The full cybersecurity reference for 2026 — framework landscape, ISO 27001 dual-lens, the Australian regulatory layer in depth, dedicated frontier tabs (AI security, zero trust, post-quantum, supply chain), incident-response playbooks, and the cyber-resilience chain from attack to recovery.
2026's headline number looks reassuring — global breach costs fell for the first time in five years. It isn't. The decline is AI-assisted containment showing up in the ledger, not a signal that attackers slowed down. Vulnerability exploitation has just overtaken credential abuse as the #1 initial access vector for the first time in nineteen years, and Australia logs a cybercrime report every six minutes. Read the full picture before reading the headline number.
20th edition, 600 organisations. Global avg fell to US$4.44m — AI-assisted containment credited. US hit a record US$10.22m (regulatory fines, slower detection). Healthcare stayed costliest at US$7.42m for the 15th straight year. Supply-chain compromise averaged US$4.91m and was slowest to resolve (267 days). PII was present in 53% of breaches.
22,052 incidents / 12,195 confirmed breaches analysed. Credential abuse (22%) and vulnerability exploitation (20%, +34% YoY) led initial access. Ransomware appeared in 44% of breaches (+37% YoY), though 64% of victims refused to pay — up from roughly half the year prior.
Vulnerability exploitation overtook credential abuse as the #1 initial access vector — the first time in nineteen years of the DBIR series. Third-party involvement rose a further ~60% to near half of all breaches, and only around 26% of Known Exploited Vulnerabilities were fully remediated.
Sophos State of Ransomware 2025: median demand fell to ~US$1.32m (−34%); median payment ~US$1m (−50%); average recovery cost excluding ransom fell from US$2.73m to US$1.53m (−44%); encryption occurred in only 49% of attacks, down from 66% — pure data-theft extortion is rising.
84,700+ reports lodged (one every ~6 minutes); 1,200+ incidents responded to (+11%). Average cost per report A$80,850 (+50%); large business average A$202,700 (+219%). DoS/DDoS reports rose 280%. Critical infrastructure made up ~11-13% of incidents. 138 ransomware incidents recorded — 39% detected by ACSC itself, not the victim.
The 9% global cost drop is not a signal to cut spend — it reflects AI-assisted detection maturity, and the single biggest cost lever remains faster detection and containment. Record-low payment rates show backup maturity is working; attackers are responding with volume, mid-market targeting, and pure data-theft extortion that backups alone cannot neutralise.
Vulnerability exploitation overtaking credentials means edge devices and VPNs — and patch latency — now dominate initial access. Calendar-based patching is inadequate for internet-facing assets where time-to-exploit approaches zero for critical edge CVEs. Rebuild the patch SLA around exposure, not a monthly cycle.
Every organisation of any size is now expected to answer to several cybersecurity frameworks at once — certifiable, voluntary, and regulatory. The practitioner move is not to pick one and ignore the rest; it is to map controls once against a single control set and report against many frameworks from that single source of truth.
| Framework | Type | Structure | When it matters |
|---|---|---|---|
| ISO/IEC 27001:2022 | Certifiable ISMS | Clauses 4-10 + Annex A, 93 controls across 4 themes | The certifiable spine — enterprise and procurement signal |
| NIST CSF 2.0(26 Feb 2024) | Voluntary coordination layer | 6 functions (GOVERN new + Identify, Protect, Detect, Respond, Recover), 22 categories, 106 subcategories, 4 tiers (Partial → Adaptive), Current/Target Profiles | Board-level structure; maps cleanly onto 27001 / 800-53 / CIS |
| Essential Eight(ASD/ACSC) | Australian baseline | 8 strategies × maturity levels 0-3 | ML2 mandatory for non-corporate Commonwealth entities under PSPF; the ISM sits behind it with 741+ controls |
| CIS Controls v8.1 | Prescriptive baseline | 18 controls, Implementation Groups IG1 → IG3 | Practical hygiene sequencing |
| SOC 2(AICPA TSC) | Attestation | Type I design / Type II operating effectiveness | US-market SaaS sales; annual re-attestation vs ISO's 3-year cycle |
| APRA CPS 234 + CPS 230 | Regulatory — AU financial services | Information security capability (234) + operational resilience (230, live 1 Jul 2025) | Mandatory for APRA-regulated entities |
| SOCI Act | Regulatory — AU critical infrastructure | CIRMP, Enhanced Cyber Security Obligations, Systems of National Significance | Mandatory across 11 critical infrastructure sectors |
| Cyber Security Act 2024 | Regulatory — AU economy-wide | Ransomware payment reporting, smart-device standards, Cyber Incident Review Board | Applies broadly — see Tab 05 |
| International brief | Regulatory — multi-jurisdiction | EU NIS2 (transposed 2024-25) · DORA (financial, Jan 2025) · UK Cyber Essentials · US SEC disclosure | Material incident disclosure to the SEC within ≤4 business days for US-listed entities |
Essential Eight maturity is assessed uniformly — an organisation cannot claim Maturity Level 2 on seven strategies while sitting at Level 0 on the eighth. All eight strategies must be raised together before advancing a maturity level as a whole.
