ISM Pulse - A Quarterly Change Review Tool

On every page load the tool replays a known fixture (2 New / 2 Modified / 1 Rescinded) through the real delta engine. Green means the parser still matches expectations; red means ASD has likely changed the CCM schema and the output should not be trusted until the parser is updated.
Built by Gaurav Vikash · Apache Licence 2.0 · Free & open-source

Upload a product's System Security Plan Annex (SSP-A) spreadsheet, the current-quarter ASD ISM Cloud Controls Matrix (CCM), and the ISM Changes PDF. The tool computes the delta between the CCM and SSP-A, and presents an interactive review dashboard with downloadable outputs.

All processing happens in the browser. Nothing is uploaded anywhere.

1. Product details

* Required. All three values must be provided to compute a delta.

2. Upload inputs

About this tool

How this tool works

The tool reads two spreadsheets, finds what actually changed between them, and fills in the parts of the review that can be determined mechanically — so the reviewer can focus on the judgement calls.

1. Inputs

  • SSP-A (latest available) — your baseline scoping
  • CCM (this quarter) — the new ASD truth
  • Changes PDF (this quarter) — for cross-validation and rescission rationale

2. Process

  • Detect quarters from sheet names
  • Diff IDs → New / Modified / Rescinded
  • Enrich each row with SSP-A scoping
  • Pre-fill In-scope + Triage (rules below)

3. Outputs

  • Dashboard — filter, search, edit inline
  • Change Register (.xlsx) — Summary, Controls, Principles, Methodology, E8 Snapshot
  • Updated SSP-A (.xlsx) — baseline with your triage applied
  • Stakeholder note + share summary

Assumptions the tool makes about the inputs

The delta and pre-fills rest on a few assumptions about how the SSP-A and the CCM are structured. If any are untrue for your product the output will still look plausible but won't be trustworthy — worth a glance before you upload.

| Assumption | What goes wrong if it’s untrue |
|---|---|
| The SSP-A lists every ISM control in force when it was last finalised, including rows marked Not Applicable. | If Not-Applicable rows were deleted instead of marked NA, they reappear in the current CCM and get counted as New. |
| Control identifiers are stable across quarters unless ASD rescinds and re-issues. | A rename surfaces as one Rescinded + one New item. Likely pairs are flagged as hints but not auto-linked. |
| Material updates to a control change its description text (not just its applicability labels). | Applicability-only changes aren’t flagged as Modified. The applicability-drift HINT catches them separately. |
| The scope of the system and ISM Guidelines has not changed materially since the last SSP-A was finalised. | Pre-fills come straight from the baseline SSP-A. After an architectural change, pre-filled Not-Applicable decisions may be stale. |
| Essential Eight maturity lives in the CCM’s ML1 / ML2 / ML3 columns. | If ASD restructures those columns the E8 snapshot populates as empty. The startup self-test catches gross drift. |

Pre-fill rules (applied in order)

| Priority | Trigger condition | In scope | Triage | Applies to |
|---|---|---|---|---|
| 1 | Every control under a Guideline is marked Not Applicable in the baseline SSP-A | No | No Action | New and Modified |
| 2 | This specific row is marked Not Applicable in the baseline SSP-A | No | No Action (mod only) | Modified and Rescinded |
| 3 | Row exists in baseline and is not flagged out-of-scope | Yes | blank — reviewer decides | Modified and Rescinded |
| - | Brand-new control with no baseline entry and rule 1 doesn't apply | blank | blank | New |

Reminder: pre-fills exist only to save the reviewer keystrokes. They do not assess the actual change. The reviewer is responsible for reading each changed control and confirming or overriding every pre-fill before sharing the register.
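
The ID diff and the ordered pre-fill rules described above, as an added JavaScript sketch that is not ISM Pulse's own code. The row shape, the "Not Applicable" status string, the whitespace normalisation and the reading of "No Action (mod only)" as Modified-only are assumptions; the fixture is constructed to match the self-test's 2 New / 2 Modified / 1 Rescinded shape.

```javascript
// Added illustration, not ISM Pulse's source. The row shape {id, guideline,
// description, status} and the "Not Applicable" label are assumptions.
const NA = "Not Applicable";
const norm = s => String(s ?? "").replace(/\s+/g, " ").trim(); // assumed normalisation

// Pre-fill rules in priority order; "" is a blank left for the reviewer.
function prefill(change, guideline, baseRow, guidelineAllNa) {
  if (change !== "Rescinded" && guidelineAllNa.get(guideline) === true)
    return { inScope: "No", triage: "No Action", rule: 1 };
  if (baseRow && baseRow.status === NA) // "No Action (mod only)" read as Modified only
    return { inScope: "No", triage: change === "Modified" ? "No Action" : "", rule: 2 };
  if (baseRow) return { inScope: "Yes", triage: "", rule: 3 };
  return { inScope: "", triage: "", rule: null }; // brand-new control, nothing to inherit
}

function computeDelta(baselineRows, ccmRows) {
  const base = new Map(baselineRows.map(r => [r.id, r]));
  const curr = new Map(ccmRows.map(r => [r.id, r]));
  // Rule 1 input: true only while every baseline row under the guideline is NA.
  const guidelineAllNa = new Map();
  for (const r of baselineRows)
    guidelineAllNa.set(r.guideline, (guidelineAllNa.get(r.guideline) ?? true) && r.status === NA);
  const out = [];
  const add = (id, change, guideline, b) =>
    out.push({ id, change, ...prefill(change, guideline, b, guidelineAllNa) });
  for (const [id, c] of curr) {
    const b = base.get(id);
    if (!b) add(id, "New", c.guideline);
    // Modified means the description text changed; applicability-only edits are not flagged.
    else if (norm(b.description) !== norm(c.description)) add(id, "Modified", c.guideline, b);
  }
  for (const [id, b] of base) if (!curr.has(id)) add(id, "Rescinded", b.guideline, b);
  return out;
}

// Constructed fixture (IDs and guideline names are placeholders, not real ISM data).
const row = (id, guideline, description, status) => ({ id, guideline, description, status });
const baseline = [
  row("T-001", "Networking", "Old text", "Implemented"), row("T-002", "Networking", "Same", NA),
  row("T-003", "Physical", "Old text", NA), row("T-004", "Networking", "Same", "Implemented"),
];
const ccm = [
  row("T-001", "Networking", "New text"), row("T-003", "Physical", "New text"),
  row("T-004", "Networking", "Same  "), row("T-005", "Physical", "Added"),
  row("T-006", "Networking", "Added"),
];
const delta = computeDelta(baseline, ccm);
```

T-005 shows why rule 1 deserves a second look: a new control inherits "No" purely because its whole Guideline was Not Applicable in the baseline, which is exactly the pre-fill that goes stale after an architectural change.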

Privacy

100% client-side — nothing leaves your browser

The SSP-A, CCM and PDF you upload are processed in-memory. All data and processing are lost when the tab is closed or reloaded. Export the Change Register, Updated SSP-A or Word summary before leaving to save your work.

Known limitations and edge cases
  • Column layout assumptions. The tool assumes the CCM and SSP-A use the column headers in use at the time of publication (Identifier, Revision, Updated, Guideline, Topic, Provider Responsibility, Implementation Status, etc.). If ASD restructures the CCM, you may need to tweak the code — spot-check a few rows the first time you use it against a new quarter's release.
  • Sheet name convention. Quarter detection reads the workbook's sheet name (e.g. "Controls - March 2026"). If your SSP-A renames that sheet, the baseline quarter label will be blank.
  • Rescission + re-issue. Occasionally ASD retires one ISM identifier and reintroduces the same requirement under a new identifier. The tool will flag the old ID as Rescinded and the new ID as New but will not connect them — the reviewer has to spot these pairs manually.
  • Pre-fill heuristics are typical-case. The guideline-level out-of-scope rule reflects how most SSP-As are structured, but unusual ones (multi-tenant, hybrid, federal-vs-state splits) may need the pre-fills overridden more often. Sanity-check at least one guideline you expect to be in scope before trusting the register.
  • Essential Eight flagging. The Essential 8 Maturity Level column is populated from the CCM's ML1/ML2/ML3 columns. Controls that do not map to Essential 8 are shown as "None".
  • Info and Pivot tabs are dropped. If your baseline SSP-A has an Info / Information tab or a Pivot tab, the Updated SSP-A export drops them. Info tabs do not round-trip cleanly through the xlsx library; Pivot tabs would show baseline-quarter counts against the new controls. Re-create the pivot against the Updated SSP-A in Excel (Insert → PivotTable). Other user sheets and hidden sheets still pass through untouched.
  • Freeze panes are not preserved. The underlying library (xlsx-js-style) does not write frozen rows. Apply it manually in Excel after download (View → Freeze Top Row).
  • Sensitivity labels (MIP / AIP) and DRM. Real-world SSP-As are often protected with Microsoft Purview / Azure Information Protection labels, Microsoft Information Protection encryption, or third-party DRM. The tool can only parse an unprotected .xlsx — if the file is labelled or encrypted, browser FileReader returns ciphertext and the parse will fail with a cryptic error. Before uploading, open your SSP-A in Excel, remove the sensitivity label (or downgrade it to an unprotected equivalent) and save a fresh copy, then feed that copy to the tool. Re-apply the label on your original after the review. Because processing is entirely client-side, the unlabelled copy never leaves your machine.
  • Password-protected or macro-enabled workbooks. Password-protected .xlsx, .xlsm and .xlsb files are not supported — remove the password or convert to a plain .xlsx before uploading.
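
A pre-flight check for the last two limitations, as an added JavaScript example that is not part of ISM Pulse: it inspects the uploaded bytes before parsing so an unsupported workbook gets a clear reason instead of a cryptic parse error. It relies on encrypted or password-protected Office files being stored as OLE compound files rather than ZIP archives; the function name, reason strings and the part-name byte search are assumptions and heuristics, and the sample inputs are constructed stubs.

```javascript
// Added illustration, not ISM Pulse's source; names and reason strings are hypothetical.
const ZIP_MAGIC = [0x50, 0x4b, 0x03, 0x04];                         // "PK\x03\x04"
const CFB_MAGIC = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]; // OLE compound file

const startsWith = (bytes, magic) =>
  bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b);

// ZIP stores entry names uncompressed, so a plain byte search can find a part name.
function containsAscii(bytes, text) {
  const needle = Array.from(text, ch => ch.charCodeAt(0));
  outer: for (let i = 0; i + needle.length <= bytes.length; i++) {
    for (let j = 0; j < needle.length; j++) if (bytes[i + j] !== needle[j]) continue outer;
    return true;
  }
  return false;
}

// In the browser: preflightWorkbook(new Uint8Array(await file.arrayBuffer()))
function preflightWorkbook(bytes) {
  // Encrypted / password-protected OOXML and legacy .xls are compound files, not ZIPs.
  if (startsWith(bytes, CFB_MAGIC)) return { ok: false, reason: "compound-file" };
  if (!startsWith(bytes, ZIP_MAGIC)) return { ok: false, reason: "not-a-zip" };
  // Heuristics based on the conventional part names for .xlsm and .xlsb workbooks.
  if (containsAscii(bytes, "xl/vbaProject.bin")) return { ok: false, reason: "macro-enabled" };
  if (containsAscii(bytes, "xl/workbook.bin")) return { ok: false, reason: "xlsb" };
  if (!containsAscii(bytes, "xl/workbook.xml")) return { ok: false, reason: "no-workbook-part" };
  return { ok: true, reason: "plain-xlsx" };
}

// Constructed stubs: a magic number followed by entry names, not real workbooks.
const sample = (magic, names) =>
  Uint8Array.from([...magic, ...Array.from(names, ch => ch.charCodeAt(0))]);
const samples = {
  plain: sample(ZIP_MAGIC, "xl/workbook.xml"),
  protectedFile: sample(CFB_MAGIC, "EncryptedPackage"),
  macro: sample(ZIP_MAGIC, "xl/workbook.xml xl/vbaProject.bin"),
  binary: sample(ZIP_MAGIC, "xl/workbook.bin"),
};
```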