guiding principles — the outputs of this tool are starting points, not conclusions.
Assumptions the tool makes about the template
| Assumption | What goes wrong if untrue |
|---|---|
| The template follows the ASD SSP-A structure — a spreadsheet with ISM-XXXX identifiers and NC / OS / P / S / TS applicability columns. | Column detection fails and the download button shows an error rather than producing an incorrect file. |
| Guideline names in the template match the names shown in the scope checklist exactly. | Controls under mismatched Guideline names will not be marked Not Applicable even if the Guideline is unticked. |
| The template is blank — Implementation column values are "Not Assessed". | Any cells already containing assessment decisions will be overwritten where a classification or scope exclusion applies. |
Disclaimer and limitation of liability
This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. Every Not Applicable decision produced by this tool must be reviewed and confirmed against the actual system under assessment. You remain solely responsible for the accuracy and defensibility of all Not Applicable determinations and for ensuring the final SSP-A meets your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.
Security and transparency
This is a static, client-side web tool with no backend, no account, and no server-side processing. The HTML file contains the application source; bundled workbook and PDF assets and pinned JavaScript libraries are loaded as static resources. Everything runs in your browser.
- No data leaves your machine. Your SSP-A template and all selections are processed entirely in-browser. Nothing is transmitted to any server — not even Cybernion’s. Apart from loading the pinned JavaScript libraries and the bundled SSP-A template, your uploaded files and entered data are not transmitted anywhere.
- Third-party libraries. Four open-source JavaScript libraries are loaded at startup: xlsx-js-style v1.2.0 (Excel read/write) from jsDelivr, PDF.js v3.11.174 (PDF parsing) from Cloudflare CDN, Chart.js v4.4.4 (ISM Version Compare charts) from jsDelivr, and chartjs-plugin-datalabels v2.2.0 (chart data labels) from jsDelivr. All four are version-pinned with SHA-384 Subresource Integrity (SRI) hashes — the browser will refuse to execute any file that does not match the pinned hash. The PDF.js worker is loaded as a Web Worker (not a script tag) so browser-native SRI does not apply; the tool fetches it, verifies its SHA-384 hash in JavaScript before use, and rejects any mismatch. A fifth library, fflate v0.8.2 (a small, zero-dependency ZIP library, MIT licensed), is not loaded from any CDN — it is compiled directly into the application source at build time and used by the Create CCM tab to edit the spreadsheet losslessly, so dropdown lists and all other workbook features are preserved.
- Vulnerability scanning. This html tool and all four JavaScript libraries were scanned against public vulnerability databases prior to release. No known vulnerabilities were identified at the versions pinned above.
- Static resource review. The tool and its bundled assets were reviewed as static resources prior to publication. No active content, no dynamic code evaluation, and no third-party tracking scripts are present.
- Source transparency. The application source is contained in the HTML file and can be inspected at any time in your browser’s developer tools or by opening the file in a text editor. Bundled assets (workbooks, PDF) and JavaScript libraries are separate static resources loaded at runtime.
- Bundled file integrity. Each time the tool loads, it computes a SHA-256 hash of the bundled SSP-A template in your browser and compares it against a known-good hash embedded in the HTML at release time. A “Verified” result confirms the file served to you is byte-for-byte identical to the file tested by Cybernion. A hash mismatch blocks the template from loading — the tool will not proceed with a file it cannot verify. The expected hashes are updated in the source with each quarterly release.
If you identify a security concern, please Contact Us.
Licence and attribution
© 2026 Cybernion. All rights reserved. This tool is provided free of charge for use by security practitioners. No part of this tool may be reproduced, redistributed, or used to create derivative works without prior written permission from Cybernion. “ISM”, “IRAP” and related terms refer to work published by the Australian Signals Directorate / ACSC. This tool is an independent utility and is not endorsed by, affiliated with, or sponsored by ASD, ACSC or the Australian Government.
Maximum file size: 5 MB (.xlsx only)
Select Applicable ISM Guidelines
Select every ISM Guideline that is in scope for this assessment. Pre-selected Guidelines apply to nearly every system — unselect any that genuinely do not apply and provide a justification. All controls under an unselected Guideline will be marked Not Applicable in the generated CCM.
Generate
Controls are marked Not Applicable based on your classification and scope selections, across both the provider and consumer columns. All other controls remain as Not Assessed. The Principles tab is not updated.
