← Apex Delivery|Delivery SignalCIO AIICT PMOEnterprise PMOICT TOMISO GovernanceAI MaturityCybersecurity
Cybersecurity Blueprint Wiki · July 2026

Twelve Blueprints for
Enterprise Cybersecurity

The full cybersecurity reference for 2026 — framework landscape, ISO 27001 dual-lens, the Australian regulatory layer in depth, dedicated frontier tabs (AI security, zero trust, post-quantum, supply chain), incident-response playbooks, and the cyber-resilience chain from attack to recovery.

ISO/IEC 27001:2022 · 93 Controls Essential Eight · ML2 NIST CSF 2.0 Cyber Security Act 2024 CPS 230 Live Jul 2025 6 IR Playbooks ASD PQC 2030
Blueprint 01
Threat Landscape 2026

2026's headline number looks reassuring — global breach costs fell for the first time in five years. It isn't. The decline is AI-assisted containment showing up in the ledger, not a signal that attackers slowed down. Vulnerability exploitation has just overtaken credential abuse as the #1 initial access vector for the first time in nineteen years, and Australia logs a cybercrime report every six minutes. Read the full picture before reading the headline number.

2026 Signal
The numbers that set the year's agenda
US$4.44m
Global avg breach cost — first decline in 5 yrs (IBM 2025)
US$10.22m
Record US average breach cost
241 days
Mean time to identify + contain — lowest in 9 years
A$80,850
Avg cybercrime cost per report, Australia (+50%)
~20%
Ransom payment rate, Q4 2025 — record low (Coveware)
~6 min
A cybercrime reported in Australia — every ~6 minutes
The Global Picture
Five sources, one converging story
🌐

IBM Cost of a Data Breach 2025

20th edition, 600 organisations. Global avg fell to US$4.44m — AI-assisted containment credited. US hit a record US$10.22m (regulatory fines, slower detection). Healthcare stayed costliest at US$7.42m for the 15th straight year. Supply-chain compromise averaged US$4.91m and was slowest to resolve (267 days). PII was present in 53% of breaches.

  • Phishing remains the top initial vector at 16% (~US$4.8m avg)
  • Shadow AI present in 20% of breaches — adds ~US$670k in cost
  • 97% of AI-related breaches had no AI access controls; 63% had no AI governance policy at all
  • Attackers used AI in 16% of breaches — 37% AI-generated phishing, 35% deepfake impersonation
  • Defensive AI and automation saved an average of ~US$1.9m per breach
🔓

Verizon DBIR 2025

22,052 incidents / 12,195 confirmed breaches analysed. Credential abuse (22%) and vulnerability exploitation (20%, +34% YoY) led initial access. Ransomware appeared in 44% of breaches (+37% YoY), though 64% of victims refused to pay — up from roughly half the year prior.

  • Third-party involvement in breaches doubled year-on-year to 30%
  • SMBs bore the brunt: ransomware was present in 88% of their breaches
🔄

DBIR 2026 — the pivot

Vulnerability exploitation overtook credential abuse as the #1 initial access vector — the first time in nineteen years of the DBIR series. Third-party involvement rose a further ~60% to near half of all breaches, and only around 26% of Known Exploited Vulnerabilities were fully remediated.

  • Edge devices and VPN appliances are now the primary target class
  • Patch latency, not password hygiene, is this year's dominant control gap
💰

Ransomware economics

Sophos State of Ransomware 2025: median demand fell to ~US$1.32m (−34%); median payment ~US$1m (−50%); average recovery cost excluding ransom fell from US$2.73m to US$1.53m (−44%); encryption occurred in only 49% of attacks, down from 66% — pure data-theft extortion is rising.

  • Coveware Q4 2025: payment rate ~20% (record low), median payment ~US$110,890 — about 8.7% of the initial demand
  • Historical average ransomware downtime remains ~24 days
🇦🇺

ACSC Annual Cyber Threat Report 2024-25

84,700+ reports lodged (one every ~6 minutes); 1,200+ incidents responded to (+11%). Average cost per report A$80,850 (+50%); large business average A$202,700 (+219%). DoS/DDoS reports rose 280%. Critical infrastructure made up ~11-13% of incidents. 138 ransomware incidents recorded — 39% detected by ACSC itself, not the victim.

  • PRC state-sponsored actors active at APT40 / Volt Typhoon / Salt Typhoon-class sophistication, alongside a persistent infostealer wave
  • ACSC guidance for 2026: "assume compromise," and begin post-quantum cryptography preparation now
📌 Interpretation

The 9% global cost drop is not a signal to cut spend — it reflects AI-assisted detection maturity, and the single biggest cost lever remains faster detection and containment. Record-low payment rates show backup maturity is working; attackers are responding with volume, mid-market targeting, and pure data-theft extortion that backups alone cannot neutralise.

