11 September 2025
ACSC ISM Roadmap & Alignment with NIST 800–53 Rev 2
In the ever-evolving landscape of cybersecurity, frameworks like the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) and the U.S. National Institute of Standards and Technology’s (NIST) Specia…
In the ever-evolving landscape of cybersecurity, frameworks like the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) and the U.S. National Institute of Standards and Technology’s (NIST) Special Publication 800–53 Revision 2 provide essential guidance for organizations to manage risks effectively. While NIST 800–53 Rev 2, published in 2009, offers a foundational set of security controls, the ACSC ISM has been undergoing rapid updates in 2025 to address modern threats. This article explores how the ISM roadmap — through its quarterly updates in March, June, and September 2025 — aligns with NIST 800–53 Rev 2, while also extending beyond it to incorporate emerging technologies like AI and post-quantum cryptography. By mapping ISM changes to NIST controls and the Risk Management Framework (RMF), we can see a clear progression toward structured, risk-aware security practices.
March 2025 ISM Update: Building Foundations in Governance and Asset Management
The March 2025 ISM update focused on strengthening core principles to establish a robust baseline for cybersecurity. Key changes included enhanced Secure by Design principles, which emphasize secure software development and supply chain risk management (SCRM). The Govern (GOV) principles were updated to clarify risk ownership and governance structures, while Identify (IDE) controls were bolstered for asset discovery and classification, especially in operational technology (OT) environments. Initial considerations for AI security, such as data handling for AI systems, were introduced, alongside expanded physical security controls for data centers.
These updates map closely to several NIST 800–53 Rev 2 controls:
- CM-8 (System Component Inventory): The ISM’s IDE enhancements for asset discovery and classification align with NIST’s requirements for maintaining comprehensive inventories, which are crucial for risk categorization in RMF Step 1 (Categorize).
- SA-3 (System Development Life Cycle): Secure by Design principles correspond to NIST’s emphasis on integrating security throughout the development process.
- RA-3 (Risk Assessment): Updates to GOV for risk ownership support NIST’s risk assessment controls, aiding RMF Step 2 (Select).
- PE-2/3 (Physical Access Authorizations/Control): Strengthened physical security measures map to NIST’s physical and environmental protection family.
- SC-28 (Protection of Information at Rest): AI data handling aligns loosely with NIST’s data protection controls, though Rev 2 does not address AI specifically.
In terms of roadmap alignment, this update emphasizes RMF Steps 1–2, prioritizing asset visibility and governance to create risk-aware baselines. It lays the groundwork for subsequent control implementations, mirroring NIST’s structured approach to risk management while adapting to contemporary needs.
June 2025 ISM Update: Operationalizing Software Security
Building on the March foundations, the June 2025 update represented a major overhaul, introducing over 40 new controls (from ISM-2020 to ISM-2068) centered on the software development lifecycle. Highlights included requirements for software bills of materials (SBOM), issue tracking, and malicious code scanning. GOV and IDE principles were rewritten to embed Secure by Design and Secure by Default concepts. Additional emphases were placed on data minimization and personnel oversight in development, with AI-specific controls like ISM-1924 addressing generative AI behavior.
Mappings to NIST 800–53 Rev 2 include:
- SA-4 (Acquisition Process): SBOM and supply chain controls align with NIST’s acquisition security requirements, promoting third-party software integrity.
- SI-3 (Malicious Code Protection): Scanning for malicious code in artifacts directly corresponds to NIST’s system integrity controls.
- SA-8 (Security Engineering Principles): Secure by Design/Secure by Default principles strongly match NIST’s focus on engineering secure systems.
- PS-4 (Personnel Termination): Personnel oversight maps to NIST’s personnel security family, ensuring developer accountability.
- SC-28 (Protection of Information at Rest): AI controls like ISM-1924 loosely align with data protection, despite Rev 2’s lack of AI detail.
- RA-5 (Vulnerability Scanning): Issue tracking supports NIST’s vulnerability management requirements.
This update aligns with RMF Steps 3–4 (Implement, Assess), focusing on actionable controls for software security and continuous monitoring. The inclusion of SBOM and AI elements reflects NIST’s broader roadmap goals of adapting to emerging risks, even if Rev 2 requires some interpretation for modern technologies.
September 2025 ISM Update: Enhancing Resilience and Emerging Tech Integration
The September 2025 update refined the ISM further by adding shorthand descriptors for all principles across GOV, IDE, Protect, Detect, Respond, and Recover categories. New additions included IDE-01 for IT/OT asset and supply chain documentation, updates to Protect principles (e.g., shifting from “trusted” to “trustworthy” for suppliers and implementing least privilege for services), and a new Recover (REC) category with REC-01 for post-incident risk acceptance. Five to seven new controls were introduced, such as ISM-2069/2070 for physical device security, ISM-2071 for personnel training on suspicious requests, ISM-2072 for AI model storage, ISM-2073 for post-quantum cryptography transitions, and expansions to ISM-1924 for generative AI safeguards, including ASD-endorsed Protection Profiles for cryptographic assurance.
