Develop and Maintain a Cyber Security Strategy
Ensure there is a continuous and effective plan for safeguarding cyber activities and data.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
A cyber security strategy is developed, implemented and maintained.
Source: ASD Information Security Manual (ISM)
Plain language
Having a cyber security strategy means having a plan for keeping your digital stuff safe from cyber threats. This matters because without a plan, your important data could be vulnerable to hackers who might steal information, disrupt your business, or cause you financial harm.
Why it matters
Without a cyber security strategy, security activity becomes ad hoc, funding is misdirected, and risk decisions are inconsistent, increasing breach likelihood.
Operational notes
Review the cyber security strategy at least annually and after major change; align to business goals, risk appetite and governance, and track delivery of planned initiatives.
Implementation tips
- Business owner or manager should draft the strategy: Develop a clear document outlining what digital assets you have and the steps your business will take to protect them. Include who is responsible for managing the strategy and set clear timelines for reviewing it.
- IT team should identify risks: Conduct a simple assessment of your cyber security risks by listing potential threats and how they might impact your business. This helps tailor the strategy to address specific areas of concern.
- Managers should engage staff: Organise training sessions to ensure all employees understand their role in the strategy and how to recognise and report suspicious activity. Encourage a culture of security awareness across the organisation.
- HR and procurement should combine efforts: Include security checks when hiring new staff or buying new software or equipment. Make sure new joiners or systems align with the security standards outlined in your strategy.
- The board should review regularly: Set regular meetings to review the strategy's effectiveness and update it based on any new risks or changes in technology. Ensure decisions and changes are documented thoroughly.
Audit / evidence tips
- Ask: the written cyber security strategy document
  Good: strategy is comprehensive, up-to-date, and aligned with current technology and threats
- Good: includes frequent meetings and documented outcomes and action items
- Ask: how risk assessments are conducted and integrated into the strategy
  Good: a risk assessment that directly informs the strategy and shows ongoing updates
- Good: should show procedures were followed as per the strategy
Cross-framework mappings
How ISM-0039 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes |
|---|---|
| Partially overlaps (2) | |
| Annex A 5.21 | ISM-0039 requires a maintained cyber security strategy that drives how the organisation manages cyber risks to its information and services |
| Annex A 5.24 | ISM-0039 requires a cyber security strategy that is developed, implemented and maintained, which should include how the organisation prep... |
| Supports (7) | |
| Annex A 5.1 | ISM-0039 requires a cyber security strategy to be developed, implemented and maintained as an overarching plan for cyber security |
| Annex A 5.4 | ISM-0039 requires management-led development, implementation, and ongoing maintenance of a cyber security strategy |
| Annex A 5.5 | ISM-0039 requires the organisation to maintain a cyber security strategy that remains aligned to the operating and regulatory environment |
| Annex A 5.6 | ISM-0039 requires a cyber security strategy that is developed and maintained to remain effective over time |
| Annex A 5.8 | Annex A 5.8 requires information security to be integrated into project management so project outcomes align with security needs |
| Annex A 5.10 | ISM-0039 requires the organisation to develop, implement and maintain a cyber security strategy to guide and coordinate cyber security ou... |
| Annex A 5.36 | ISM-0039 requires the organisation to maintain an effective cyber security strategy over time |