🏆 Authority Point

Vulnerability exploitation overtaking credentials means edge devices and VPNs — and patch latency — now dominate initial access. Calendar-based patching is inadequate for internet-facing assets where time-to-exploit approaches zero for critical edge CVEs. Rebuild the patch SLA around exposure, not a monthly cycle.

📎 Data Caveats
  • DBIR 2026, ransomware projections, and insurance forecasts come partly from secondary aggregators and forward-looking projections — treat as directional, not settled.
  • Ransomware statistics vary by source and methodology (Coveware, Sophos, Verizon, Chainalysis, IBM) — ranges are given deliberately rather than a single false-precision figure.
  • ISO/IEC 27090 and 27091 are forthcoming as of mid-2026 — confirm publication status before citing either as final (see Tab 06).
  • Privacy Act small-business-exemption removal is agreed in principle but not yet law (see Tab 05).
  • The SEC v SolarWinds dismissal reduces individual-CISO securities risk but does not eliminate exposure for material misstatements (see Tab 03).
Blueprint 02
Framework Landscape Map

Every organisation of any size is now expected to answer to several cybersecurity frameworks at once — certifiable, voluntary, and regulatory. The practitioner move is not to pick one and ignore the rest; it is to map controls once against a single control set and report against many frameworks from that single source of truth.

The Landscape
The frameworks compared
FrameworkTypeStructureWhen it matters
ISO/IEC 27001:2022Certifiable ISMSClauses 4-10 + Annex A, 93 controls across 4 themesThe certifiable spine — enterprise and procurement signal
NIST CSF 2.0(26 Feb 2024)Voluntary coordination layer6 functions (GOVERN new + Identify, Protect, Detect, Respond, Recover), 22 categories, 106 subcategories, 4 tiers (Partial → Adaptive), Current/Target ProfilesBoard-level structure; maps cleanly onto 27001 / 800-53 / CIS
Essential Eight(ASD/ACSC)Australian baseline8 strategies × maturity levels 0-3ML2 mandatory for non-corporate Commonwealth entities under PSPF; the ISM sits behind it with 741+ controls
CIS Controls v8.1Prescriptive baseline18 controls, Implementation Groups IG1 → IG3Practical hygiene sequencing
SOC 2(AICPA TSC)AttestationType I design / Type II operating effectivenessUS-market SaaS sales; annual re-attestation vs ISO's 3-year cycle
APRA CPS 234 + CPS 230Regulatory — AU financial servicesInformation security capability (234) + operational resilience (230, live 1 Jul 2025)Mandatory for APRA-regulated entities
SOCI ActRegulatory — AU critical infrastructureCIRMP, Enhanced Cyber Security Obligations, Systems of National SignificanceMandatory across 11 critical infrastructure sectors
Cyber Security Act 2024Regulatory — AU economy-wideRansomware payment reporting, smart-device standards, Cyber Incident Review BoardApplies broadly — see Tab 05
International briefRegulatory — multi-jurisdictionEU NIS2 (transposed 2024-25) · DORA (financial, Jan 2025) · UK Cyber Essentials · US SEC disclosureMaterial incident disclosure to the SEC within ≤4 business days for US-listed entities
🎯

Essential Eight — the eight strategies

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Regular backups
📐

Maturity discipline

Essential Eight maturity is assessed uniformly — an organisation cannot claim Maturity Level 2 on seven strategies while sitting at Level 0 on the eighth. All eight strategies must be raised together before advancing a maturity level as a whole.

🏆 Authority Point

Map controls once, report against many. Use NIST CSF 2.0 as the coordination layer sitting over a 27001 ISMS, with Essential Eight as the Australian baseline floor underneath it — one control set, four reporting views, and no duplicated evidence-gathering effort.

Blueprint 03
ISO 27001 Executive Lens

This tab is written for the board and the executive sponsor — the transition cliff, the economics, the liability picture, and the insurance market. For clause-by-clause and Annex A control detail, see Tab 04, ISO 27001 Implementer Lens, which is kept strictly separate.

Where the Market Sits
The certification and liability picture in 2026
31 Oct 2025
All ISO 27001:2013 certificates expired
US$15k–75k
Typical 3-year certification cycle cost
3–6 mo
Small-organisation certification timeline
12–18 mo
Larger-organisation certification timeline
~20%
2026 fee rise reported by some certification providers
1st
Federal Court civil penalty for cyber failures — ASIC v FIIG, A$2.5m
Executive Priorities
What the board and CISO must own

The transition cliff

Every ISO 27001:2013 certificate expired 31 October 2025. Organisations that didn't transition now face a full initial audit — not the cheaper transition or surveillance audit — to get certified. New certificates have only been issued against the 2022 standard since 30 April 2024.

💵

Certification economics

Two audit stages: Stage 1 (documentation review) and Stage 2 (operating effectiveness). Annual surveillance audits in years 1-2 typically cost one-third to one-half of the initial audit; year-3 recertification is priced close to the initial audit. Audit day rates run roughly US$1,500-2,200 (UK £1,000-1,500), with audit days set by the ISO/IEC 27006 tables based on headcount and complexity.