Key mappings to NIST 800–53 Rev 2 are:
- CM-8 (System Component Inventory): IDE-01’s focus on asset and supply chain documentation aligns with NIST’s inventory controls.
- AC-6 (Least Privilege): Protect updates for least privilege map to NIST’s access control family.
- PE-2/3 (Physical Access Authorizations/Control): ISM-2069/2070 correspond to NIST’s physical protection measures.
- PS-6 (Access Agreements): ISM-2071’s training requirements align with NIST’s personnel security training.
- SC-12 (Cryptographic Key Management): ISM-2073’s post-quantum focus maps loosely to NIST’s cryptographic controls, though Rev 2 lacks quantum specifics.
- SC-28 (Protection of Information at Rest): ISM-2072 and expanded ISM-1924 align with data protection.
- IR-4 (Incident Handling): The new REC category maps to NIST’s incident response and recovery controls.
- CA-7 (Continuous Monitoring): Detect updates (DET-01/02 for logging and analysis) support NIST’s monitoring requirements.
Roadmap-wise, this update corresponds to RMF Steps 4–6 (Assess, Authorize, Monitor), emphasizing operational resilience, recovery, and adaptations for AI and quantum threats. It advances NIST’s framework by addressing gaps in Rev 2 through refined implementation and monitoring.
Trends and Future Direction
The ISM’s 2025 evolution demonstrates a progressive alignment with NIST’s risk management philosophy, but it modernizes more aggressively to tackle AI, post-quantum cryptography, and OT security. March laid governance foundations, June operationalized software security, and September focused on recovery and emerging technologies.
However, NIST 800–53 Rev 2, being pre-2010, has notable gaps in areas like AI, quantum risks, and modern supply chain threats. The ISM’s updates extend beyond Rev 2, anticipating later NIST developments, such as the 2023 quantum preparedness guidelines.
Looking ahead, future ISM updates — potentially in December 2025 — may deepen Zero Trust integration, expand AI and OT controls, and align with NIST’s RMF advancements, including continuous authorization and hybrid cloud security. Organizations aiming for ISM-NIST compliance should prioritize asset visibility, SBOM adoption, and quantum transition planning to navigate these frameworks effectively.
In summary, the ACSC ISM roadmap not only follows NIST 800–53 Rev 2’s structured RMF but also innovates to meet today’s dynamic threat environment, ensuring Australian entities remain resilient in a global context.
The Shift to Zero Trust: A Paradigm of Continuous Verification
Zero Trust is a security philosophy that assumes no entity — whether inside or outside the network — can be trusted by default. It emphasizes three core principles: verify explicitly, use least privilege access, and assume breach. Unlike the Essential Eight’s focus on specific controls, Zero Trust requires continuous authentication, authorization, and monitoring across all users, devices, and systems. This approach aligns with the increasing complexity of hybrid IT environments, cloud adoption, and emerging technologies like AI and operational technology (OT).
The ISM’s 2025 updates, particularly those in March, June, and September, reflect a clear shift toward embedding Zero Trust principles into its framework. These updates expand beyond the Essential Eight’s tactical controls to incorporate governance, risk management, and adaptive security measures that align with NIST’s Zero Trust Architecture (SP 800–207) and broader risk management frameworks.
Key ISM Updates Driving Zero Trust Integration
1. March 2025: Strengthening Governance and Asset Visibility
The March 2025 ISM update laid the groundwork for Zero Trust by emphasizing Secure by Design principles and robust governance. Key changes included:
- Enhanced Govern (GOV) principles to clarify risk ownership and establish clear governance structures, aligning with Zero Trust’s need for centralized policy enforcement.
- Updated Identify (IDE) controls for comprehensive asset discovery and classification, particularly for OT environments. This mirrors Zero Trust’s requirement for full visibility into all assets (devices, applications, and data) to enforce granular access policies.
- Initial AI security considerations, such as secure data handling for AI systems, reflecting Zero Trust’s focus on protecting emerging technologies.
These updates align with Zero Trust’s “verify explicitly” principle by ensuring organizations know their assets and risks before granting access. The focus on governance supports policy-driven security, a cornerstone of Zero Trust, moving beyond the Essential Eight’s control-specific approach.
2. June 2025: Operationalizing Secure Development and Supply Chain Security
The June 2025 update introduced over 40 new controls (ISM-2020 to ISM-2068) focused on the software development lifecycle (SDLC) and supply chain risk management (SCRM). Notable changes included:
- Requirements for software bills of materials (SBOM) and malicious code scanning, ensuring transparency and integrity in third-party software — a key Zero Trust requirement for validating supply chain components.
- Rewritten GOV and IDE principles to embed Secure by Design/Secure by Default, aligning with Zero Trust’s least privilege and proactive security engineering.
