While the Australian cyber security sector has recently been captivated by broader structural framework conversations around evolving the Essential Eight, a major operational shift slipped into the June 2026 Information Security Manual (ISM) update. The Australian Signals Directorate (ASD) introduced a critical new monitoring requirement: Control ISM-2116.
If you need to comply with the ISM and you're not actively using cyber threat intelligence as part of your detective controls, the system could now be considered non-compliant.
For over ten years, the team at Cosive have been responsible for leading threat intelligence sharing across the Australian cyber ecosystem. We’ve championed the transition away from siloed security operations, pushing for a collective defence model where organisations share threat activity for the benefit of the wider community.
We firmly believe that to survive the cyber-lions roaming the internet, defenders must act like a herd of zebras. In the wild, zebras survive not through individual strength, but by grouping tightly together. When a predator attacks, their overlapping stripes merge into a confusing mass of visual noise, making it nearly impossible for a lion to target a single individual. By cooperating, sharing threat intelligence, and moving as a unified front, we’ve seen that defenders can create a similar level of collective defence.
Our team was in the trenches helping architect, deploy, and support the foundational infrastructure for the ASD’s Cyber Threat Intelligence Sharing (CTIS) platform. We have spent years helping customers bridge the detection gap using machine-readable open standards like STIX/TAXII and MISP. Back then, we knew that establishing a pipeline connection was only the first phase; the real challenge lies in winning the hearts and minds of organisations to truly drive participation.
Sometimes you need a way to drive participation, not just talk about the benefits. The ISM has been missing that knockout blow in motivating agencies to not just hoard threat intelligence, but actually operationalise it. The introduction of ISM-2116 brings this full circle by turning threat intelligence into a baseline requirement for modern compliant cybersecurity programs.
To understand why ISM-2116 was introduced, we have to trace its lineage back through government policy and the evolution of the ISM core principles.
The initial success of CTIS brought discussions about CTI to executives and boards, helping establish CTI programs as a priority investment rather than a technical afterthought. In Australia, the Department of Home Affairs sets the overarching security framework for the Australian Government via the Protective Security Policy Framework (PSPF).
PSPF Direction 003-2024 (Supporting Visibility of the Cyber Threat) refined this further by requiring non-corporate Commonwealth entities to share cyber threat information with ASD, and mandates participation in ASD’s Cyber Security Partnership Program. The intent was to break down visibility silos and move towards a more unified national cyber defence.
More recently, the March 2026 ISM update significantly enhanced the manual's strategic view by updating its core Cyber Security Principles which align to the NIST framework. It placed an explicit high-level obligation on organisations to utilise "current strategic and sector-specific cyber threat intelligence" across three critical governance phases:
This progression reflects how we approach advisory work at Cosive: start by understanding the highest risks your organisation is realistically likely to face, identify which threat intelligence will help you recognise those risks, and then use that intelligence to guide detection.
To satisfy an IRAP assessor under the June 2026 baseline, organisations must actively prove how that intelligence modifies and drives their defensive posture on a daily basis. To get started on that journey, we can consider three concrete steps to operationalise ISM-2116:
For organisations looking for a practical starting point, modern Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms can help bring cyber threat intelligence into detection.
Many leading EDR vendors already use global threat intelligence to inform detections and protections in their endpoint agents. When these platforms are configured to block and alert on relevant adversary behaviours, they can help organisations use CTI to identify incidents at the asset layer.
This is a useful foundation, but it is not the whole picture. Vendor intelligence is often broad by design, and may not include the Australian context, sector-specific insight, or local threat activity your organisation needs to make good detection decisions.
For enterprise environments and government departments with a formal SOC, a common next step is to bring cyber threat intelligence directly into the tools analysts already use.
This may involve configuring SIEM, logging, or SOAR platforms such as Microsoft Sentinel or Splunk to ingest high-confidence intelligence from trusted sources, including STIX/TAXII or MISP feeds and services such as the Australian Government’s CTIS.
When implemented well, this helps security teams look for signs of malicious activity across their environment, including indicators of compromise, adversary behaviours, and relevant tactics, techniques, and procedures.
The value comes from how the intelligence is applied. Teams should filter incoming intelligence for relevance, use it to support proactive threat hunting, and run new intelligence against historical logs where appropriate. This helps identify activity that may already be present in the environment, rather than only improving future detection.
For more mature organisations working with multiple threat intelligence sources, it is useful to have a central place to curate and manage that intelligence before it is pushed into detection tools.
CTI may come from a range of sources, including CTIS, commercial feeds, ISACs, community sharing, and internal telemetry. Without curation, those feeds can quickly create duplication, noise, and detections that do not reflect your organisation’s actual risk profile.
A dedicated platform such as CloudMISP can help by centralising, normalising, and deduplicating threat intelligence before it reaches SIEM, SOAR, EDR, or other defensive tooling. This gives analysts a place to review incoming intelligence, filter for relevance, and maintain a curated set of high-confidence indicators and context.
That curated intelligence can then be distributed to security tools to support detection, prevention, and threat hunting.
When well managed, this approach reduces alert fatigue, improves the quality of detections, and gives assessors a clearer view of how threat intelligence is being governed and used in practice.
While the ISM is primarily mandated for Australian Government agencies and parts of their supply chains, its influence often reaches further. It gives the broader Australian cyber security ecosystem a clearer view of what good practice can look like.
Requiring organisations to use cyber threat intelligence in detection is a big step forward. It encourages teams to move beyond static control checklists and think more carefully about the threats they are most likely to face, the intelligence that can help identify those threats, and how that intelligence should inform day-to-day security operations.
This will become increasingly important as AI changes attacker behaviour, vulnerability discovery, and the speed at which security teams need to respond.
Threat-informed defence should not be seen as something only large or highly mature teams can do. Organisations can start small by using trusted intelligence sources, applying that intelligence to relevant detections, and improving the process over time.
The path from the PSPF to ISM-2116 points to a more practical baseline for Australian organisations: use relevant threat intelligence to support detection, assurance, and improvement. Connecting intelligence sources is only the start. The value comes from applying that intelligence to reduce noise and close detection gaps.
Talk to us about how we can help your SOC operationalise cyber threat intelligence to keep your systems compliant