🧩

Integration dividend

ISO 27001 shares the Annex SL high-level structure with ISO 42001 (AI management), 27701 (privacy), 9001, and 22301 (business continuity) — enabling combined audits and shared evidence. Supporting standards worth budgeting for: 27002 (implementation guidance), 27005 (risk), 27017 (cloud), 27018 (PII in the cloud), 27035 (incident management).

⚖️

CISO liability — the SolarWinds signal

SEC v SolarWinds / Tim Brown was largely dismissed 18 July 2024 and fully dismissed with prejudice 20 November 2025 — genuine relief for CISOs personally. But SEC disclosure rules and the Cyber and Emerging Technologies Unit (established February 2025) remain fully in force. Action: secure explicit D&O coverage for CISOs — standard cyber-liability policies typically do not cover enforcement or shareholder actions.

🛡️

Cyber insurance in 2026

Market size: US$15.3b (2024, Munich Re) → ~US$16b (2025) → projected US$23b+ (2026). Premiums softened ~6% in 2025 (−22% from the 2022 peak), but S&P Global and WTW both project 15-20% increases into 2026. Over 40% of claims see no or partial payout — the #1 denial reason is failure to maintain stated controls, especially MFA. War and nation-state exclusions appear in ~16% of denials and are tightening post-NotPetya (Lloyd's). The CrowdStrike outage crystallised systemic/accumulation risk for insurers.

📊

Board reporting

Translate technical risk into board language using FAIR (Factor Analysis of Information Risk) quantification, mapped explicitly to NIST CSF 2.0's GOVERN function outcomes — dollarised exposure the board can weigh against other enterprise risks.

🏆 Authority Point

Insurance is now a control-evidence game — insurers deny claims on absent MFA and unmaintained controls, not fine print. Treat documented control evidence (not attestation) as the gating renewal deliverable, especially heading into a year where premiums may re-rate 15-20%.

Blueprint 04
ISO 27001 Implementer Lens & Annex A

This tab is written for the implementer — clause detail, Annex A control structure, the 2022 delta, and the operational decisions (SOC model, metrics, testing ladder, tooling) that turn a certificate into a working control environment. For board and liability framing, see Tab 03, kept strictly separate from this tab.

Annex A 2022
93 controls across 4 themes
37
A.5 Organisational controls
8
A.6 People controls
14
A.7 Physical controls
34
A.8 Technological controls
93
Total Annex A controls, each with attributes + purpose statement
ThemeControl countCoverage
A.5 Organisational37Policies, roles, supplier and cloud relationships, threat intelligence, incident management, business continuity readiness
A.6 People8Screening, terms of employment, awareness/training, disciplinary process, remote working, confidentiality
A.7 Physical14Secure areas, equipment, physical security monitoring, clear desk/clear screen
A.8 Technological34Access control, cryptography, configuration management, data leakage prevention, secure coding, monitoring
🆕

The 11 new 2022 controls

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding
Implementer Priorities
The decisions that make the ISMS operational
📄

SoA + risk treatment plan

The Statement of Applicability (Clause 6.1.3) and risk treatment plan (Clause 8.3) are the pivotal audit documents for 2022 conformance. Build the evidence trail first; write the SoA to match what the evidence shows, not the reverse.

🖥️

SOC operating models

Decide between in-house SOC, fully outsourced MSSP, or hybrid MDR based on scale, available talent, and genuine 24/7 coverage need — not on which model looks cheapest on a slide.

📈

Metrics that matter

MTTD, MTTR, patch latency, phishing simulation click/report rates, and vulnerability-management SLAs — track these as the operating heartbeat of the ISMS, not as year-end reporting artefacts.

🪜

Testing ladder

Penetration test (point-in-time) → red team (adversary emulation) → purple team (collaborative detection tuning). Each rung answers a different question; run the ladder in sequence, not just the cheapest rung repeatedly.

🧰

Tooling rationalisation

SIEM, SOAR, EDR/XDR, CNAPP, IAM — consolidate toward integrated platforms rather than point-solution sprawl. Alert fatigue and licence sprawl are both, in practice, control failures: a control nobody can afford to watch is not an operating control.

🏆 Authority Point

The SoA and risk treatment plan are not paperwork — they are the pivotal audit documents for 2022 conformance. Auditors probe the gap between what the SoA claims and what the evidence trail actually shows. Build the evidence first; write the SoA to match it.

Blueprint 05
Australian Regulatory Layer

This is the differentiator tab. Australia's cyber regulatory stack hardened dramatically through 2025-26 — mandatory ransomware payment reporting, APRA CPS 230 going live, and the first-ever Federal Court civil penalty for cyber failures. Multiple regulators, multiple clocks, and for many organisations, multiple simultaneous notification obligations from a single incident.