About the CCM Generator
About the CCM Generator
How this tool works
Select your system's information classification, load a Cloud Controls Matrix template (bundled or your own upload), then download. The tool writes Not Applicable and a standard justification into every control excluded by your classification or scope, across both the provider and consumer columns. The implementation status of all other ISM controls remains as Not Assessed — for you or the IRAP assessor to update manually.
1. Inputs
- CCM template: bundled (current quarter, auto-fetched) or your own ASD CCM
- Classification: NC / OFFICIAL: Sensitive / PROTECTED / SECRET / TOP SECRET
- Scope: which of the 22 ISM Guidelines apply to the assessed system
2. Process
- Classification check: any control where the applicability column for your classification is "No" is marked Not Applicable
- Scope check: any control under an unticked Guideline is marked Not Applicable; classification takes precedence where both apply
- Comment written: a standard justification sentence is added to the provider and consumer Comments columns for each marked control
3. Outputs
- Pre-scoped CCM (.xlsx): only the Controls tab (ISM-XXXX) is changed — excluded controls get Not Applicable in the provider and consumer status columns, None in the Responsibility columns, and the justification in both Comments columns; all other ISM controls remain as Not Assessed without any comment
- Principles sheet: left exactly as supplied; all principles always apply
- Info sheet: left exactly as supplied
What this tool does not do
This tool attempts to discern which ISM controls are not applicable to the assessed system. However, it cannot determine whether a control is genuinely applicable or not. You and the assessor still need to:
- Assess every remaining control and record whether it is Implemented, Partially Implemented, Planned, or Not Implemented
- Verify that every Not Applicable decision made here is defensible in the context of the actual system
- Complete the Principles sheet/tab; it is not updated by this tool
- Review and adjust scope or classification selections before finalising the CCM
Classification and scope selections are guiding principles — the outputs of this tool are starting points, not conclusions.
Assumptions the tool makes about the template
| Assumption | What goes wrong if untrue |
|---|---|
| The template follows the ASD CCM structure — a Controls sheet with ISM-XXXX identifiers, NC / OS / P / S / TS applicability columns, and provider and consumer Implementation / Responsibility / Comments columns. | Column detection fails and the download button shows an error rather than producing an incorrect file. |
| Guideline names in the template match the names shown in the scope checklist exactly. | Controls under mismatched Guideline names will not be marked Not Applicable even if the Guideline is unticked. |
| The template is blank — Implementation column values are "Not Assessed". | Any cells already containing assessment decisions will be overwritten where a classification or scope exclusion applies. |
Disclaimer and limitation of liability
This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. Every Not Applicable decision produced by this tool must be reviewed and confirmed against the actual system under assessment. You remain solely responsible for the accuracy and defensibility of all Not Applicable determinations and for ensuring the final CCM meets your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.
* Required.
Change register
Quarterly themes and cross-validation notes
Browser preview of your Change Register. Use the download buttons above to save a local copy.
| ISM ID | Change | Guideline / Function | Topic | Applicability | Old vs. new ISM requirement | Baseline implementation status | Applicable |
|---|
About the SSP-A or CCM Update Tool
About the SSP-A or CCM Update Tool
How this tool works
Upload your SSP-A or CCM — the tool compares it against the current-quarter CCM (pre-loaded from the server) and fills in the parts of the review that can be determined mechanically, so the reviewer can focus on the judgement calls.
1. Inputs
- Your SSP-A or CCM — uploaded by you as the baseline
- Current-quarter CCM — pre-loaded automatically
- ISM Changes PDF — pre-loaded automatically
2. Process
- Detect quarters from sheet names or column fingerprints
- Diff IDs → New / Updated / Rescinded (Updated means the description, guideline, maturity level, or applicability changed; the Changed Fields column shows exactly what)
- Enrich each row with baseline scoping
- Pre-fill Applicable indicator + Triage for the downloaded register (rules below)
3. Outputs
- Dashboard — filter and search the delta in your browser
- Change Register (.xlsx) — Summary, Controls, Principles, Methodology, E8 Snapshot
- Updated SSP-A or CCM (.xlsx) — baseline refreshed with current CCM changes: description (where text changed), guideline, applicability, maturity level, and classification-based NA scoping where applicable
- Stakeholder note + share summary
Assumptions the tool makes about the inputs
The delta and pre-fills rest on a few assumptions about how your baseline file and the CCM are structured. If any are untrue the output will still look plausible but won't be trustworthy — worth a glance before you upload.
