Appointment of CISO for Cyber Security Leadership
Ensure a CISO is appointed to lead and guide the organisation's cyber security efforts.
Plain language
This control is about appointing someone as the Chief Information Security Officer (CISO) to lead and oversee all the cyber security tasks in an organisation. It matters because without a dedicated leader to focus on keeping your digital information safe, your organisation is like a ship without a captain, which can easily run into trouble from cyber threats.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
A CISO is appointed to provide cyber security leadership and guidance for their organisation (covering information technology and operational technology).
Why it matters
Without an appointed CISO, cyber security leadership is unclear across IT/OT, causing fragmented priorities, slower decisions, and higher breach likelihood.
Operational notes
Formally appoint a CISO with clear remit over cyber security for both IT and OT, defined decision rights, and regular reporting to executives and key stakeholders.
Implementation tips
- The board or top management should appoint the CISO: Identify an experienced and knowledgeable person to take on this role, someone who understands IT, operational technology (OT) and the business. Begin by reviewing internal candidates who have leadership and cyber security expertise, or consider hiring externally if needed.
- The CISO should create a clear cyber security plan: Once appointed, the CISO should outline a comprehensive strategy that includes key risk areas and security priorities for the organisation. This involves gathering input from various departments to understand their specific security needs.
- HR or management should define the CISO's responsibilities: Clearly delineate the tasks and authority of the CISO in a documented role description, ensuring it includes oversight over both information technology and operational technology security.
- The CISO should regularly report to the board: Establish a routine where the CISO provides updates about cyber security risks and initiatives to senior leaders. Schedule these reports quarterly to ensure the board is aware and can make informed decisions.
- The IT department should support the CISO with accurate data: Provide the CISO with up-to-date information on current systems and potential vulnerabilities. This data should come from regular security assessments and staff reports.
Audit / evidence tips
- Ask for the CISO's appointment letter: Request the official document that confirms the CISO's role and responsibilities. Good evidence includes the role's scope and specific responsibilities being clearly defined.
- Ask for recent CISO reports to the board: Review the documentation or presentations shared with the board by the CISO. Good evidence shows regular, detailed updates on cyber security issues and plans.
- Ask for the cyber security strategy document: Obtain the document that outlines the organisation's cyber security plan created by the CISO. Good evidence includes a detailed plan with defined goals and timelines.
- Ask for meeting minutes from CISO-led security discussions: Request the records from meetings where the CISO discussed security concerns with other department heads. Good evidence includes agreed accountability and follow-up actions.
- Ask for a role description for the CISO: Check the specific duties and authority outlined for the CISO in the official role documentation. Good evidence includes comprehensive coverage of responsibilities aligning with the organisation's needs.
Cross-framework mappings
How ISM-0714 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.2 | Partially overlaps | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |
| Annex A 5.24 | Partially overlaps | Annex A 5.24 requires planning and preparation for incident management, including defining roles and responsibilities |
| Annex A 5.4 | Supports | Annex A 5.4 requires management to make sure personnel follow established information security policies, topic-specific policies and proc... |
| Annex A 6.2 | Supports | Annex A 6.2 requires employment contractual agreements to clearly state information security responsibilities for personnel and the organ... |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-AC-ML2.9 | Related | ISM-0714 requires the organisation to appoint a CISO to provide cyber security leadership and guidance |
| E8-AH-ML2.16 | Related | ISM-0714 requires appointing a CISO to lead and guide cyber security across IT and OT |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.