The Regulatory Clock
Obligation, trigger, deadline, regulator, penalty
ObligationTriggerDeadlineRegulatorPenalty
Ransomware payment reportPayment made — or awareness made on your behalf, including by an insurer72 hoursASDUp to 60 penalty units (~A$19,800)
Material operational-risk incidentOccurrenceASAP, ≤72 hoursAPRA (CPS 230 para 33)Supervisory action
Disruption outside toleranceCritical operation tolerance breachASAP, ≤24 hoursAPRA (CPS 230 para 42)Supervisory action
Eligible data breachSuspicion → assessment30-day maximum assessment; notify ASAP once confirmedOAICCivil penalties (s 13G)
SOCI incident reportingCritical or significant impact12 hours (critical) / 72 hours (other)CISC / ASDCivil penalties
SEC disclosure(if US-listed)Material incident4 business daysSECEnforcement action
The Instruments
Four pieces of the Australian regime

Cyber Security Act 2024

Royal Assent 29 November 2024; reporting obligations live from 30 May 2025. Applies to entities with turnover above A$3m plus all SOCI responsible entities. There is no minimum payment threshold, and both monetary and non-monetary benefits are reportable.

  • "Limited use" protections: information reported is not admissible in criminal proceedings against the reporter
  • Paying a ransom is not itself illegal in Australia — but sanctions risk applies, and ACSC strongly advises against payment
  • Also establishes smart-device security standards and the Cyber Incident Review Board
🏦

APRA CPS 230

Live since 1 July 2025. Requires critical operations to be identified, tolerance levels set, and a credible business continuity plan tested annually against severe-but-plausible scenarios.

  • Material service provider register required, including fourth-party risk
  • Pre-existing contracts covered from the earlier of contract renewal or 1 July 2026
  • Consolidates the former CPS 231 and CPS 232
🏗️

SOCI Act

As amended by the Enhanced Response and Prevention Act 2024. CIRMP obligations in force from 18 August 2024, with 2024-25 as the first reporting period.

  • Business-critical-data protections in force from 4 April 2025
  • Systems of National Significance carry Enhanced Cyber Security Obligations
  • 11 regulated sectors; telecommunications migrated into the SOCI regime in April 2025
🔏

OAIC Notifiable Data Breaches

The 30-day assessment window is a ceiling, not a target — aim to move faster. The trigger is a "likely serious harm" threshold.

  • December 2024 Privacy Act reforms clarified that APP 11 "reasonable steps" means both technical and organisational measures
  • Removal of the small-business exemption is agreed in principle but is not yet law
Case Law
Cyber failure is now a quantifiable directors' duty exposure
⚖️

ASIC v RI Advice [2022] FCA 496

Established that cyber risk sits within s 912A AFS licensee obligations. Justice Rofe held that cybersecurity risk "is a significant risk connected with the conduct of the business" that can be "materially reduce[d] … to an acceptable level." No penalty was imposed, but A$750k in costs and a remediation order followed.

🔨

ASIC v FIIG Securities [2026] FCA 92

Justice Derrington, 9 February 2026 — the first-ever Federal Court civil penalty for cyber security failures: A$2.5m plus A$500k costs under s 912A(1)(a),(d),(h). The underlying incident was a May 2023 ransomware attack that exfiltrated ~385GB affecting ~18,000 clients. Failures found: no MFA, poor passwords, misconfigured firewalls, unpatched software, no staff training. The maximum available penalty was ~A$41.25m; adequate controls would have cost an estimated ~A$1.2m. ASIC Deputy Chair Sarah Court: "This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations."

📋

Pipeline to watch

  • ASIC v Fortnum Private Wealth — commenced July 2025, pending
  • OAIC v Medibank — Privacy Act s 13G, ~9.7m alleged contraventions, commenced June 2024, ongoing
  • McClure v Medibank [2025] FCA 167 — privilege over cyber forensic reports
⚠️ The Quadruple-Reporting Reality

An APRA-regulated SOCI entity hit by ransomware involving PII may simultaneously owe: CPS 234/230 notification to APRA, SOCI incident reporting to CISC, a payment report to ASD, and an NDB assessment to OAIC. Four different triggers, four different clocks. Build the pre-agreed reporting matrix before an incident — not during one.

🏆 Authority Point

FIIG changes the board conversation: the controls that would have prevented a A$3m-plus penalty cost an estimated A$1.2m. Cyber underinvestment is now a quantifiable directors' duty exposure in Australia — not a hypothetical.

Blueprint 06
AI Security

A companion to the ISO AI Governance wiki (ISO/IEC 42001; forthcoming 27090/27091). Where that wiki covers governance of AI as a management system, this tab covers the security-specific attack surface: offensive AI in the hands of adversaries, defensive AI inside the SOC, and the shadow AI risk sitting between the two.

The Three Fronts
Offensive, defensive, and shadow AI
🗡️

Offensive AI

Deepfake fraud, AI-generated phishing at scale, and automated vulnerability discovery. IBM found attackers used AI in 16% of breaches — 37% for AI-generated phishing content, 35% for deepfake impersonation.

