ISACA to certify CMMC assessors in ANZ defence shift
Global technology association ISACA has been appointed the exclusive body responsible for certifying assessors and instructors for the US Department of War's Cybersecurity Maturity Model Certification programme, in a move expected to influence how Australian and New Zealand suppliers approach cyber standards.
ISACA will act as the sole CMMC Assessor and Instructor Certification Organisation (CAICO) for the programme, which sets cybersecurity maturity requirements for companies in the US defence industrial base and their international partners.
The organisation will oversee training, examinations and certification for professionals, assessors and instructors across the global CMMC ecosystem. The structure is intended to create a consistent way of validating the skills of those who assess and teach against the CMMC framework.
The US Department of War developed CMMC as a cybersecurity standard for companies that handle sensitive defence-related information. The programme applies to hundreds of thousands of organisations that manage Controlled Unclassified Information or Federal Contract Information in support of US defence contracts.
CMMC is moving into phased implementation between November 2025 and November 2028. Businesses that work with the US defence supply chain will need to meet defined levels of cyber maturity that match the sensitivity of the information they manage.
ISACA expects that, once fully implemented, CMMC will rank among the largest cybersecurity certification programmes globally by volume of participants.
ANZ defence focus
The appointment has particular relevance for Australia and New Zealand because of their embedded roles in US defence and technology ecosystems. Both countries participate in long-term defence, intelligence and research partnerships with the United States, including the AUKUS security framework and associated industrial projects.
Many organisations in Australia and New Zealand already work with US prime contractors or join multinational programmes in defence, aerospace, advanced manufacturing and cybersecurity. Those entities are likely to encounter CMMC requirements when they handle US defence data or connect into US-controlled systems.
Cloud services, engineering firms and other suppliers that support joint defence projects or US-linked critical infrastructure are also expected to sit within the scope of the standard. That exposure extends CMMC's reach into wider technology and industrial supply chains across the region.
Domestic policy changes are also raising the bar. In Australia, the government is placing greater emphasis on structured cyber practices through the Essential Eight maturity model and through reforms to the Security of Critical Infrastructure Act. Defence agencies are increasing scrutiny of supply chain security through their own assurance programmes.
New Zealand's Cyber Security Strategy and closer alignment with US defence and cloud ecosystems are driving similar expectations. Local firms seeking work in these areas face stronger requirements to demonstrate verifiable security controls and processes.
Training and credentials
CMMC includes a formal training and assessment track for professionals who will carry out audits or guide organisations through the framework. ISACA will now administer the Department of War's full suite of CMMC credentials.
The certifications include CMMC Certified Professional, which covers the foundational knowledge of the model. They also include CMMC Certified Assessor and Lead CMMC Certified Assessor, which prepare individuals to conduct formal assessments. A further designation, CMMC Certified Instructor, recognises professionals who teach CMMC-approved courses.
ISACA plans to integrate these into its wider portfolio of technology and risk credentials. The organisation already runs established certifications such as CISA, CISM, CGEIT, CRISC, CDPSE and a group of advanced artificial intelligence-related qualifications.
ISACA's leadership said the appointment reflects its existing role in cybersecurity training and standards. "ISACA is proud to be recognised as the trusted organisation to administer the credentialing program for DoW's CMMC," said Erik Prusch, CEO, ISACA. "We look forward to leveraging our deep cybersecurity and assurance roots and our global leadership in cybersecurity maturity, training, credentialing and assessment to serve as the CAICO and help the DoW meet the challenge of protecting its sensitive information."
Regional impact
ISACA officials based in Australia expect CMMC to feature heavily in future defence and critical infrastructure contracts in the region. They also expect growing demand for recognised credentials among local professionals.
Jamie Norton, Vice Chair of the ISACA Board and an Australia-based cybersecurity figure, said the framework would quickly become common terminology. "Australia and New Zealand are deeply integrated into global defence and critical-infrastructure supply chains," said Mr Norton. "As CMMC becomes part of U.S. defence procurement, it will increasingly define how international partners demonstrate they can be trusted with sensitive information. ISACA's role as CAICO gives ANZ businesses and professionals a clear pathway to recognised training and credentials that align with international expectations and support the uplift our region is striving for."
The new arrangement also reshapes the governance structure of the CMMC ecosystem. The Cyber AB, which previously carried out the CAICO function, will remain the accreditation body that oversees the programme.
The Cyber AB's leadership said the shift would reinforce trust in the scheme. "We are thrilled to transition the CAICO and the stewardship of its critical mission to ISACA," said Matthew Travis, CEO of The Cyber AB. "ISACA brings unsurpassed credibility and experience to the CMMC program, directly contributing to building greater trust and confidence in the quality of CMMC assessors and in the program overall."
ISACA's CAICO responsibilities take effect immediately, with a full transition scheduled for completion by April 2026. Organisations and professionals that plan to work with the CMMC framework now face a changing credentialing landscape as the handover progresses.