Map controls once, report against many. Use NIST CSF 2.0 as the coordination layer sitting over a 27001 ISMS, with Essential Eight as the Australian baseline floor underneath it — one control set, four reporting views, and no duplicated evidence-gathering effort.
This tab is written for the board and the executive sponsor — the transition cliff, the economics, the liability picture, and the insurance market. For clause-by-clause and Annex A control detail, see Tab 04, ISO 27001 Implementer Lens, which is kept strictly separate.
Every ISO 27001:2013 certificate expired 31 October 2025. Organisations that didn't transition now face a full initial audit — not the cheaper transition or surveillance audit — to get certified. New certificates have only been issued against the 2022 standard since 30 April 2024.
Two audit stages: Stage 1 (documentation review) and Stage 2 (operating effectiveness). Annual surveillance audits in years 1-2 typically cost one-third to one-half of the initial audit; year-3 recertification is priced close to the initial audit. Audit day rates run roughly US$1,500-2,200 (UK £1,000-1,500), with audit days set by the ISO/IEC 27006 tables based on headcount and complexity.
ISO 27001 shares the Annex SL high-level structure with ISO 42001 (AI management), 27701 (privacy), 9001, and 22301 (business continuity) — enabling combined audits and shared evidence. Supporting standards worth budgeting for: 27002 (implementation guidance), 27005 (risk), 27017 (cloud), 27018 (PII in the cloud), 27035 (incident management).
SEC v SolarWinds / Tim Brown was largely dismissed 18 July 2024 and fully dismissed with prejudice 20 November 2025 — genuine relief for CISOs personally. But SEC disclosure rules and the Cyber and Emerging Technologies Unit (established February 2025) remain fully in force. Action: secure explicit D&O coverage for CISOs — standard cyber-liability policies typically do not cover enforcement or shareholder actions.
Market size: US$15.3b (2024, Munich Re) → ~US$16b (2025) → projected US$23b+ (2026). Premiums softened ~6% in 2025 (−22% from the 2022 peak), but S&P Global and WTW both project 15-20% increases into 2026. Over 40% of claims see no or partial payout — the #1 denial reason is failure to maintain stated controls, especially MFA. War and nation-state exclusions appear in ~16% of denials and are tightening post-NotPetya (Lloyd's). The CrowdStrike outage crystallised systemic/accumulation risk for insurers.
Translate technical risk into board language using FAIR (Factor Analysis of Information Risk) quantification, mapped explicitly to NIST CSF 2.0's GOVERN function outcomes — dollarised exposure the board can weigh against other enterprise risks.
Insurance is now a control-evidence game — insurers deny claims on absent MFA and unmaintained controls, not fine print. Treat documented control evidence (not attestation) as the gating renewal deliverable, especially heading into a year where premiums may re-rate 15-20%.
This tab is written for the implementer — clause detail, Annex A control structure, the 2022 delta, and the operational decisions (SOC model, metrics, testing ladder, tooling) that turn a certificate into a working control environment. For board and liability framing, see Tab 03, kept strictly separate from this tab.
| Theme | Control count | Coverage |
|---|---|---|
| A.5 Organisational | 37 | Policies, roles, supplier and cloud relationships, threat intelligence, incident management, business continuity readiness |
| A.6 People | 8 | Screening, terms of employment, awareness/training, disciplinary process, remote working, confidentiality |
| A.7 Physical | 14 | Secure areas, equipment, physical security monitoring, clear desk/clear screen |
| A.8 Technological | 34 | Access control, cryptography, configuration management, data leakage prevention, secure coding, monitoring |
The Statement of Applicability (Clause 6.1.3) and risk treatment plan (Clause 8.3) are the pivotal audit documents for 2022 conformance. Build the evidence trail first; write the SoA to match what the evidence shows, not the reverse.