🛡️

Defensive AI

SOC automation and AI-assisted detection and triage are the driver behind the 2025 global breach-cost decline — extensive automation saved an average of ~US$1.9m per breach.

🌑

Shadow AI

Present in 20% of breaches, adding ~US$670k in cost. 97% of AI-related breaches lacked AI access controls; 63% had no AI governance policy at all. Govern explicitly — an approved list and active channelling, not an outright ban.

OWASP Top 10 for LLM Applications 2025
The application-layer risk taxonomy
CodeRiskNature of the risk
LLM01Prompt InjectionTop-ranked risk — direct and indirect manipulation of model instructions via crafted input
LLM02Sensitive Information DisclosureModel reveals confidential data present in training or context
LLM03Supply ChainCompromised models, datasets, plugins, or fine-tuning pipelines
LLM04Data & Model PoisoningMalicious manipulation of training or fine-tuning data
LLM05Improper Output HandlingDownstream systems trust LLM output without validation
LLM06Excessive AgencyModel granted more autonomy, permissions, or tool access than the task requires
LLM07System Prompt LeakageDisclosure of system instructions intended to remain hidden
LLM08Vector & Embedding WeaknessesManipulation or leakage via RAG vector stores and embeddings
LLM09MisinformationConfident, plausible, but false outputs presented as fact
LLM10Unbounded ConsumptionUncontrolled resource/cost consumption via excessive inference requests
Frontier Watch
Threat modelling, agentic risk, and the governance bridge
🗺️

MITRE ATLAS v5.1.0

Published November 2025 — 16 tactics, 84 techniques covering adversary TTPs against AI systems, including prompt injection and jailbreaks. Use it for structured AI threat modelling, the same way ATT&CK is used for enterprise IT.

🤖

Agentic AI expands the surface

The OWASP Agentic Security Initiative's Top 10 for Agentic Applications (December 2025) covers agent memory, tool integration, identity/permissions, and multi-agent risks. Anthropic's Opus 4.5 system card notes that indirect prompt-injection success rises with attempt count — agentic systems materially expand the attack surface versus single-turn chat.

🌉

The governance bridge

ISO/IEC 42001 (AIMS) is the management plane. ISO 27090 (AI security, FDIS expected June 2026, publication H2 2026) and ISO 27091 (AI privacy, late 2026/2027) are the forthcoming control-level depth beneath it — confirm publication status before citing either as final.

🏆 Authority Point

Shadow AI and AI governance policy gaps compound each other — 20% of breaches now involve shadow AI, and 63% of AI-related breaches occurred with no AI governance policy at all. Treat AI access control and an approved-tool list as day-one, Essential-Eight-equivalent hygiene, not a future-state governance nicety.

Blueprint 07
Zero Trust Architecture

"Never trust, always verify." With edge-device and VPN exploitation now the #1 initial access vector, zero trust has moved from architectural aspiration to the practical answer for perimeter-less risk.

Reference Architecture
NIST SP 800-207 and the CISA maturity model
🧭

NIST SP 800-207

The architecture reference — Policy Decision Point, Policy Enforcement Point, and Policy Information Point components, built around 7 tenets and the "never trust, always verify" principle.

🎯

Practical priorities

  • Identity-first security as the entry point
  • ZTNA over VPN — edge-device exploitation is now the #1 initial vector, and VPN appliances are the target
  • Microsegmentation to contain lateral movement
📍

Reference points

  • DoD Zero Trust Strategy targets full adoption by FY2027 — 7 pillars, 152 activities
  • NSA Zero Trust implementation primers run through 2026
CISA Zero Trust Maturity Model 2.0
April 2023 — 5 pillars, 3 cross-cutting capabilities, 4 stages

5 Core Pillars

  • Identity
  • Devices
  • Networks
  • Applications & Workloads
  • Data

3 Cross-Cutting Capabilities

  • Visibility & Analytics
  • Automation & Orchestration
  • Governance

Each pillar progresses independently through 4 stages — Traditional → Initial → Advanced → Optimal — meaning an organisation can be Advanced on Identity while still Traditional on Data. Sequence investment by risk reduction per dollar, not by uniform maturity across pillars.

🏆 Authority Point

Start with the Identity pillar — phishing-resistant MFA (passkeys) plus conditional access delivers the largest risk reduction per dollar, and it's the control insurers now require as a coverage condition.

Blueprint 08
Post-Quantum Cryptography

Harvest-now-decrypt-later means data encrypted today with traditional asymmetric cryptography is already at risk if it needs to stay confidential for a decade or more. Australia's timeline is five years ahead of the US — for Australian organisations, this is a live multi-year programme, not a 2035 problem.