- AI-specific controls (e.g., ISM-1924 for generative AI behavior) to address risks in emerging technologies, ensuring continuous verification of AI-driven processes.
These changes move beyond the Essential Eight’s focus on endpoint and network controls, embracing Zero Trust’s broader scope of securing the entire ecosystem, including software supply chains and development pipelines. The emphasis on continuous monitoring (e.g., vulnerability scanning and issue tracking) aligns with Zero Trust’s “assume breach” principle, enabling proactive detection and response.
3. September 2025: Enhancing Resilience and Emerging Tech Integration
The September 2025 update further advanced Zero Trust integration by refining operational and recovery-focused controls. Key changes included:
- New IDE-01 controls for IT/OT asset and supply chain documentation, reinforcing asset visibility as a prerequisite for Zero Trust’s granular access controls.
- Updated Protect principles, such as adopting “trustworthy” over “trusted” for suppliers and enforcing least privilege for services, directly aligning with Zero Trust’s least privilege principle.
- A new Recover (REC) category (e.g., REC-01 for post-incident risk acceptance) to enhance resilience, supporting Zero Trust’s assumption of inevitable breaches.
- Controls like ISM-2072 (AI model storage) and ISM-2073 (post-quantum cryptography) address emerging risks, ensuring Zero Trust principles extend to new technologies.
These updates align with Zero Trust’s continuous monitoring and adaptive response requirements, moving beyond the Essential Eight’s static maturity levels to a dynamic, risk-aware framework.
Mapping Essential Eight to Zero Trust in the ISM
While the Essential Eight remains a subset of the ISM, its controls are being reframed to support Zero Trust principles. For example:
- Application Control and Patch Management (Essential Eight) align with Zero Trust’s least privilege by restricting unauthorized software and ensuring systems are up-to-date.
- MFA supports Zero Trust’s “verify explicitly” principle by requiring continuous user authentication.
- System Monitoring and Backups align with Zero Trust’s “assume breach” principle, enabling detection and recovery from incidents.
However, the ISM’s Zero Trust evolution extends far beyond these controls. The Essential Eight focuses on tactical, endpoint-centric protections, whereas Zero Trust requires a holistic approach, integrating governance, supply chain security, and continuous monitoring across hybrid environments. The ISM’s 2025 updates bridge this gap by embedding Zero Trust principles into its core categories (GOV, IDE, Protect, Detect, Respond, Recover).
Trends and Future Direction
The ISM’s transition from Essential Eight to Zero Trust reflects a response to modern threats, including:
- Hybrid IT and Cloud Environments: Zero Trust’s network-agnostic approach addresses the complexity of cloud and on-premises systems, unlike the Essential Eight’s focus on traditional IT.
- Emerging Technologies: Controls for AI, OT, and post-quantum cryptography (e.g., ISM-2073) ensure the ISM remains relevant for future risks, extending beyond the Essential Eight’s scope.
- Supply Chain Risks: SBOM and SCRM controls address vulnerabilities in third-party components, a critical Zero Trust requirement absent in the Essential Eight.
Looking ahead, future ISM updates (e.g., December 2025) are likely to deepen Zero Trust integration by:
- Expanding continuous authorization mechanisms, aligning with NIST’s Zero Trust Architecture and dynamic access controls.
- Enhancing AI and OT security controls to address autonomous systems and critical infrastructure.
- Strengthening micro-segmentation and identity-based access, further embedding least privilege across all environments.
Practical Implications for Organizations
For organizations using the ISM, transitioning from Essential Eight maturity to a Zero Trust approach requires:
- Asset Visibility: Implement IDE-01 and related controls to maintain comprehensive inventories of IT/OT assets and supply chain components.
- SBOM Adoption: Embrace June 2025’s SBOM requirements to ensure software integrity and transparency.
- Continuous Monitoring: Leverage Detect and Recover controls (e.g., DET-01/02, REC-01) to enable real-time threat detection and resilient recovery.
- Quantum Preparedness: Begin planning for post-quantum cryptography transitions (ISM-2073) to future-proof cryptographic protections.
- Governance Overhaul: Update risk management and governance structures to align with GOV updates, ensuring policy-driven Zero Trust enforcement.
Conclusion
The ACSC ISM is evolving from the Essential Eight’s prescriptive, maturity-based approach to a broader Zero Trust framework that addresses modern cyber complexities. The 2025 updates demonstrate this shift by integrating governance, asset visibility, secure development, and emerging technology controls, aligning with Zero Trust’s principles of explicit verification, least privilege, and breach assumption. While the Essential Eight remains a valuable foundation, the ISM’s adoption of Zero Trust ensures Australian organizations are better equipped to tackle dynamic threats in hybrid, cloud, and AI-driven environments. By prioritizing asset visibility, supply chain security, and continuous monitoring, the ISM is paving the way for a resilient, future-ready cybersecurity posture.