ASD Just Made Your External Exposure a Board Obligation.
The ISM doubled its Govern function in six months. The Essential Eight measures none of it.

Your systems, your suppliers, your people — all three moved into board accountability in June 2026. None of it can be evidenced from inside your network, and not one carries an Essential Eight mapping. Here is the diff.

Assess Your Exposure →

ASD publishes the Information security manual as a PDF, which is how almost everyone reads it. It also publishes the same content as a spreadsheet — every principle, every control, with revision numbers and Essential Eight mappings.

Download the December 2025 spreadsheet. Download the June 2026 spreadsheet. Compare them.

What ASD did in six months is not a routine update. It is a restructure — and it created an accountability your board cannot currently measure.

Part One: the Govern function doubled

The ISM sorts its cyber security principles into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Between the two releases the total rose from 34 principles to 49.

What ASD added to the GOVERN function — where the board is accountable

  • GOV-10 — System exposure minimisation. What your systems publicly disclose. Created from nothing.
  • GOV-11 — Supplier cyber security assurance. Promoted out of PROTECT (was PRO-03), upgraded to require practices be regularly independently verified.
  • GOV-12 — Personnel suitability assurance. Promoted out of PROTECT (was PRO-11), upgraded to require ongoing assurance.
  • GOV-08 — Executive artificial intelligence accountability. The board is accountable for AI being secure, controllable and human-supervised.
  • GOV-09 — Security risk management responsibilities. Including shared responsibilities with suppliers, partners and customers.
  • GOV-13 — Cyber security and safety. Controls must not compromise human, physical or environmental safety.
  • GOV-14 — Legacy system management. End-of-life systems require compensating controls and enhanced assurance.

Seven additions. Every other function in the ISM gained one or two. And two of the seven were taken out of PROTECT — where engineers work — and moved into the function where the board carries the accountability.

Every other function gained one or two. Govern gained seven. And the ISM is unambiguous about what the Govern function is for. Its first principle, GOV-01, reads: the board of directors or executive committee is accountable for cyber security.

So the question worth asking is what ASD moved into the function where the board carries the accountability. Three of the seven answers should stop you.

It invented a principle about what you publicly disclose

GOV-10 — System exposure minimisation [created from nothing] Information about the design, configuration and operation of systems is not publicly disclosed or shared externally unless necessary for commercial, legal, regulatory or security purposes, with any disclosure minimised, controlled and logged.

There is no equivalent in December 2025. Nothing was renamed or renumbered into it. It did not exist, and now it does.

Read the verbs. Disclosure must be minimised, controlled and logged. Each presupposes you know what you are currently disclosing — and none of it is visible from inside your network. A subdomain nobody decommissioned. An error page returning a framework version. A certificate transparency entry. A contractor’s public repository. A job advertisement naming your firewall vendor.

It promoted your suppliers out of Protect and into Govern

December 2025 had a Protect principle, PRO-03 — Trustworthy suppliers: “Systems are delivered and supported by trustworthy suppliers.” That principle is gone from June 2026. It was not deleted. It reappears in Govern, rewritten:

GOV-11 — Supplier cyber security assurance [promoted from PRO-03] Systems are delivered and supported by trustworthy suppliers whose cyber security practices are regularly independently verified or otherwise risk-assessed.

Note what was added. December asked for trustworthy suppliers and stopped. June asks that their practices be regularly and independently verified. Self-attestation was sufficient in December. It is not sufficient now.

The controls moved with it. ISM-1571 requires the right to verify a provider’s compliance to be documented in the contract. ISM-1738, revised in June 2026, requires that right to be regularly exercised. A clause you have never invoked is not assurance. It is paperwork.

It promoted your people out of Protect and into Govern

December had PRO-11 — Personnel vetting: “Only trustworthy personnel are granted access to systems.” Also gone from Protect. Also reappearing in Govern. Also upgraded:

GOV-12 — Personnel suitability assurance [promoted from PRO-11] Only personnel whose suitability and trustworthiness have been established, and are subject to ongoing assurance, are granted access to systems.

December was a gate: vet them once, let them in. June is a state: suitability must be established and then continuously assured.

And ASD said precisely what it meant by that, because it added four brand-new controls in the same release. ISM-2104, 2105, 2106 and 2107 direct organisations to advise personnel not to post information about their security clearances and briefings; to limit posting their work-related duties; to limit posting their skills and experience; and to use privacy settings on what they publish.

That is LinkedIn. It is conference bios, GitHub profiles, and the recruitment advertisement that lists your internal stack. The public professional footprint of your staff is now something your board is accountable for.

Read the three together

What moved into board accountability, in one release

  • GOV-10 — what your systems disclose. Created from nothing.
  • GOV-11 — what your suppliers do, now requiring independent verification. Promoted from Protect.
  • GOV-12 — what your people publish, now requiring ongoing assurance. Promoted from Protect.

Systems, suppliers, people. That is not three unrelated governance concerns. It is a complete description of an organisation’s external exposure surface — the three channels through which information about you reaches the world outside your perimeter.

In December they were engineering problems, sitting in Protect alongside patching and network segmentation. In June they are governance problems, sitting where the board is accountable, each carrying a new demand for verification or assurance.

Not one of them can be satisfied from inside the network.

Part Two: the instrument your board is shown cannot see any of it

Now the turn, and it is the reason this matters rather than merely being interesting.

The same ASD spreadsheet marks, for every control, whether it maps to Essential Eight Maturity Level One, Two or Three. Count those rows.