The Clock
Standards, thresholds, and deadlines
13 Aug 2024
NIST PQC standards finalised
End 2030
ASD deadline to cease traditional asymmetric crypto
2035
NIST/NSA full disallowance of traditional asymmetric crypto
~4,000
Error-corrected logical qubits needed to break RSA-2048
End 2026
ASD milestone: refined transition plan due
The Programme
Standards, threat model, timelines, and where Australia sits
🔐

The standards

  • FIPS 203 ML-KEM — key encapsulation (formerly Kyber)
  • FIPS 204 ML-DSA — signatures (formerly Dilithium)
  • FIPS 205 SLH-DSA — hash-based signatures (formerly SPHINCS+)
⏱️

The threat: harvest-now-decrypt-later

Encrypted data stored today can be decrypted once a cryptographically relevant quantum computer exists — most experts estimate mid-2030s or later. Prioritise data with confidentiality needs beyond 10 years for migration now, not on the eventual deadline.

📅

Timelines compared

CNSA 2.0 (NSA): PQC signing from 2025; stop RSA/ECDH key establishment 2030; stop RSA/ECDSA signatures 2033; National Security Systems fully PQC by 2035. NIST IR 8547: deprecate RSA/ECC after 2030, disallow after 2035.

🇦🇺

Australia is ahead

ASD's Information Security Manual requires cessation of RSA, DH, ECDH, and ECDSA by end 2030 — five years ahead of the NIST/NSA 2035 timeline — and phases out SHA-224/256 by 2030 as well. ISM-1917 requires new crypto equipment, applications, and libraries to support ML-DSA-87, ML-KEM-1024, SHA-384/512, and AES-256 by 2030. ISM-2073 requires a documented PQC transition plan.

  • Milestones: refined transition plan due end 2026 → transition commenced for critical/high systems first by end 2028 → transition complete by end 2030
  • ASD-approved algorithms: AES-256, SHA-384/512, ML-KEM-1024 (preferred), ML-DSA-87 (preferred)
  • ASD neither prohibits nor recommends hybrid schemes, and does not endorse QKD
🏭

Enterprise state, 2026

Still early — crypto-agility is the strategic objective, not a completed migration. OpenSSL 3.4+ and liboqs already support the new algorithms, giving early movers a practical path to start testing now.

🏆 Authority Point

For Australian organisations, PQC is a live multi-year programme, not a 2035 problem — ASD's end-2026 "refined plan" milestone is now. Step one is always the cryptographic inventory: you cannot migrate what you haven't mapped.

Blueprint 09
Supply Chain & Third-Party Risk

Roughly half of all breaches now involve a third party, and the CrowdStrike outage proved that concentration risk in a single vendor — EDR, cloud, or identity — can be more consequential than a targeted attack.

The Numbers
Third-party risk by the numbers
~50%
Of breaches involve third parties (DBIR 2026, +~60% YoY)
US$4.91m
Avg supply-chain breach cost — slowest to resolve, 267 days
8.5m
Windows systems crashed by the CrowdStrike update
~US$5.4b
Estimated Fortune 500 impact (Parametrix)
10-20%
Portion of that impact covered by insurance
The Control Set
Provenance, frameworks, and the CrowdStrike lesson
📦

SBOM + provenance

Sigstore signing, SLSA levels, and dependency scanning are moving from best practice to contractual baseline — driven by the EU Cyber Resilience Act (phasing through 2027), US Executive Order 14028 SSDF attestations, and NIST SP 800-218A for GenAI.

📖

C-SCRM frameworks

NIST SP 800-161r1 is the primary reference for cyber supply chain risk management; ISO 27036 covers supplier relationships specifically.

💥

The CrowdStrike outage — 19 July 2024

A faulty Falcon content update crashed roughly 8.5 million Windows systems — under 1% of the installed base, yet the largest IT outage in history. Parametrix estimated up to ~US$5.4b in Fortune 500 revenue/gross-profit impact (healthcare ~US$1.94b, banking ~US$1.15b); insurance covered only 10-20% of that; global losses were estimated near US$15b.

  • Lesson 1: staged/ring deployment for content updates, not simultaneous global push
  • Lesson 2: kernel minimisation for third-party tooling
  • Lesson 3: validated alternate control paths, tested quarterly — not assumed to work
  • Lesson 4: fourth-party mapping, not just direct-vendor mapping
📜

Incident history

SolarWinds SUNBURST (2020) · MOVEit (2023) · Snowflake credential intrusions (2024) · Change Healthcare · CDK Global — each a different failure mode inside the same third-party trust boundary.

🎯

Concentration risk

Single-vendor dependencies in EDR, cloud, or identity create systemic exposure. Insurers now model accumulation risk explicitly — a single vendor failure can trigger claims across an entire portfolio of insureds simultaneously.

🏆 Authority Point

CrowdStrike proved that a single-vendor dependency in EDR, cloud, or identity is systemic risk, not vendor risk — insurers now model accumulation risk explicitly, and only 10-20% of Fortune 500 impact was covered. Fourth-party mapping and tested alternate control paths are the practical answer; SBOM and contractual provenance are the long-run structural fix.

