Support Post-Quantum Cryptographic Algorithms by 2030
New cryptographic tools must support specific secure algorithms by 2030 to be ready for future quantum computing.
Plain language
This control is all about getting ready for the future when computers get super powerful. By 2030, new systems need to be built so they can handle a new kind of security that will work even against these future computers. If we don't prepare, these powerful computers could break our current security, leading to data breaches or even financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographyOfficial control statement
The development and procurement of new cryptographic equipment, applications and libraries ensures support for the use of ML-DSA-87, ML-KEM-1024, SHA-384, SHA-512 and AES-256 by no later than 2030.
Why it matters
Without PQC-ready crypto (ML-DSA-87/ML-KEM-1024, SHA-384/512, AES-256) by 2030, data may be broken later via quantum attacks.
Operational notes
For all new procurements, verify libraries/equipment support ML-DSA-87, ML-KEM-1024, SHA-384/512 and AES-256, and record compliance to meet the 2030 deadline.
Implementation tips
- The IT team should update their software tools to support post-quantum cryptographic algorithms. They can do this by researching which cryptographic algorithms are recommended, such as AES-256 and SHA-512, and ensuring their tools are compatible with these standards.
- Procurement officers should include post-quantum readiness as a requirement when buying new tech gear. They need to check with vendors if their products will support algorithms like ML-DSA-87 by 2030.
- Managers should organise training sessions for their staff to understand the importance of post-quantum security. They can invite experts to explain how these algorithms protect against future threats.
- System owners should inventory current systems and identify which ones need upgrading or replacing. They can work with their IT team to make a plan ensuring all systems are updated before 2030.
- The compliance officer should incorporate a timeline for adopting new cryptographic algorithms into the organisation's security policies. This involves setting milestones and review points to stay on track for the 2030 deadline.
Audit / evidence tips
- AskA future-focused technology strategy plan: Request the document outlining the organisation's roadmap for adopting post-quantum algorithms GoodHas specific dates and actions for updating systems before 2030
- AskProcurement records showing requirements for post-quantum capability GoodIncludes recent contracts that mention these future security needs
- AskTraining records or schedules: Request documentation of staff training sessions on quantum readiness GoodShows regular training sessions carried out with participation across key teams
- AskSystem inventory updates GoodShows a list with clear notes on the actions required and completion timelines
- AskPolicy documents mentioning post-quantum security: Request the organisation's security policy that includes post-quantum planning GoodIncludes detailed policies on these future approaches
Cross-framework mappings
How ISM-1917 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (3) expand_less | ||
| Annex A 8.25 | ISM-1917 requires cryptographic components to support nominated PQC and strong algorithms by 2030, tying into procurement and development | |
| Annex A 8.26 | ISM-1917's focus on supporting specific PQC and strong algorithms by 2030 through procurement and development can be captured within ISO/... | |
| Annex A 8.27 | ISM-1917 states that new systems must support specific PQC and strong algorithms by 2030 | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.24 | Annex A 8.24 requires organisations to define and implement rules for the effective use of cryptography and for cryptographic key management | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.