| Assumption | What goes wrong if it’s untrue |
|---|---|
The SSP-A lists every ISM control in force when it was last finalised, including rows marked Not Applicable. |
If Not-Applicable rows were deleted instead of marked NA, they reappear in the current CCM and get counted as New. |
| Control identifiers are stable across quarters unless ASD rescinds and re-issues. | A rename surfaces as one Rescinded + one New item. Likely pairs are flagged as hints but not auto-linked. |
| A control or principle is classified as Updated only when substantive requirement text or selected assessment-relevant fields change. ASD Updated date, Topic, Section, Function, Revision, and Provider Responsibility are metadata-only fields; they refresh silently in the exported baseline but never independently trigger Updated. Fields that trigger Updated: Description · Applicability (NC, OS, P, S, TS) · Maturity mapping (ML1, ML2, ML3) · Guideline. Metadata-only fields (silent refresh, no trigger): ASD Updated date · Topic · Section · Function · Revision · Provider Responsibility. |
The Changed Fields column in the register shows exactly which of the above fields changed for each Updated row. |
| The scope of the system and ISM Guidelines has not changed materially since the last SSP-A was finalised. | Pre-fills come straight from the baseline file. After an architectural change, pre-filled Not-Applicable decisions may be stale. |
Essential Eight maturity lives in the CCM’s ML1 / ML2 / ML3 columns. |
If ASD restructures those columns the E8 snapshot populates as empty. The startup self-test catches gross drift. |
Pre-fill rules (applied to the downloaded Change Register)
| Priority | Trigger condition | Applicable | Triage | Applies to |
|---|---|---|---|---|
| 1 | Every control under a Guideline is marked Not Applicable in the baseline file |
No | No Action | New and Updated |
| 2 | This specific row is marked Not Applicable in the baseline file |
No | No Action (mod only) | Updated and Rescinded |
| 3 | Row exists in baseline and is not flagged out-of-scope | Yes | blank — reviewer decides | Updated and Rescinded |
| — | Brand-new control with no baseline entry and rule 1 doesn't apply | blank | blank | New |
Known limitations and edge cases
- Column layout assumptions. The tool assumes the CCM and SSP-A use the column headers in use at the time of publication (Identifier, Revision, Updated, Guideline, Topic, Provider Responsibility, Implementation Status, etc.) and maps common variants automatically. Identifiers are normalised so minor formatting differences (extra spaces, non-standard hyphens, mixed case) match correctly. If ASD restructures the CCM, spot-check a few rows the first time you use it against a new quarter's release.
- Sheet name convention. The tool first tries to match sheets named "Controls…" or "Principles…", validated against required headers (Identifier + Description + Guideline/Section for controls; Identifier + Description + Function for principles). If no named match passes validation it falls back to content sniffing with the same header requirements. If neither pass finds a valid sheet, the file will be rejected.
- Rescission + re-issue. Occasionally ASD retires one ISM identifier and reintroduces the same requirement under a new identifier. The tool will flag the old ID as Rescinded and the new ID as New but will not connect them — the reviewer has to spot these pairs manually.
- Pre-fill heuristics are typical-case. The guideline-level out-of-scope rule reflects how most SSP-As are structured, but unusual ones (multi-tenant, hybrid, federal-vs-state splits) may need the pre-fills overridden more often. Sanity-check at least one guideline you expect to be in scope before trusting the register.
- Essential Eight flagging. The Essential 8 Maturity Level column is populated from the CCM's ML1/ML2/ML3 columns. Controls that do not map to Essential 8 are shown as "None".
- Info and Pivot tabs are dropped. If your baseline file has an Info / Information tab or a Pivot tab, the Updated baseline export drops them. Info tabs do not round-trip cleanly through the xlsx library; Pivot tabs would show baseline-quarter counts against the new controls. Re-create the pivot against the Updated baseline in Excel (Insert → PivotTable). Other user sheets and hidden sheets still pass through untouched.
- Freeze panes are not preserved. The underlying library (xlsx-js-style) does not write frozen rows. Apply it manually in Excel after download (View → Freeze Top Row).
- Sensitivity labels (MIP / AIP) and DRM. Real-world SSP-As are often protected with Microsoft Purview / Azure Information Protection labels, Microsoft Information Protection encryption, or third-party DRM. The tool can only parse an unprotected
.xlsx— if the file is labelled or encrypted, browserFileReaderreturns ciphertext and the parse will fail with a cryptic error. Before uploading, open your SSP-A in Excel, remove the sensitivity label (or downgrade it to an unprotected equivalent) and save a fresh copy, then feed that copy to the tool. Re-apply the label on your original after the review. Because processing is entirely client-side, the unlabelled copy never leaves your machine. - Password-protected or macro-enabled workbooks. Password-protected
.xlsx,.xlsmand.xlsbfiles are not supported — remove the password or convert to a plain.xlsxbefore uploading.
