Develop a Post-Quantum Cryptography Transition Plan
Create and maintain a plan to move to cryptographic methods that are secure against quantum computing threats.
Plain language
This control is about preparing your organisation to handle future threats from super-powerful computers called quantum computers. Right now, the way we scramble sensitive information might become vulnerable to these new computers, so we need a plan to start using stronger methods. If we don't do this, confidential information like customer data or trade secrets could be at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
A post-quantum cryptography transition plan is developed, implemented and maintained.
Why it matters
Without a post-quantum transition plan, systems may retain vulnerable crypto and allow harvest-now-decrypt-later exposure, causing breaches and loss of trust.
Operational notes
Maintain a PQC transition plan by inventorying crypto, prioritising high-value/long-life data, tracking standards, and scheduling migration milestones and owners.
Implementation tips
- The IT team should lead the development of a plan by first learning about what post-quantum cryptography is and why it is necessary. They can do this by attending training sessions or webinars on the topic, offered by reputable cybersecurity organisations like the Australian Cyber Security Centre (ACSC).
- System owners should work with the IT team to identify which systems and data will be most impacted by the shift to post-quantum security. Make a list of these systems and discuss why each one needs stronger protection against the new kinds of threats.
- Managers should ensure that staff know about the transition and see its importance. This can be done by organising a company-wide meeting or sending out an informative email that explains the impact of quantum computing on business security and how the organisation plans to handle it.
- The procurement team should look into new software and hardware that supports post-quantum cryptographic methods. They can attend industry expos or follow vendor announcements to understand what's available and keep a shortlist of potential products for evaluation.
- The entire organisation should schedule regular reviews of the transition plan. This could be quarterly meetings where progress is checked, adjustments are made based on new research or technology, and all stakeholders get updates on any changes affecting their roles.
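As an added example (not text from the ISM or the Control Stack site), the inventory-and-prioritisation step from the operational notes and the second implementation tip, worked in Python: each cryptographic use is flagged if a quantum computer would break it, then ranked by data value and by the x + y > z shortfall (Mosca's inequality), so high-value, long-life data comes first. The sample inventory, the 3-year migration time and the 10-year horizon for a cryptographically relevant quantum computer are constructed planning figures, not values from the page.

```python
from dataclasses import dataclass

# Public-key schemes that Shor's algorithm breaks outright on a cryptographically
# relevant quantum computer (CRQC); larger keys do not help.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers and hashes are only weakened (Grover), so flag short sizes only.
SYMMETRIC_MIN_BITS = 128
HASH_MIN_BITS = 256

@dataclass
class CryptoUse:
    system: str
    algorithm: str       # e.g. "RSA", "AES", "SHA", "ML-KEM"
    key_bits: int
    data_value: int      # 1 (low) .. 5 (high), from the business impact assessment
    secrecy_years: int   # how long the protected data must stay confidential

def is_quantum_vulnerable(use: CryptoUse) -> bool:
    """True if this use has to appear in the migration plan at all."""
    alg = use.algorithm.upper()
    if alg in SHOR_BROKEN:
        return True
    if alg in {"AES", "CHACHA20"} and use.key_bits < SYMMETRIC_MIN_BITS:
        return True
    return alg.startswith("SHA") and use.key_bits < HASH_MIN_BITS

def hndl_shortfall(use: CryptoUse, migration_years: int, years_to_crqc: int) -> int:
    """Mosca's x + y > z test: years by which secrecy lifetime (x) plus migration time (y)
    overruns the assumed CRQC arrival (z); 0 means no harvest-now-decrypt-later shortfall."""
    return max(0, use.secrecy_years + migration_years - years_to_crqc)

def prioritise(inventory, migration_years, years_to_crqc):
    """Vulnerable uses as (system, score), highest priority first; score grows with value and shortfall."""
    scored = [
        (use.system, use.data_value * (1 + hndl_shortfall(use, migration_years, years_to_crqc)))
        for use in inventory
        if is_quantum_vulnerable(use)
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample inventory; systems and figures are illustrative only.
SAMPLE_INVENTORY = [
    CryptoUse("customer-db-backup", "RSA", 2048, data_value=5, secrecy_years=10),
    CryptoUse("vpn-gateway", "X25519", 256, data_value=4, secrecy_years=2),
    CryptoUse("files-at-rest", "AES", 256, data_value=5, secrecy_years=10),
    CryptoUse("code-signing", "ECDSA", 256, data_value=3, secrecy_years=5),
]
```

Running `prioritise(SAMPLE_INVENTORY, 3, 10)` places the ten-year RSA-protected backup far ahead of the short-lived VPN session keys, while AES-256 at rest is left out of the migration list entirely.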
Audit / evidence tips
- Ask for the documented post-quantum transition plan: verify the existence of a structured plan outlining the steps for adopting new cryptographic methods. Good evidence will be a clearly outlined plan with a timeline and assigned responsibilities.
- Ask to see training records: request evidence that IT staff have received training on post-quantum cryptography. Good evidence includes dated records of actual participation in relevant training events.
- Ask for the list of systems identified for transition impact: request a documented risk assessment that identifies which systems will be most affected by quantum threats. Good evidence includes a detailed assessment with a prioritised system list and rationale.
- Ask for vendor evaluation notes: request documentation or minutes showing how new products supporting post-quantum methods were evaluated. Good evidence includes dated meeting notes or a report with detailed evaluations.
- Ask for review meeting notes: request records of the periodic review meetings held to monitor the transition plan's progress. Good evidence shows regular involvement from different teams and updates to the transition plan.
Cross-framework mappings
How ISM-2073 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Supports (4 controls):

| Control | Notes |
|---|---|
| Annex A 5.7 | ISM-2073 requires an organisation to maintain a PQC transition plan to address emerging quantum threats to cryptographic confidentiality ... |
| Annex A 5.21 | ISM-2073 requires an organisation to develop and maintain a PQC transition plan, including managing dependencies on third-party products ... |
| Annex A 8.24 | ISM-2073 requires an organisation to develop, implement and maintain a post-quantum cryptography (PQC) transition plan to manage quantum-... |
| Annex A 8.32 | ISM-2073 requires an organisation to implement and maintain a PQC transition plan, which typically involves coordinated changes to algori... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.