All articles

8 December 2025

ACSC ISM Roadmap (2025 → 2026)

High-level, minimal wording, easy to present March 2025 Focus: Restructure & Modernisation New ISM format released (section renumbering). Clean separation of principles, controls, guidance. Initial movement toward modern…

High-level, minimal wording, easy to present

March 2025

Focus: Restructure & Modernisation

  • New ISM format released (section renumbering).
  • Clean separation of principles, controls, guidance.
  • Initial movement toward modern cryptography guidance.

June 2025

Focus: Supply-Chain & Third-Party Security

  • Strengthened controls for cloud and outsourced service providers.
  • Updates to crypto-requirements and algorithm hardening.
  • Emphasis on verifying third-party security posture.

September 2025

Focus: Identity, Access & Authentication Overhaul

  • Strengthening password policy expectations.
  • Updates to authentication mechanisms and identity governance.
  • Early hints of pivot toward Zero-Trust-style identity assurance.

December 2025

Focus: AI Governance + CBOM + Modern Auth Hygiene

  • Major new AI application security controls (training data integrity, model documentation, output protections, anomaly monitoring).
  • Introduction of Cryptographic Bill of Materials (CBOM).
  • Removal of outdated practices (security questions, email OOB auth, legacy fax).
  • Password policy modernization (≤ 64 chars, no forced rotation, no complexity rules, block weak/common passwords).

March 2026 (Predicted)

Focus: Zero-Trust, Cloud/Hybrid Security, SBOM Growth & OT Controls

  • Possible formal Zero-Trust architecture references (least privilege, continuous access evaluation).
  • Strengthened hybrid/multi-cloud controls and MSP accountability.
  • Expansion of SBOM/CBOM into broader software supply-chain compliance.
  • Increased OT/ICS security guidance (segmentation, firmware integrity).
  • More AI lifecycle controls (logging, provenance, model-risk assessment).
  • Early guidance on post-quantum migration pathways.

One-Line Summary Version

Mar 2025: ISM restructure →
Jun 2025: Third-party & crypto tightening →
Sep 2025: Identity & authentication uplift →
Dec 2025: AI controls + CBOM + auth modernisation →
Mar 2026 (predicted): Zero-Trust, hybrid-cloud, SBOM expansion & OT security.