What to Expect from September’s ISM Update

Coalfire

August 27, 2025

The Optus case shows where enforcement is heading.

Australia’s privacy regulator, the OAIC, has taken Optus to court over its 2022 breach, seeking civil penalties under the Privacy Act in one of only a handful of such proceedings ever brought. It is a sign that regulators are prepared to follow through when organizations fall short on protecting customer data.

Australia is catching up to global peers like the EU and U.S., where fines for poor cyber practices are already part of the landscape.

With the next round of ISM updates due in September, business leaders should be asking: what changes are coming, and what do they mean for us?

ISM changes show what regulators now expect.

The ISM is the benchmark regulators, auditors, and boards use to judge whether an organization has met its duty of care. Australian government entities must apply it. Contractors handling government data are bound to it through their contracts. And for the wider private sector it has become the most widely referenced yardstick for what “reasonable” cyber risk management looks like.

Where We Are Now

The June update set a new tone for governance and accountability:

  • Boards and executives now hold explicit responsibility for cyber risk, not just IT teams.
  • Secure-by-design practices were elevated across development and procurement.
  • Supply chain assurance became a front-line requirement, with SBOMs and provenance checks central to compliance.

With the Optus case, regulators are showing that they are willing to hold businesses accountable for breaches, especially where they see systemic failures in governance and supply chain oversight. Leadership needs not only a sound program but evidence that it works, in a form that will stand up to a regulator or a court.

What’s Likely Next

While no one outside government knows exactly what September will bring, several trends point toward areas likely to see attention.

  1. Expanded governance requirements
    Board-level accountability was just the start. With global momentum, such as the SEC’s cyber disclosure rules in the U.S. and CMMC 2.0 requiring third-party certification for many defense contractors, expect regulators to keep strengthening governance provisions. Boards may soon need documented oversight processes and proof that they are actively reviewing and addressing cyber risks, not just receiving briefings.

  2. Tighter software provenance requirements
    Incidents like the MediSecure breach have exposed how much sensitive data sits with third-party providers and how fragile those dependencies can be. With SBOMs already part of the ISM’s software development controls, the next step may be expanded requirements for proving that software comes from trusted sources and is validated on an ongoing basis, not just at procurement. Companies will need stronger supplier evidence and continuous monitoring practices to stay compliant.

  3. Greater focus on AI security
    Governments worldwide are sharpening their scrutiny of artificial intelligence, from bias and privacy risks to secure development practices. Australia has already released guidance for AI assurance, and September may introduce clearer expectations. For businesses, this could mean stronger testing and documentation requirements for any AI-enabled systems, including the third-party models and services they build on.

What It Means for Your Business

September’s update will continue shifting responsibility upward, to boards and executives, and outward, to suppliers and service providers.

For executives, that means building cyber into enterprise risk management frameworks and ensuring regular, transparent reporting. 

For CISOs, it means maintaining evidence that governance processes are active and effective. 

For suppliers, it means being ready to demonstrate compliance and resilience as part of every contract negotiation.

Organizations that treat the ISM as a living standard, updating practices continuously rather than reactively, will have a smoother path forward. Those that wait may find themselves scrambling under regulatory or contractual pressure.

Now is the time to prepare. Review your governance structures, tighten supplier assurance, and invest in secure-by-design practices before the next update arrives. When regulators act, they will expect evidence that these steps are already in place.

Follow Coalfire’s updates in September. We’ll break down the new changes, what they mean, and how your organization can stay ahead.