ACSC ISM December 2025 Release - What Changes Should I Care About?
A breakdown of the ACSC ISM December 2025 changes, including new and updated controls, emerging AI requirements, and alignment with modern authentication guidance.
Written by: Nathan Su
18 December 2025
ACSC ISM December 2025 Release – What Changed and Why It Matters
In Australia, December is a special month for IRAP assessors.
As you’ve probably seen from your LinkedIn feed, there is a new release of the Australian Signals Directorate’s Information Security Manual (ISM).
The December 2025 release compared to the September 2025 release:
| Change | Count |
|---|---|
| New Controls | 21 |
| Updated Controls | 77 |
| No Change | 975 |
| Total | 1073 |
While the majority of controls remain unchanged, the number of updated controls means most systems will need to review at least part of their existing control implementations and System Security Plans (SSPs).
For readers who wish to review the official source material, the ACSC change log for this release is available here:
Below is our analysis of the most significant changes from an IRAP assessment perspective.
Artificial Intelligence Application Development
The December 2025 ISM introduces a new section focused on Artificial Intelligence (AI) application development.
This reflects ACSC’s view that AI-enabled systems introduce risks that are not fully addressed by traditional application security guidance. Notably, the ISM has removed the previous reference to the OWASP Top 10 for Large Language Model Applications, replacing it with more explicit and prescriptive requirements.
These controls apply to systems that develop, train, fine-tune, or integrate with artificial intelligence models, including systems that consume external AI services. Organisations embedding AI capabilities into existing platforms should carefully assess whether these new requirements introduce additional scope or assurance obligations.
From an assurance perspective, this change places greater emphasis on understanding AI system architecture, data flows, and model integration points during security design and assessment activities.
Cryptography
The ISM now recommends maintaining a cryptographic bill of materials (CBOM).
This change aligns with broader government and industry discussions about transitioning to **post-quantum cryptography**. A CBOM provides a structured catalogue of cryptographic algorithms, libraries, and implementations in use, enabling organisations to identify cryptographic components that are likely to be impacted by advances in quantum computing and to plan remediation accordingly.
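To make the CBOM idea concrete, here is an added example (not code from this article, from ASD/ACSC or from any product) that builds a minimal CBOM from a constructed inventory and flags each cryptographic asset for post-quantum planning; the record layout and the status labels are assumptions of this example, not the CycloneDX CBOM schema.

```python
# Added example: minimal CBOM builder for post-quantum planning. Not code from
# the article or ASD/ACSC; the record layout is a simplified assumption, not the
# CycloneDX CBOM schema, and the inventory below is constructed sample data.
from dataclasses import dataclass
# Public-key primitives whose security rests on factoring or discrete logarithms,
# which Shor's algorithm breaks on a sufficiently large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "Ed25519", "X25519"}
# Symmetric and hash primitives: Grover's algorithm roughly halves effective
# strength, so sizes below 256 bits warrant review rather than replacement.
SYMMETRIC = {"AES", "ChaCha20", "HMAC", "SHA-256", "SHA-384", "SHA-512"}

@dataclass
class CryptoAsset:
    component: str   # where the primitive is used, e.g. "TLS listener"
    algorithm: str   # primitive family name
    key_bits: int    # key or output size in bits
    library: str     # implementing library and version
    purpose: str     # key-exchange, signature, encryption, hashing, integrity

def classify(asset: CryptoAsset) -> str:
    """Return 'replace', 'review' or 'ok' for post-quantum migration planning."""
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "replace"
    if asset.algorithm in SYMMETRIC:
        return "ok" if asset.key_bits >= 256 else "review"
    return "review"  # unknown primitive: investigate before deciding

def build_cbom(assets):
    """Produce CBOM entries plus a count of assets per migration status."""
    entries = [{"component": a.component, "algorithm": a.algorithm,
                "key_bits": a.key_bits, "library": a.library,
                "purpose": a.purpose, "pq_status": classify(a)} for a in assets]
    summary = {}
    for e in entries:
        summary[e["pq_status"]] = summary.get(e["pq_status"], 0) + 1
    return {"cbom": entries, "summary": summary}

# Constructed sample inventory for a typical internet-facing web service.
SAMPLE_ASSETS = [
    CryptoAsset("TLS listener", "ECDH", 256, "OpenSSL 3.x", "key-exchange"),
    CryptoAsset("TLS certificate", "RSA", 2048, "OpenSSL 3.x", "signature"),
    CryptoAsset("TLS record layer", "AES", 256, "OpenSSL 3.x", "encryption"),
    CryptoAsset("Session tokens", "HMAC", 256, "Python hmac", "integrity"),
    CryptoAsset("Backups at rest", "AES", 128, "libsodium", "encryption"),
    CryptoAsset("Release signing", "Ed25519", 256, "minisign", "signature"),
]

if __name__ == "__main__":
    for entry in build_cbom(SAMPLE_ASSETS)["cbom"]:
        print(f'{entry["pq_status"]:8} {entry["component"]}: {entry["algorithm"]}-{entry["key_bits"]}')
```

Running the script lists every asset with its status, so the three "replace" entries (the TLS key exchange, the RSA certificate and the Ed25519 signing key) are the ones a migration plan should schedule first.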
Authentication and Password Management
Several new controls have been introduced in the authentication domain, along with updates to existing requirements.
Many of these changes relate to the design and configuration of identity provider systems, including:
- Supported password length (accepting passwords of at least 64 characters)
- Supported character sets (e.g. ASCII support)
- No use of security questions for authentication purposes
If you are using commercial-off-the-shelf (COTS) identity solutions, it is important to confirm whether these requirements are configurable and enabled. For organisations designing or building identity platforms, these controls should be incorporated into system requirements, security architecture documentation, and threat models.
Password expiry and complexity
The ISM has aligned more closely with NIST SP 800-63B-4 by removing mandatory password change frequencies and prescriptive complexity requirements.
This change reflects NIST’s conclusion that forced password rotation and overly complex rules often result in weaker passwords in practice. Instead, the ISM places greater emphasis on compensating controls such as:
- Phishing-resistant multi-factor authentication (MFA)
- The use of passphrases
- Mandatory password changes following suspected compromise
For many organisations, this will reduce operational burden while improving overall authentication security, so long as appropriate compensating controls are implemented.
Looking to adopt these changes?
Keeping your System Security Plan aligned with the latest ISM release can be time-consuming, particularly when controls are updated rather than newly introduced.
With our platform Navi, you can update your SSP from any prior ISM version to the December 2025 release, with clear visibility of what has changed and why.
If you prefer a more guided approach, our team of IRAP assessors and consultants can assist with impact analysis, SSP updates, and readiness activities.