Blueprint 10
Incident Response Playbooks

Aligned to NIST SP 800-61r3 (published 3 April 2025 — restructured around CSF 2.0, where Govern/Identify/Protect form preparation and Detect/Respond/Recover form handling, wrapped in continuous Improvement), CISA playbooks, and ACSC guidance. Each of the six playbooks below carries a phase flow, decision points, a RACI where relevant, regulatory clocks, and evidence-preservation actions.

📌 The Four Regulatory Clocks

ASD: 72 hours for ransomware payment reports. APRA: ≤72 hours for material operational-risk incidents, ≤24 hours for tolerance-breaching disruptions (CPS 230). OAIC: 30-day maximum assessment ceiling for eligible data breaches, notify ASAP once confirmed. SEC: 4 business days for material incidents at US-listed entities. Pre-map which clocks apply to which playbook before an incident, not during one.

Playbook 01 · Flagship
Ransomware with Ransom Demand
🔍
Detection
🔒
Containment
Isolation
🚨
Crisis Mgmt
Activation
⚖️
Ransom Decision
📋
If paid
ASD report ≤72h
🤝
Negotiation
Considerations
💾
Recovery
Immutable backups
🏢
Restoration
Business resilience
📝
PIR
Post-incident review
⚠️ The Ransom Decision

Board approves — payment and risk appetite is a board decision. CISO advises on technical response. Crisis team executes. ACSC strongly advises against paying: there is no guarantee of restoration, payment funds future attacks, ~80% of payers are re-attacked within 12 months, and only ~4% of payers recover all their data. Sanctions risk applies — payment to a sanctioned entity is a separate offence. Paying is not itself illegal in Australia.

If paid — including by an insurer on your behalf: a mandatory ASD report is due within 72 hours under the Cyber Security Act 2024. There is no minimum threshold, and both monetary and non-monetary benefits are reportable.

StakeholderRACIRole
BoardAccountablePay / no-pay decision and risk appetite
CISOResponsibleTechnical response and advice to the board
Crisis TeamResponsibleExecution and communication cascade
LegalConsultedSanctions exposure, privilege, notification obligations
CommsResponsibleInternal, customer, regulator, and media templates
InsurerConsultedPanel firm engagement, coverage confirmation before any commitments
💣

Double/triple extortion reality

Encryption + data theft + DDoS/harassment. Backup maturity neutralises the encryption leg, but does not neutralise data-theft leverage — plan for extortion even when recovery from backup is fast and complete.

🏥

Cyber insurance interaction

Notify the insurer early; use panel firms where required by the policy. Unauthorised commitments — including early negotiation promises — can void coverage.

📢

Communication approach

Pre-drafted templates for internal, customer, regulator, and media audiences. A single spokesperson. Legal privilege maintained over forensic findings from the outset.

♻️

Backup restoration strategy

Restore from immutable/offline backups only. Verify integrity before restoring. Assume a re-entry attempt is coming, and rotate all credentials as part of the restoration — not after it.

Playbook 02
Business Email Compromise / Financial Fraud
🔍
Detect
Anomalous payment
🏦
Freeze/Recall
Bank fraud team, minutes matter
🗂️
Preserve Evidence
Headers, logs
📞
Report
ReportCyber, bank, AFP
🔎
Assess PII
NDB if eligible
🛠️
Remediate
MFA, DMARC, callbacks
📝
PIR
⚠️ The Recall Window

The recall window is measured in hours, not days. Bank contact is step one — not step four. Every minute spent on internal verification before calling the bank's fraud team reduces the odds of recovering the funds.

Playbook 03
Data Breach with PII Exposure
🔒
Contain
📅
OAIC Assessment
30-day max, "likely serious harm"?
✉️
Notify
If eligible: OAIC + individuals ASAP
🛠️
Remediate
+ credit monitoring where warranted
📝
PIR
📌 The 30-Day Ceiling

30 days is a ceiling, not a target. Document the assessment even if you conclude notification isn't required — the assessment record itself is your defence in any later regulatory inquiry.

Playbook 04
Supply Chain Compromise
🔍
Identify
Affected vendor/component
💥
Blast Radius
SBOM query
🔀
Alternate Paths
Activate
🚫
Contain Access
Revoke/rotate, isolate integrations
📖
Vendor Assessment
NIST 800-161 / ISO 27036
📑
Notifications
Contractual + regulatory
📝
PIR
Incl. concentration-risk review
Playbook 05
DDoS / Availability Attack
🔍
Detect
🌊
Scrub
Scrubbing/CDN/upstream ISP
⏱️
Maintain Ops
Within CPS 230 tolerance; ≤24h if APRA-regulated
🧐
Attribution
Caution
📝
PIR
📌 Availability Attacks Are Back

ACSC reported DoS/DDoS incidents up 280% in 2024-25. If APRA-regulated, a disruption outside tolerance triggers a ≤24-hour notification under CPS 230 para 42 — build that clock into the playbook, not just the ransomware one.

