Approval Process for Cyber Security Documentation
Cyber security documents need approval from the chief security officer or system officer based on their scope.
Plain language
This control ensures that important cyber security documents are officially approved by the right people in the organisation. It’s vital because if the necessary checks aren't done, important systems could be vulnerable or not compliant with standards, potentially leading to data breaches or other security incidents.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Organisational-level cyber security documentation is approved by the chief information security officer while system-specific cyber security documentation is approved by the system's authorising officer.
Why it matters
If cyber security documentation is not approved by the CISO or the system's authorising officer, controls may be unendorsed and non-compliant, which can lead to avoidable security incidents.
Operational notes
Record CISO approval for organisational documents and AO approval for system documents; keep signed evidence, and periodically review approval status after major changes.
Implementation tips
- The chief information security officer (CISO) should coordinate with department managers to identify all organisational-level cyber security documents that need approval. This can be done by listing current documents and responsibilities in a shared folder.
- System owners should meet with the system's authorising officer to review system-specific security documentation. They should ensure that the documents cover necessary security measures for the system and align with organisational policies.
- The IT team should create a checklist for the authorising officer that highlights key security areas the system documentation must cover. This checklist should be reviewed and updated annually to ensure it remains relevant.
- Managers should organise training sessions for staff involved in creating or approving security documentation to ensure they understand approval procedures and responsibilities. This training can be done via a workshop or an online course.
- Designate a documentation coordinator to keep track of when documents need review and approval. They can use calendar reminders and shared spreadsheets to manage timelines and ensure no documents are missed.
Audit / evidence tips
- Ask: the master list of organisational-level security documents
- Good: a document that clearly shows which aspects of the system it covers and the specifics of any recent approval
- Ask: how they decide if a document needs their approval and how they ensure accuracy. Good: both parties describing their roles and the regular processes in place
- Good: includes dates, attendee lists, and training materials or slides
Cross-framework mappings
How ISM-0047 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 5.1 | ISM-0047 requires organisational cyber security documentation to be approved by the CISO and system-specific documentation to be approved... |
| Partially overlaps (2) | Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |
| Partially overlaps (2) | Annex A 5.3 | Annex A 5.3 requires segregation of conflicting responsibilities to reduce the risk of unauthorised or inappropriate actions going unchecked |
| Supports (3) | Annex A 5.4 | Annex A 5.4 requires management to ensure personnel apply information security consistent with established policies and procedures |
| Supports (3) | Annex A 5.10 | Annex A 5.10 requires acceptable use rules and handling procedures to be identified, documented and implemented |
| Supports (3) | Annex A 5.31 | Annex A 5.31 requires the organisation to document and maintain its information security legal, regulatory, and contractual requirements ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.