Among the twenty controls ASD added to the Information security manual in June 2026, one is a procurement instruction wearing technical clothes.
It did not exist in December 2025. It carries no Essential Eight mapping — not Maturity Level One, Two or Three — so no maturity score you have ever reported to a board has measured whether you comply with it.
And it is not asking whether you can assess yourself. It is asking whether you have been assessed.
The verb ASD used, and the verb it did not
Read the June 2026 release as a whole and one word recurs with unusual insistence.
- GOV-11 — Supplier cyber security assurance (new principle): suppliers must be trustworthy and their cyber security practices regularly independently verified or otherwise risk-assessed.
- ISM-1738 (revised, June 2026): the right to verify a service provider’s compliance is regularly exercised.
- ISM-1966 (revised, June 2026): the CISO maintains and regularly verifies a register of systems.
- ISM-1736 and ISM-1637 (both revised, June 2026): the managed service register and the outsourced cloud service register are maintained and regularly verified.
- ISM-2005 (revised, June 2026): the board understands how systems are protected and how that protection is verified.
Verified. Verified. Verified. Exercised.
The word ASD conspicuously does not use is attest.
What changed between December and June
- December 2025. PRO-03 asked for “trustworthy suppliers.” Full stop. A questionnaire satisfied it.
- June 2026. GOV-11 asks for suppliers whose practices are regularly independently verified — and moves the principle into GOVERN, the function where the board is accountable.
- ISM-1571 still requires the right to verify to be documented in the contract. ISM-1738 now requires it to be exercised. ASD has separated holding the right from using it, and made using it the control.
A clause you have never invoked is not assurance. It is paperwork with a signature on it.
What “independent” excludes
This is where most organisations will quietly fail, and they will fail in good faith.
An assessment is not independent because it was thorough. It is independent because the party performing it has no stake in the answer. Which rules out more than people expect:
- Your own security team. Competent, often excellent — and structurally incapable of being independent of itself.
- Your provider’s completed questionnaire. That is an attestation. GOV-11 asks for verification.
- A certification your provider handed you. Scope is chosen by the certified party. A certificate tells you something was assessed; it does not tell you that your systems, or the parts of them you depend on, were in scope.
- A scan you ran against assets you already knew about. This is the quiet one. A vulnerability assessment bounded by your own asset register cannot discover what your register omits — and the assets most likely to hurt you are precisely the ones nobody recorded.
The spreadsheet ASD gave you, that nobody has filled in
ASD publishes a Cloud controls matrix template alongside the ISM. Open it and you find all 1,101 controls, and two columns that ship completely empty across every row:
- Provider Responsibility
- Consumer Responsibility
That is deliberate. ISM-1569, revised in June 2026, requires a shared responsibility model to be created, documented and shared between provider and consumer. The empty matrix is that model, unfilled. ASD has handed you the instrument and the obligation, and left the work to you.
Ask, in your organisation, who has completed it for your material cloud services. In most, nobody has — which means the boundary between what your provider secures and what you secure has never been written down, and every assumption on either side of it is untested.
Where this lands under Australian obligations
- CPS 230, in force since 1 July 2026, requires entities to manage risks arising from material service providers. GOV-11 tells you what “manage” now means: regularly independently verified. ISM-1738 tells you to exercise the right you already hold.
- CPS 234 requires an entity’s information security controls to be systematically tested and their effectiveness assured by appropriately skilled and independent parties. APRA has asked for this for years. ISM-2118 now puts a frequency on it: annually, and before significant change.
- SOCI responsible entities operate risk-management programs that must withstand scrutiny. “We assessed ourselves and found no issues” is not a program. It is a position.
- ASIC already expects directors to oversee cyber risk across the digital supply chain, reassessed on an ongoing basis. In ASIC v RI Advice Group [2022] FCA 496 the Federal Court declined to prescribe a minimum standard — holding instead that the adequacy of a firm’s cyber risk management is a matter for the Court, informed by expert evidence. The question a director will face is not “did you follow the rule?” It is “would a competent expert call this reasonable?” That question is answered by an expert, and an expert is by definition not you.
Four questions for a board
- When were we last independently assessed — and by someone with no stake in the result? (ISM-2118)
- When did we last exercise our right to verify a material provider, rather than accept their questionnaire? (ISM-1738, GOV-11)
- Has anyone completed the shared responsibility matrix for our material cloud services? (ISM-1569)
- Was our last assessment scoped from our own asset register — and if so, what could it not have found?
The point, stated once
ASD spent its June 2026 release doing one thing repeatedly: replacing assertion with verification. Suppliers must be verified, not trusted. Registers must be verified, not maintained. Protection must be verified, not implemented. And systems must be assessed — independently, before deployment, before significant change, and every year after.
None of it appears in an Essential Eight maturity score, because none of these controls carries an Essential Eight mapping. Which means an organisation can report ML2 to its board, in complete good faith, while having never once been looked at by anyone outside its own walls.
That is the gap. It closes exactly one way.
Sources & references
- ASD — Information security manual, June 2026 (ISM-2118, GOV-11, GOV-12, ISM-1569, ISM-1571, ISM-1637, ISM-1736, ISM-1738, ISM-1966, ISM-2005, IDE-01)
- ASD — Cloud controls matrix template (June 2026). The Provider Responsibility and Consumer Responsibility columns ship empty across all 1,101 controls.
- ASD — System security plan annex template (December 2025) and (June 2026). Comparison of the two releases is the source for all “new” and “revised” claims in this article.
- APRA — Prudential Standard CPS 230 Operational Risk Management (in force 1 July 2026)
- Gilbert + Tobin — ASIC v RI Advice Group Pty Ltd [2022] FCA 496: no prescriptive standard; adequacy determined by the Court on expert evidence
- ASIC — Cyber risk: Be prepared; oversight across the digital supply chain