8 December 2025
ACSC ISM Roadmap (2025 → 2026)
High-level, minimal wording, easy to present March 2025 Focus: Restructure & Modernisation New ISM format released (section renumbering). Clean separation of principles, controls, guidance. Initial movement toward modern…
High-level, minimal wording, easy to present
March 2025
Focus: Restructure & Modernisation
- New ISM format released (section renumbering).
- Clean separation of principles, controls, guidance.
- Initial movement toward modern cryptography guidance.
June 2025
Focus: Supply-Chain & Third-Party Security
- Strengthened controls for cloud and outsourced service providers.
- Updates to crypto-requirements and algorithm hardening.
- Emphasis on verifying third-party security posture.
September 2025
Focus: Identity, Access & Authentication Overhaul
- Strengthening password policy expectations.
- Updates to authentication mechanisms and identity governance.
- Early hints of pivot toward Zero-Trust-style identity assurance.
December 2025
Focus: AI Governance + CBOM + Modern Auth Hygiene
- Major new AI application security controls (training data integrity, model documentation, output protections, anomaly monitoring).
- Introduction of Cryptographic Bill of Materials (CBOM).
- Removal of outdated practices (security questions, email OOB auth, legacy fax).
- Password policy modernization (≤ 64 chars, no forced rotation, no complexity rules, block weak/common passwords).
March 2026 (Predicted)
Focus: Zero-Trust, Cloud/Hybrid Security, SBOM Growth & OT Controls
- Possible formal Zero-Trust architecture references (least privilege, continuous access evaluation).
- Strengthened hybrid/multi-cloud controls and MSP accountability.
- Expansion of SBOM/CBOM into broader software supply-chain compliance.
- Increased OT/ICS security guidance (segmentation, firmware integrity).
- More AI lifecycle controls (logging, provenance, model-risk assessment).
- Early guidance on post-quantum migration pathways.
One-Line Summary Version
Mar 2025: ISM restructure →
Jun 2025: Third-party & crypto tightening →
Sep 2025: Identity & authentication uplift →
Dec 2025: AI controls + CBOM + auth modernisation →
Mar 2026 (predicted): Zero-Trust, hybrid-cloud, SBOM expansion & OT security.