March 2025 ISM Updates: Compelling Boards and Executives in Cyber

In March 2025, the Australian Government's Information Security Manual (ISM) underwent significant updates, emphasising the critical role of boards and executives in cybersecurity governance. As cyber threats continue to evolve, it's more important than ever for leadership to take an active role in protecting their organisations. 

Insicon has long advocated for the pivotal role of Boards and Executives in cybersecurity, and we are pleased to see this renewed emphasis.

Key ISM Updates for Boards and Executives

Embedding Cybersecurity

The ISM now requires boards to define cybersecurity roles, integrate security across business functions, and align cybersecurity strategy with overall business objectives [ISM-1997] [ISM-1998]. Regular briefings on the organisation's cybersecurity posture are also mandated [ISM-1999] [ISM-2000].

Championing Cybersecurity Culture

Boards are now expected to actively promote a positive cybersecurity culture throughout the organisation [ISM-2001].

Building Cybersecurity Expertise

The ISM emphasises the importance of maintaining cybersecurity literacy among board members, awareness of recruitment challenges, and support for ongoing cybersecurity training [ISM-2002] [ISM-2003] [ISM-2004].

Critical Asset Management and Incident Planning

New controls require boards to understand critical business assets from a cybersecurity perspective and plan for major cybersecurity incidents [ISM-2005] [ISM-2006].

How Insicon Can Help

At Insicon, we offer a range of services designed to help boards and executives meet these new ISM requirements and enhance their cybersecurity capabilities:

Board Cyber Advisory Service

Our Board Cyber Advisory Service empowers directors with the knowledge and resources needed to effectively prepare for and govern through cyber crises. We provide:

  • Scenario planning and readiness assessments
  • Cybersecurity awareness training
  • Crisis management support throughout all phases: response, recovery, and remediation

CISO-as-a-Service (CISOaaS)

Our CISOaaS offering provides executive-level strategic guidance for cybersecurity. We:

  • Assess your security posture and identify improvement areas
  • Develop tailored security roadmaps
  • Advise on security investments and resource allocation

Cybersecurity Risk Assessment

Our comprehensive cybersecurity risk assessments help you:

  • Increase visibility and establish a benchmark
  • Identify potential threats and vulnerabilities
  • Assess the likelihood and impact of identified risks
  • Develop a tailored action plan for risk mitigation

Governance, Risk, and Compliance Advisory

We educate board members and executive leaders on their obligations regarding governance, compliance, and risk management strategy in relation to their cyber posture and liabilities.

ISO 27001 Certification Support

We assist in achieving ISO 27001 certification, demonstrating your commitment to a robust information security management system.

Essential Eight (E8) Support

We assist Australian businesses to achieve and maintain compliance with the Essential Eight (E8) and the Maturity Model (E8MM).

Managed Security Services

We offer a full range of managed security services designed to help organisations strengthen their cyber resilience, all while keeping their focus on what they do best.

By partnering with Insicon, you gain access to seasoned cyber leaders who can help you navigate the complexities of the new ISM requirements. Our tailored approach ensures that your organisation not only complies with the latest standards but also builds a resilient cybersecurity posture aligned with your business objectives.

Don't let the evolving cybersecurity landscape catch you off guard. Contact Insicon today to learn how we can help your board and executives meet the new ISM requirements and strengthen your organisation's cyber defences.
