The Imperative for Australian Boards and Senior Executives to Champion Cyber Security Culture: Key Updates in the ISM Framework


Cybersecurity is not just a protective measure; it is a fundamental requirement for maintaining trust and operational integrity. For Australian organizations, the Australian Signals Directorate's (ASD) Information Security Manual (ISM) provides the principal framework for managing cybersecurity risk. The March 2025 update to the ISM reinforces the need for a proactive and adaptive cybersecurity posture and places responsibility for it squarely with boards and executive committees, with cybersecurity to be integrated into every facet of business operations. In this landscape, Immersive's people-centric cybersecurity solutions, including cyber drills, hands-on labs, and exercises, give enterprises a way to prove and improve their cybersecurity capabilities in alignment with ISM guidance.
Understanding the ISM
The Australian Signals Directorate (ASD) publishes the Information Security Manual (ISM) as a cybersecurity framework. It is designed to help organizations protect their technology systems, applications, and data from cyber threats through a risk management approach. The ISM is written primarily for chief information security officers (CISOs), chief information officers (CIOs), cybersecurity professionals, and IT managers.
Key Updates to the ISM in March 2025
The March 2025 updates to the ISM include several new controls focused on embedding cybersecurity at the highest levels of an organization. These updates emphasise the role of the board of directors and executive committees in leading and integrating cybersecurity initiatives.
- Board and Executive Commitment: The ISM now requires that cybersecurity be integrated into all business functions, with clear roles and responsibilities defined by the board or executive committee. It also stipulates that cybersecurity strategies must align with the organization's overarching strategic and business objectives. Additionally, the board must receive regular briefings and reports on the organization’s cybersecurity posture and the broader threat environment.
- Championing a Positive Cybersecurity Culture: The board or executive committee is now charged with fostering a positive cybersecurity culture, setting an example for the rest of the organization to follow.
- Building Cybersecurity Expertise: To ensure effective governance, the ISM mandates that the board or executive committee maintain sufficient cybersecurity literacy. This includes staying informed about recruitment, retention rates, and skill gaps within the cybersecurity team. It also involves supporting cybersecurity training and awareness programs for all personnel.
- Planning for Major Cybersecurity Incidents: Organizations must now plan for major cybersecurity incidents, with the board or executive committee actively participating in exercises to understand their roles and duties during such events.
Attacks on Australian superannuation funds are rising, and industry bodies are acting
In February 2023, the Australian Prudential Regulation Authority's (APRA) general manager for superannuation highlighted the "emerging and increasing risk" of cyberattacks and the need for improved cyber risk management within the superannuation industry, even though no significant cyber incident had occurred in the sector up to that point.
By 2025 that risk had materialised. A major Australian superannuation fund with approximately 3.5 million members and over A$365 billion in funds under management experienced a cyberattack, which resulted in about A$500,000 in combined losses for a small number of members.*
Recognising the importance of combating financial and cyber crime, the superannuation industry is prioritising the development of industry-wide frameworks. To this end, the Association of Superannuation Funds of Australia (ASFA), through its Financial Crime Protection Initiative (FCPI), will soon release a toolkit designed to strengthen cybersecurity coordination across the sector and align with the ISM changes.
Immersive's People-Centric Cybersecurity Approach
Immersive's value proposition extends beyond compliance. We give organisations the ability to prove and improve cyber capabilities across the entire workforce, so they are ready for all kinds of threats. By using Immersive, organisations can reduce breach costs, improve recruitment and retention, and make better-informed cybersecurity investment decisions, while demonstrating readiness to regulators, boards, and C-level executives.
Immersive provides:
- Cybersecurity Exercises and Labs: Immersive delivers hands-on, gamified learning environments for individuals, teams, and organizations, covering defensive cybersecurity, penetration testing, application security, and cloud and infrastructure security, from foundational to expert level.
- Team-Based Simulations: Immersive offers team-based simulations for executive teams, crisis management and incident response teams, and offensive, defensive, and Security Operations Center (SOC) teams.
- Skills Development Exercises: Immersive also provides skills development exercises that drive transformative behavioral change for senior leaders, front-line employees, and high-risk targets of cyberattacks.
Aligning Your Organization with the Updated ISM Compliance: Immersive's Role
Immersive's approach directly supports the ISM's updated requirements, particularly the four areas introduced in the March 2025 update: embedding cybersecurity across the organization, championing a positive cybersecurity culture, building cybersecurity expertise, and planning for major cybersecurity incidents.
Immersive's exercises and labs help organizations integrate cybersecurity into all business functions by providing targeted training for various roles, from the board to frontline workers. These programs ensure that everyone understands their cybersecurity responsibilities, fostering a culture of shared accountability.
Our training and simulations promote a proactive and engaged cybersecurity culture. By involving the board and executive teams in exercises, Immersive underscores the importance of leading by example and helps to instill cybersecurity awareness throughout the organisation.
Immersive directly addresses the ISM's call for enhanced cybersecurity literacy and skills development. Our hands-on labs and exercises provide continuous learning opportunities, ensuring that all personnel, including the board, stay informed about the latest cyber threats and best practices.
* Lucas Baird, "Money taken in co-ordinated cyberattack on big super funds", The Australian Financial Review, 4 April 2025.