ISM-0701 policy ASD Information Security Manual (ISM)

CISO Management of Cyber Security Personnel

The Chief Information Security Officer (CISO) manages cyber security staff in the organisation.


Plain language

This control means that the Chief Information Security Officer (CISO) is responsible for leading and managing the organisation's cyber security staff. It matters because without someone effectively overseeing these specialists, security effort becomes fragmented, leaving the organisation exposed to cyber threats that could disrupt operations or compromise sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained.

Why it matters

Without mobile device emergency sanitisation processes, lost or stolen devices may expose sensitive data, causing reportable breaches and operational harm.


Operational notes

Test and maintain mobile device emergency sanitisation (e.g. remote wipe) procedures, including the triggers that invoke them, who is responsible for authorising and executing a wipe, how each action is logged, and periodic drills that cover newly introduced device models.


Implementation tips

  • The CISO should first identify all cyber security roles within the organisation. This can be done by reviewing current job descriptions and responsibilities to ensure they align with the organisation's security needs.
  • HR should work closely with the CISO to establish clear hiring guidelines for security positions. This includes setting criteria for qualifications and experience relevant to the organisation's specific cyber security challenges.
  • The IT team should set up regular training sessions for all cyber security personnel. This involves scheduling workshops and ensuring staff attend and understand new security practices and technologies.
  • Managers should implement a regular review process for the cyber security team's performance. This can be done by setting up quarterly review meetings to discuss achievements, challenges, and areas for improvement.
  • The organisation's leadership should ensure the CISO has the necessary support to make strategic decisions. This can mean allocating budget for tools, training, or additional staffing as required.

Audit / evidence tips

  • Ask: The organisational chart. Request the latest version that includes all cyber security roles. Good: A chart showing clear lines of responsibility under the CISO.
  • Ask: Performance review templates used for cyber security staff. Request examples of past reviews. Good: Documented evidence of regular reviews tied to security goals.
  • Ask: Training records. Request a list of recent training sessions and attendance records for the cyber security team. Good: A timeline of relevant cyber security training with full team participation.
  • Ask: Hiring records. Request examples of job advertisements and the recruitment process for recent cyber security hires. Good: A standardised hiring process aligned to specific cyber security needs.
  • Ask: A list of security tools and technologies. Request documentation on what the team uses. Good: A list of current, appropriately resourced tools supported by the organisation.

Cross-framework mappings

How ISM-0701 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001: Supports (2)

Control | Notes
Annex A 5.2 | ISM-0701 requires the CISO to manage cyber security personnel, implying the organisation assigns leadership and accountability for securi...
Annex A 6.3 | ISM-0701 requires the CISO to manage cyber security personnel, which includes ensuring staff capability and ongoing effectiveness of secu...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