1,101
Controls in the ISM
June 2026
126
Measured by the Essential Eight
11% — what your board is shown
975
Measured by nothing
89% — including GOV-10, 11 and 12

Your board is briefed on Essential Eight maturity. Your insurer asks for it. Your tender responses cite it. Across the Australian market, “we have achieved Maturity Level Two” is the sentence treated as settling the question.

It settles eleven per cent of it.

Be precise about what this does and does not mean

The Essential Eight was never designed to be comprehensive, and ASD has never pretended otherwise. It is eight prioritised mitigation strategies — a baseline, deliberately narrow, chosen because they stop the most common intrusions for the least effort. Judged as a baseline, it works.

The problem is not the Essential Eight. The problem is what the market did with it.

The substitution A baseline became a scorecard. Insurers ask for it, procurement demands it, boards are briefed on it — and because it is the only number anyone reports, ML2 has quietly come to mean done, rather than what it actually means: we have implemented the eight things ASD said to do first.

And ASD has stopped adding to it

  • 29 controls have been added to the ISM since December 2025 — nine in March, twenty in June.
  • Of the twenty added in June 2026, not one maps to Maturity Level One, Two or Three.

One hundred per cent of ASD’s latest control development landed outside the Essential Eight.

The collision

Put the two halves together and the shape of the problem appears.

The gap, stated once Your board has just been made accountable for what your systems disclose, what your suppliers can be independently verified to do, and what your people publish. And the only instrument it is shown — Essential Eight maturity — measures none of the three. Not one of those controls carries an Essential Eight mapping. Not GOV-10. Not GOV-11. Not GOV-12. Not ISM-1738. Not ISM-2104 through 2107.

This is not a theoretical gap. It is a lookup in ASD’s own file. The Essential Eight tells you to patch (ISM-1877, mapped to ML1, ML2 and ML3) and to scan for missing patches (ISM-1698, mapped to all three). It has nothing whatever to say about:

  • whether your credentials are already public (ISM-1875 — no mapping)
  • whether secrets are being blocked at commit (ISM-2030 — no mapping)
  • whether you have ever exercised your right to verify a provider (ISM-1738 — no mapping)
  • whether you have assessed the likelihood you are already compromised (ISM-1921 — no mapping)
  • whether anyone has independently assessed you at all (ISM-2118, new in June — no mapping)
  • whether your board understands who might seek access and how protection is verified (ISM-2005, revised in June — no mapping)

An organisation reporting ML2 to its board is reporting, accurately and in good faith, on the one part of the manual that does not contain any of the things it has just been made accountable for.

And the Essentials series will not rescue it

On 24 June 2026 ASD confirmed the Essential Eight will be retired and replaced by the Essentials series — grounded in the ISM, with consultation on the first chapter closing on 12 July.

So the sequence is complete. The Essential Eight — the eleven per cent — is being wound down. The ISM — the hundred per cent — is where every new control is going. The successor framework is being built on the latter. And the three principles that now sit in board accountability are principles the Essential Eight was never built to measure and never will be.

Method Every figure in this article is derived by comparing two files published by ASD: the System security plan annex template (December 2025) and the System security plan annex template (June 2026). Both list every principle and control, with revision numbers and Essential Eight mappings. The comparison is reproducible by anyone who downloads them.

A note on the ISM’s status: the ISM states plainly that an organisation is not required as a matter of law to comply with it unless legislation, or a direction under legislation or other lawful authority, compels them to. It is advice, not statute. But it is the advice ASD gives, the foundation the Essentials series is being built on, and the document an IRAP assessor works from.
Check our arithmetic — free, no form Every figure in this article comes from two spreadsheets ASD publishes publicly. We have put the full control-level comparison online, ungated, so you can verify it yourself.

Download the ASD ISM Update →

Where this lands under Australian obligations

  • CPS 230, in force since 1 July 2026, requires entities to manage risks arising from material service providers. GOV-11 now says what “manage” means: regularly independently verified. ISM-1738 says exercise the right, not merely hold it.
  • CPS 234 requires information assets classified by criticality, with controls commensurate with the threat. GOV-10 adds the question classification never asked: what have we already told the world about them?
  • SOCI responsible entities run risk-management programs premised on knowing what they operate — and the Identify function gained IDE-05, asset interdependencies, in the same release.
  • ASIC already expects directors to reassess cyber risk on an ongoing basis, using threat intelligence and vulnerability identification, with oversight across the digital supply chain. GOV-10, GOV-11 and GOV-12 are that expectation, made explicit.
  • PSPF-bound entities operate against the ISM directly. These principles apply now, not in two years.

Three questions with no Essential Eight answer

  • What do we publicly disclose about our systems — and who has measured it? (GOV-10)
  • When did we last independently verify a material supplier, rather than accept their attestation? (GOV-11, ISM-1738)
  • What do our people publish about their duties, their skills and their clearances — and what is our ongoing assurance over it? (GOV-12, ISM-2104–2107)

Six months ago, none of those were board questions. They are now. And whatever your Essential Eight maturity score says, it does not answer a single one of them — because it was never built to, and ASD is no longer building it.

The measurement your board needs sits entirely outside the number your board is shown. Every one of these questions is answered the same way: from outside the organisation, looking in.

Sources & references

Three Questions Your Board
Cannot Currently Answer.

A BlackFlag Advisory assessment measures what your organisation, its providers and its people disclose to the open internet — the three surfaces ASD just made your Board accountable for, and the Essential Eight has never measured.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.