Decide between in-house SOC, fully outsourced MSSP, or hybrid MDR based on scale, available talent, and genuine 24/7 coverage need — not on which model looks cheapest on a slide.
MTTD, MTTR, patch latency, phishing simulation click/report rates, and vulnerability-management SLAs — track these as the operating heartbeat of the ISMS, not as year-end reporting artefacts.
Penetration test (point-in-time) → red team (adversary emulation) → purple team (collaborative detection tuning). Each rung answers a different question; run the ladder in sequence, not just the cheapest rung repeatedly.
SIEM, SOAR, EDR/XDR, CNAPP, IAM — consolidate toward integrated platforms rather than point-solution sprawl. Alert fatigue and licence sprawl are both, in practice, control failures: a control nobody can afford to watch is not an operating control.
The SoA and risk treatment plan are not paperwork — they are the pivotal audit documents for 2022 conformance. Auditors probe the gap between what the SoA claims and what the evidence trail actually shows. Build the evidence first; write the SoA to match it.
This is the differentiator tab. Australia's cyber regulatory stack hardened dramatically through 2025-26 — mandatory ransomware payment reporting, APRA CPS 230 going live, and the first-ever Federal Court civil penalty for cyber failures. Multiple regulators, multiple clocks, and for many organisations, multiple simultaneous notification obligations from a single incident.
| Obligation | Trigger | Deadline | Regulator | Penalty |
|---|---|---|---|---|
| Ransomware payment report | Payment made — or awareness made on your behalf, including by an insurer | 72 hours | ASD | Up to 60 penalty units (~A$19,800) |
| Material operational-risk incident | Occurrence | ASAP, ≤72 hours | APRA (CPS 230 para 33) | Supervisory action |
| Disruption outside tolerance | Critical operation tolerance breach | ASAP, ≤24 hours | APRA (CPS 230 para 42) | Supervisory action |
| Eligible data breach | Suspicion → assessment | 30-day maximum assessment; notify ASAP once confirmed | OAIC | Civil penalties (s 13G) |
| SOCI incident reporting | Critical or significant impact | 12 hours (critical) / 72 hours (other) | CISC / ASD | Civil penalties |
| SEC disclosure(if US-listed) | Material incident | 4 business days | SEC | Enforcement action |
Royal Assent 29 November 2024; reporting obligations live from 30 May 2025. Applies to entities with turnover above A$3m plus all SOCI responsible entities. There is no minimum payment threshold, and both monetary and non-monetary benefits are reportable.
Live since 1 July 2025. Requires critical operations to be identified, tolerance levels set, and a credible business continuity plan tested annually against severe-but-plausible scenarios.
As amended by the Enhanced Response and Prevention Act 2024. CIRMP obligations in force from 18 August 2024, with 2024-25 as the first reporting period.
The 30-day assessment window is a ceiling, not a target — aim to move faster. The trigger is a "likely serious harm" threshold.
Established that cyber risk sits within s 912A AFS licensee obligations. Justice Rofe held that cybersecurity risk "is a significant risk connected with the conduct of the business" that can be "materially reduce[d] … to an acceptable level." No penalty was imposed, but A$750k in costs and a remediation order followed.
Justice Derrington, 9 February 2026 — the first-ever Federal Court civil penalty for cyber security failures: A$2.5m plus A$500k costs under s 912A(1)(a),(d),(h). The underlying incident was a May 2023 ransomware attack that exfiltrated ~385GB affecting ~18,000 clients. Failures found: no MFA, poor passwords, misconfigured firewalls, unpatched software, no staff training. The maximum available penalty was ~A$41.25m; adequate controls would have cost an estimated ~A$1.2m. ASIC Deputy Chair Sarah Court: "This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations."
An APRA-regulated SOCI entity hit by ransomware involving PII may simultaneously owe: CPS 234/230 notification to APRA, SOCI incident reporting to CISC, a payment report to ASD, and an NDB assessment to OAIC. Four different triggers, four different clocks. Build the pre-agreed reporting matrix before an incident — not during one.