Playbook 06
Insider Threat
🔍
Detect
Anomalous access/exfiltration
🤝
Coordinate
HR + Legal + Security, before confronting
🗂️
Preserve Evidence
Forensic imaging, chain of custody
🚫
Revoke Access
Timed with HR action
⚖️
Assess
Malicious vs negligent
🔎
NDB Assessment
If PII involved
📝
PIR
⚠️ The Coordination Trap

Security acting before HR and Legal alignment destroys both the case and the process fairness. Coordinate before confronting — every time, without exception.

Exercise Discipline
A plan that hasn't been tested is a hypothesis
🏆 Authority Point

A playbook that hasn't been exercised is a hypothesis. Quarterly scenario exercises — ransomware and BEC at minimum — an annual severe-but-plausible CPS 230 exercise, and the reporting matrix pinned to the wall: that's the difference between response and improvisation.

Blueprint 11
Business Continuity & Cyber Resilience

Cyber recovery is not disaster recovery. DR assumes clean infrastructure to fail over to; cyber recovery must assume the adversary compromised that infrastructure too. This tab walks the ISO 22301 core, the plan hierarchy, and the resilience chain from attack to lessons learned.

ISO 22301 BCMS Core
Business impact analysis and the plan hierarchy
📊

Business Impact Analysis (Cl 8.2.2)

"The process of analysing the impact over time of a disruption on the organization." For each prioritised activity, determine:

  • RTO — the period within which the activity must resume
  • RPO — the maximum acceptable data loss point
  • MTPD/MAO — the time until impacts become unacceptable
  • MBCO — the minimum acceptable service level during disruption

Governing rule: RTO must sit below MTPD, with a documented safety margin between them.

🏦

Operational resilience evolution

APRA CPS 230 requires tolerance levels for critical operations plus an annual severe-but-plausible scenario exercise covering all critical operations — including service-provider disruptions, not just internal failures.

🎖️

Crisis management

Crisis team structure with decision authority pre-delegated, war-room operations ready to activate, and communication cascades — who calls whom, in what order, with what pre-approved messages — decided before an incident, not during one.

The plan hierarchy
🚨
Incident Response
Tactical: contain, stabilise
🎖️
Crisis Management
Strategic: reputation, stakeholders, regulators
🏢
Business Continuity
Maintain activities at MBCO within RTO
💾
Disaster Recovery
The IT-recovery subset, nested in BC

Escalation flows up this chain by severity; recovery flows back down through Business Continuity, with Disaster Recovery as its technology engine.

⚠️ Cyber Recovery ≠ Disaster Recovery

DR assumes clean infrastructure to fail over to. Cyber recovery assumes compromise — rebuild from a known-good, integrity-verified state in an isolated recovery environment. Immutable backups are necessary but not sufficient; the restore process itself must assume the adversary is still present. Ransomware downtime has historically averaged ~24 days — set executive expectations accordingly.

The Resilience Chain
From attack to lessons learned — and back to preparation
💥
Cyber Attack
🚨
Incident Response
🎖️
Crisis Management
🏢
Business Continuity
💾
Recovery
📝
Lessons Learned
🛡️
Preparation
Feeds back into readiness
🏆 Authority Point

The plan hierarchy — Incident Response → Crisis Management → Business Continuity → Disaster Recovery — is not documentation for its own sake; it is the escalation and decision-authority map that stops a technical incident becoming an unmanaged crisis. Exercise the whole chain, not just the DR runbook.

Blueprint 12
Certification Roadmap & Maturity

A staged path from compliance triage to full management-system integration — sequenced so that insurer-baseline controls and the Australian reporting matrix come first, frontier capability second, and integration and assurance last.

🔍
Gap Assessment
📊
Risk Assessment
/ Treatment
📄
SoA
🛠️
Implementation
🔎
Internal Audit
👥
Mgmt Review
1️⃣
Stage 1
2️⃣
Stage 2
📆
Surveillance
Yr 1-2
🔄
Recertification
Yr 3
Stage 1 · 0-90 Days
Compliance triage
Stage 2 · 3-9 Months
Resilience & frontier
Stage 3 · 9-24 Months
Integration & assurance
Benchmark Triggers
When to shift the roadmap
🎯

Essential Eight ML2 achieved

Once ML2 is achieved uniformly and MTTD/MTTR sit within target, shift marginal spend from prevention toward resilience and recovery capability.

🔐

PQC-capable products unavailable

Where a critical system's vendor has no PQC-capable product available, use crypto-agility wrappers rather than waiting indefinitely for vendor support.

📈

Insurer re-rates 15-20%

When the insurer re-rates premiums 15-20% at renewal, documented control evidence becomes the gating deliverable for that renewal — not a policy document.

🏆 Authority Point

Certification and maturity are sequencing decisions, not a checklist to complete in any order — insurer-baseline controls and the Australian reporting matrix come before zero-trust and PQC roadmaps, and integration across 27001, 42001, 27701, and 22301 is the payoff for Stages 1-2 done well, not a parallel track to run alongside them.