Disclaimer and limitation of liability
This tool is provided on an “as is” and “as available” basis, without warranty of any kind. The output is a decision-support aid, not professional, legal, compliance, assurance or IRAP advice. You remain solely responsible for reviewing each change, confirming every pre-fill, and ensuring the final artefacts meet your organisation’s assurance, accreditation and record-keeping obligations. To the maximum extent permitted by law, in no event shall Cybernion be liable for any direct, indirect, incidental, special, consequential or punitive damages arising from your use of this tool.
Security and transparency
This is a static, client-side web tool with no backend, no account, and no server-side processing. The HTML file contains the application source; bundled workbook and PDF assets and pinned JavaScript libraries are loaded as static resources. Everything runs in your browser.
- No data leaves your machine. Your SSP-A, CCM, and all inputs are processed entirely in-browser. Nothing is transmitted to any server — not even Cybernion’s. Apart from loading the pinned JavaScript libraries and the bundled CCM and ISM Changes PDF, your uploaded files and entered data are not transmitted anywhere.
- Third-party libraries. Four open-source JavaScript libraries are loaded at startup: xlsx-js-style v1.2.0 (Excel read/write) from jsDelivr, PDF.js v3.11.174 (PDF parsing) from Cloudflare CDN, Chart.js v4.4.4 (ISM Version Compare charts) from jsDelivr, and chartjs-plugin-datalabels v2.2.0 (chart data labels) from jsDelivr. All four are version-pinned with SHA-384 Subresource Integrity (SRI) hashes — the browser will refuse to execute any file that does not match the pinned hash. The PDF.js worker is loaded as a Web Worker (not a script tag) so browser-native SRI does not apply; the tool fetches it, verifies its SHA-384 hash in JavaScript before use, and rejects any mismatch. A fifth library, fflate v0.8.2 (a small, zero-dependency ZIP library, MIT licensed), is not loaded from any CDN — it is compiled directly into the application source at build time and used by the Create CCM tab to edit the spreadsheet losslessly, so dropdown lists and all other workbook features are preserved.
- Vulnerability scanning. This html tool and all four JavaScript libraries were scanned against public vulnerability databases prior to release. No known vulnerabilities were identified at the versions pinned above.
- Static resource review. The tool and its bundled assets were reviewed as static resources prior to publication. No active content, no dynamic code evaluation, and no third-party tracking scripts are present.
- Source transparency. The application source is contained in the HTML file and can be inspected at any time in your browser’s developer tools or by opening the file in a text editor. Bundled assets (workbooks, PDF) and JavaScript libraries are separate static resources loaded at runtime.
- Bundled file integrity. Each time the tool loads, it computes SHA-256 hashes of the bundled CCM and ISM Changes PDF in your browser and compares them against known-good hashes embedded in the HTML at release time. A “Verified” result confirms the files served to you are byte-for-byte identical to the files tested by Cybernion. A CCM hash mismatch blocks the tool from proceeding — the PDF is enrichment only, so a PDF mismatch is flagged as a warning. The expected hashes are updated in the source with each quarterly release.
If you identify a security concern, please Contact Us.
Licence and attribution
© 2026 Cybernion. All rights reserved. This tool is provided free of charge for use by security practitioners. No part of this tool may be reproduced, redistributed, or used to create derivative works without prior written permission from Cybernion. “ISM”, “Cloud Controls Matrix”, “Essential Eight”, “IRAP” and related terms refer to work published by the Australian Signals Directorate / ACSC. This tool is an independent utility and is not endorsed by, affiliated with, or sponsored by ASD, ACSC or the Australian Government.
ISM Version Compare
Compare any two historical ISM CCM versions. New, Updated, and Rescinded controls and principles are computed using the same engine as the quarterly review tab.
Generates a workbook with Summary, Controls, Principles, and Methodology sheets.
Summary
Controls 0changes
Principles 0changes
Visual Summary
Changes by Guideline (Controls)
Change Type Distribution
Change Register
| ISM ID | Change | Guideline / Section | Topic | Applicability / ML | Description |
|---|