FIIG changes the board conversation: the controls that would have prevented a A$3m-plus penalty cost an estimated A$1.2m. Cyber underinvestment is now a quantifiable directors' duty exposure in Australia — not a hypothetical.
A companion to the ISO AI Governance wiki (ISO/IEC 42001; forthcoming 27090/27091). Where that wiki covers governance of AI as a management system, this tab covers the security-specific attack surface: offensive AI in the hands of adversaries, defensive AI inside the SOC, and the shadow AI risk sitting between the two.
Deepfake fraud, AI-generated phishing at scale, and automated vulnerability discovery. IBM found attackers used AI in 16% of breaches — 37% for AI-generated phishing content, 35% for deepfake impersonation.
SOC automation and AI-assisted detection and triage are the driver behind the 2025 global breach-cost decline — extensive automation saved an average of ~US$1.9m per breach.
Present in 20% of breaches, adding ~US$670k in cost. 97% of AI-related breaches lacked AI access controls; 63% had no AI governance policy at all. Govern explicitly — an approved list and active channelling, not an outright ban.
| Code | Risk | Nature of the risk |
|---|---|---|
| LLM01 | Prompt Injection | Top-ranked risk — direct and indirect manipulation of model instructions via crafted input |
| LLM02 | Sensitive Information Disclosure | Model reveals confidential data present in training or context |
| LLM03 | Supply Chain | Compromised models, datasets, plugins, or fine-tuning pipelines |
| LLM04 | Data & Model Poisoning | Malicious manipulation of training or fine-tuning data |
| LLM05 | Improper Output Handling | Downstream systems trust LLM output without validation |
| LLM06 | Excessive Agency | Model granted more autonomy, permissions, or tool access than the task requires |
| LLM07 | System Prompt Leakage | Disclosure of system instructions intended to remain hidden |
| LLM08 | Vector & Embedding Weaknesses | Manipulation or leakage via RAG vector stores and embeddings |
| LLM09 | Misinformation | Confident, plausible, but false outputs presented as fact |
| LLM10 | Unbounded Consumption | Uncontrolled resource/cost consumption via excessive inference requests |
Published November 2025 — 16 tactics, 84 techniques covering adversary TTPs against AI systems, including prompt injection and jailbreaks. Use it for structured AI threat modelling, the same way ATT&CK is used for enterprise IT.
The OWASP Agentic Security Initiative's Top 10 for Agentic Applications (December 2025) covers agent memory, tool integration, identity/permissions, and multi-agent risks. Anthropic's Opus 4.5 system card notes that indirect prompt-injection success rises with attempt count — agentic systems materially expand the attack surface versus single-turn chat.
ISO/IEC 42001 (AIMS) is the management plane. ISO 27090 (AI security, FDIS expected June 2026, publication H2 2026) and ISO 27091 (AI privacy, late 2026/2027) are the forthcoming control-level depth beneath it — confirm publication status before citing either as final.
Shadow AI and AI governance policy gaps compound each other — 20% of breaches now involve shadow AI, and 63% of AI-related breaches occurred with no AI governance policy at all. Treat AI access control and an approved-tool list as day-one, Essential-Eight-equivalent hygiene, not a future-state governance nicety.
"Never trust, always verify." With edge-device and VPN exploitation now the #1 initial access vector, zero trust has moved from architectural aspiration to the practical answer for perimeter-less risk.
The architecture reference — Policy Decision Point, Policy Enforcement Point, and Policy Information Point components, built around 7 tenets and the "never trust, always verify" principle.
Each pillar progresses independently through 4 stages — Traditional → Initial → Advanced → Optimal — meaning an organisation can be Advanced on Identity while still Traditional on Data. Sequence investment by risk reduction per dollar, not by uniform maturity across pillars.
Start with the Identity pillar — phishing-resistant MFA (passkeys) plus conditional access delivers the largest risk reduction per dollar, and it's the control insurers now require as a coverage condition.
Harvest-now-decrypt-later means data encrypted today with traditional asymmetric cryptography is already at risk if it needs to stay confidential for a decade or more. Australia's timeline is five years ahead of the US — for Australian organisations, this is a live multi-year programme, not a 2035 problem.
