Approval Process for Cyber Security Documentation
Cyber security documentation must be approved by the chief information security officer (CISO) or the relevant system's authorising officer (AO), depending on whether its scope is organisational or system-specific.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2025
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Organisational-level cyber security documentation is approved by the chief information security officer while system-specific cyber security documentation is approved by the system's authorising officer.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that cyber security documents are formally approved by the right person for their scope: the CISO for organisation-wide documents and the system's authorising officer for system-specific ones. Without that sign-off, a document may describe controls nobody has actually endorsed, so the system it covers can end up non-compliant or exposed to avoidable security incidents.
Why it matters
If cyber security documentation is not approved by the CISO or the system's authorising officer, the controls it describes lack endorsement from the accountable person, the organisation may be non-compliant with the ISM, and weaknesses in the unapproved documentation can go unchallenged and lead to avoidable security incidents.
Operational notes
Record CISO approval for organisational documents and AO approval for system documents; keep signed evidence, and periodically review approval status after major changes.
Implementation tips
- The chief information security officer (CISO) should coordinate with department managers to identify all organisational-level cyber security documents that need approval. This can be done by listing current documents and responsibilities in a shared folder.
- System owners should meet with the system's authorising officer to review system-specific security documentation. They should ensure that the documents cover necessary security measures for the system and align with organisational policies.
- The IT team should create a checklist for the authorising officer that highlights key security areas the system documentation must cover. This checklist should be reviewed and updated annually to ensure it remains relevant.
- Managers should organise training sessions for staff involved in creating or approving security documentation to ensure they understand approval procedures and responsibilities. This training can be done via a workshop or an online course.
- Designate a documentation coordinator to keep track of when documents need review and approval. They can use calendar reminders and shared spreadsheets to manage timelines and ensure no documents are missed.
Audit / evidence tips
- Ask: for the master list of organisational-level security documents and the CISO approval recorded against each
- Good: each document on the list shows its scope and the specifics of its most recent approval (who approved it, and when)
- Ask: for system-specific security documentation and the authorising officer's approval of it
- Good: a document that clearly shows which aspects of the system it covers and the specifics of any recent approval
- Ask: the CISO and a system authorising officer how they decide whether a document needs their approval and how they ensure its accuracy
- Good: both parties can describe their roles and the regular processes in place
- Ask: for records of training given to staff who create or approve security documentation
- Good: records include dates, attendee lists, and the training materials or slides used
Cross-framework mappings
How ISM-0047 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 5.1 | ISM-0047 requires organisational cyber security documentation to be approved by the CISO and system-specific documentation to be approved... | |
| Partially overlaps (2) | ||
| Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs | |
| Annex A 5.3 | Annex A 5.3 requires segregation of conflicting responsibilities to reduce the risk of unauthorised or inappropriate actions going unchecked | |
| Supports (3) | ||
| Annex A 5.4 | Annex A 5.4 requires management to ensure personnel apply information security consistent with established policies and procedures | |
| Annex A 5.10 | Annex A 5.10 requires acceptable use rules and handling procedures to be identified, documented and implemented | |
| Annex A 5.31 | Annex A 5.31 requires the organisation to document and maintain its information security legal, regulatory, and contractual requirements ... | |