Develop and Maintain a Cyber Security Strategy
Ensure there is a continuous and effective plan for safeguarding cyber activities and data.
Plain language
Having a cyber security strategy means having a plan for keeping your digital stuff safe from cyber threats. This matters because without a plan, your important data could be vulnerable to hackers who might steal information, disrupt your business, or cause you financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Topic
Cyber Security Strategy
Official control statement
A cyber security strategy is developed, implemented and maintained.
Why it matters
Without a cyber security strategy, security activity becomes ad hoc, funding is misdirected, and risk decisions are inconsistent, increasing breach likelihood.
Operational notes
Review the cyber security strategy at least annually and after major change; align to business goals, risk appetite and governance, and track delivery of planned initiatives.
Implementation tips
- Business owner or manager should draft the strategy: Develop a clear document outlining what digital assets you have and the steps your business will take to protect them. Include who is responsible for managing the strategy and set clear timelines for reviewing it.
- IT team should identify risks: Conduct a simple assessment of your cyber security risks by listing potential threats and how they might impact your business. This helps tailor the strategy to address specific areas of concern.
- Managers should engage staff: Organise training sessions to ensure all employees understand their role in the strategy and how to recognise and report suspicious activity. Encourage a culture of security awareness across the organisation.
- HR and procurement combine efforts: Include security checks when hiring new staff or buying new software or equipment. Make sure new joiners or systems align with the security standards outlined in your strategy.
- The board should review regularly: Set regular meetings to review the strategy's effectiveness and update it based on any new risks or changes in technology. Ensure decisions and changes are documented thoroughly.
Audit / evidence tips
- Ask: for the written cyber security strategy document
  Good: the strategy is comprehensive, up-to-date, and aligned with current technology and threats
- Good: evidence of frequent review meetings with documented outcomes and action items
- Ask: how risk assessments are conducted and integrated into the strategy
  Good: a risk assessment that directly informs the strategy and shows ongoing updates
- Good: records showing that procedures were followed as set out in the strategy
Cross-framework mappings
How ISM-0039 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.21 | ISM-0039 requires a maintained cyber security strategy that drives how the organisation manages cyber risks to its information and services |
| Partially overlaps | Annex A 5.24 | ISM-0039 requires a cyber security strategy that is developed, implemented and maintained, which should include how the organisation prep... |
| Supports | Annex A 5.1 | ISM-0039 requires a cyber security strategy to be developed, implemented and maintained as an overarching plan for cyber security |
| Supports | Annex A 5.4 | ISM-0039 requires management-led development, implementation, and ongoing maintenance of a cyber security strategy |
| Supports | Annex A 5.5 | ISM-0039 requires the organisation to maintain a cyber security strategy that remains aligned to the operating and regulatory environment |
| Supports | Annex A 5.6 | ISM-0039 requires a cyber security strategy that is developed and maintained to remain effective over time |
| Supports | Annex A 5.8 | Annex A 5.8 requires information security to be integrated into project management so project outcomes align with security needs |
| Supports | Annex A 5.10 | ISM-0039 requires the organisation to develop, implement and maintain a cyber security strategy to guide and coordinate cyber security ou... |
| Supports | Annex A 5.36 | ISM-0039 requires the organisation to maintain an effective cyber security strategy over time |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.