Encrypted data stored today can be decrypted once a cryptographically relevant quantum computer exists — most experts estimate mid-2030s or later. Prioritise data with confidentiality needs beyond 10 years for migration now, not on the eventual deadline.
CNSA 2.0 (NSA): PQC signing from 2025; stop RSA/ECDH key establishment 2030; stop RSA/ECDSA signatures 2033; National Security Systems fully PQC by 2035. NIST IR 8547: deprecate RSA/ECC after 2030, disallow after 2035.
ASD's Information Security Manual requires cessation of RSA, DH, ECDH, and ECDSA by end 2030 — five years ahead of the NIST/NSA 2035 timeline — and phases out SHA-224/256 by 2030 as well. ISM-1917 requires new crypto equipment, applications, and libraries to support ML-DSA-87, ML-KEM-1024, SHA-384/512, and AES-256 by 2030. ISM-2073 requires a documented PQC transition plan.
Still early — crypto-agility is the strategic objective, not a completed migration. OpenSSL 3.4+ and liboqs already support the new algorithms, giving early movers a practical path to start testing now.
For Australian organisations, PQC is a live multi-year programme, not a 2035 problem — ASD's end-2026 "refined plan" milestone is now. Step one is always the cryptographic inventory: you cannot migrate what you haven't mapped.
Roughly half of all breaches now involve a third party, and the CrowdStrike outage proved that concentration risk in a single vendor — EDR, cloud, or identity — can be more consequential than a targeted attack.
Sigstore signing, SLSA levels, and dependency scanning are moving from best practice to contractual baseline — driven by the EU Cyber Resilience Act (phasing through 2027), US Executive Order 14028 SSDF attestations, and NIST SP 800-218A for GenAI.
NIST SP 800-161r1 is the primary reference for cyber supply chain risk management; ISO 27036 covers supplier relationships specifically.
A faulty Falcon content update crashed roughly 8.5 million Windows systems — under 1% of the installed base, yet the largest IT outage in history. Parametrix estimated up to ~US$5.4b in Fortune 500 revenue/gross-profit impact (healthcare ~US$1.94b, banking ~US$1.15b); insurance covered only 10-20% of that; global losses were estimated near US$15b.
SolarWinds SUNBURST (2020) · MOVEit (2023) · Snowflake credential intrusions (2024) · Change Healthcare · CDK Global — each a different failure mode inside the same third-party trust boundary.
Single-vendor dependencies in EDR, cloud, or identity create systemic exposure. Insurers now model accumulation risk explicitly — a single vendor failure can trigger claims across an entire portfolio of insureds simultaneously.
CrowdStrike proved that a single-vendor dependency in EDR, cloud, or identity is systemic risk, not vendor risk — insurers now model accumulation risk explicitly, and only 10-20% of Fortune 500 impact was covered. Fourth-party mapping and tested alternate control paths are the practical answer; SBOM and contractual provenance are the long-run structural fix.
Aligned to NIST SP 800-61r3 (published 3 April 2025 — restructured around CSF 2.0, where Govern/Identify/Protect form preparation and Detect/Respond/Recover form handling, wrapped in continuous Improvement), CISA playbooks, and ACSC guidance. Each of the six playbooks below carries a phase flow, decision points, a RACI where relevant, regulatory clocks, and evidence-preservation actions.
ASD: 72 hours for ransomware payment reports. APRA: ≤72 hours for material operational-risk incidents, ≤24 hours for tolerance-breaching disruptions (CPS 230). OAIC: 30-day maximum assessment ceiling for eligible data breaches, notify ASAP once confirmed. SEC: 4 business days for material incidents at US-listed entities. Pre-map which clocks apply to which playbook before an incident, not during one.
Board approves — payment and risk appetite is a board decision. CISO advises on technical response. Crisis team executes. ACSC strongly advises against paying: there is no guarantee of restoration, payment funds future attacks, ~80% of payers are re-attacked within 12 months, and only ~4% of payers recover all their data. Sanctions risk applies — payment to a sanctioned entity is a separate offence. Paying is not itself illegal in Australia.
If paid — including by an insurer on your behalf: a mandatory ASD report is due within 72 hours under the Cyber Security Act 2024. There is no minimum threshold, and both monetary and non-monetary benefits are reportable.
| Stakeholder | RACI | Role |
|---|---|---|
| Board | Accountable | Pay / no-pay decision and risk appetite |
| CISO | Responsible | Technical response and advice to the board |
| Crisis Team | Responsible | Execution and communication cascade |
| Legal | Consulted | Sanctions exposure, privilege, notification obligations |
| Comms | Responsible | Internal, customer, regulator, and media templates |
| Insurer | Consulted | Panel firm engagement, coverage confirmation before any commitments |
Encryption + data theft + DDoS/harassment. Backup maturity neutralises the encryption leg, but does not neutralise data-theft leverage — plan for extortion even when recovery from backup is fast and complete.
Notify the insurer early; use panel firms where required by the policy. Unauthorised commitments — including early negotiation promises — can void coverage.
Pre-drafted templates for internal, customer, regulator, and media audiences. A single spokesperson. Legal privilege maintained over forensic findings from the outset.
Restore from immutable/offline backups only. Verify integrity before restoring. Assume a re-entry attempt is coming, and rotate all credentials as part of the restoration — not after it.
The recall window is measured in hours, not days. Bank contact is step one — not step four. Every minute spent on internal verification before calling the bank's fraud team reduces the odds of recovering the funds.
30 days is a ceiling, not a target. Document the assessment even if you conclude notification isn't required — the assessment record itself is your defence in any later regulatory inquiry.
ACSC reported DoS/DDoS incidents up 280% in 2024-25. If APRA-regulated, a disruption outside tolerance triggers a ≤24-hour notification under CPS 230 para 42 — build that clock into the playbook, not just the ransomware one.
Security acting before HR and Legal alignment destroys both the case and the process fairness. Coordinate before confronting — every time, without exception.
A playbook that hasn't been exercised is a hypothesis. Quarterly scenario exercises — ransomware and BEC at minimum — an annual severe-but-plausible CPS 230 exercise, and the reporting matrix pinned to the wall: that's the difference between response and improvisation.
Cyber recovery is not disaster recovery. DR assumes clean infrastructure to fail over to; cyber recovery must assume the adversary compromised that infrastructure too. This tab walks the ISO 22301 core, the plan hierarchy, and the resilience chain from attack to lessons learned.
"The process of analysing the impact over time of a disruption on the organization." For each prioritised activity, determine:
Governing rule: RTO must sit below MTPD, with a documented safety margin between them.
APRA CPS 230 requires tolerance levels for critical operations plus an annual severe-but-plausible scenario exercise covering all critical operations — including service-provider disruptions, not just internal failures.
Crisis team structure with decision authority pre-delegated, war-room operations ready to activate, and communication cascades — who calls whom, in what order, with what pre-approved messages — decided before an incident, not during one.
Escalation flows up this chain by severity; recovery flows back down through Business Continuity, with Disaster Recovery as its technology engine.
DR assumes clean infrastructure to fail over to. Cyber recovery assumes compromise — rebuild from a known-good, integrity-verified state in an isolated recovery environment. Immutable backups are necessary but not sufficient; the restore process itself must assume the adversary is still present. Ransomware downtime has historically averaged ~24 days — set executive expectations accordingly.
The plan hierarchy — Incident Response → Crisis Management → Business Continuity → Disaster Recovery — is not documentation for its own sake; it is the escalation and decision-authority map that stops a technical incident becoming an unmanaged crisis. Exercise the whole chain, not just the DR runbook.
A staged path from compliance triage to full management-system integration — sequenced so that insurer-baseline controls and the Australian reporting matrix come first, frontier capability second, and integration and assurance last.
Once ML2 is achieved uniformly and MTTD/MTTR sit within target, shift marginal spend from prevention toward resilience and recovery capability.
Where a critical system's vendor has no PQC-capable product available, use crypto-agility wrappers rather than waiting indefinitely for vendor support.
When the insurer re-rates premiums 15-20% at renewal, documented control evidence becomes the gating deliverable for that renewal — not a policy document.
Certification and maturity are sequencing decisions, not a checklist to complete in any order — insurer-baseline controls and the Australian reporting matrix come before zero-trust and PQC roadmaps, and integration across 27001, 42001, 27701, and 22301 is the payoff for Stages 1-2 done well, not a parallel track to run alongside them.