Control Stack
ISM-0717 ASD Information Security Manual (ISM)

CISO Oversight of Cyber Security Personnel

The CISO oversees how the organisation's cyber security personnel are managed.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Sept 2020

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
The CISO oversees the management of cyber security personnel within their organisation.

Source: ASD Information Security Manual (ISM)

Plain language

The Chief Information Security Officer (CISO) is responsible for overseeing how the cyber security team at their organisation is managed: who is in each role, who they report to, and whether they are resourced and trained for the job. The CISO does not have to line-manage every individual, but is accountable for the team being staffed, skilled and prepared to handle threats, which reduces the likelihood of incidents that could damage the organisation's reputation and finances.

Why it matters

Without CISO oversight, cyber security personnel may be mismanaged: accountability becomes unclear, resourcing and training are not tracked, and capability gaps go unnoticed, which increases the likelihood of missed threats and major incidents.

Operational notes

Define the CISO’s accountability for cyber security personnel: set roles, reporting lines and KPIs; review workload, resourcing and training regularly; and address capability gaps promptly.

Implementation tips

  • The CISO should conduct regular one-on-one meetings with each member of the cyber security team to discuss current projects, challenges, and professional development. These meetings can be held monthly and documented to track progress and provide support where needed.
  • Human Resources should assist the CISO in developing clear job descriptions and responsibilities for all cyber security roles. This can be achieved by conducting a review of existing roles and aligning them with security objectives, ensuring clarity in duties and expectations.
  • The IT manager should set up a skills inventory for the cyber security team. This will help in identifying any training needs and ensuring team members have the skills needed for emerging threats. Regularly review this inventory and plan training sessions or courses to fill any gaps.
  • The cyber security team, led by the CISO, should establish a weekly check-in to go over the latest threats and determine how they affect the organisation's systems. This helps the team stay current and adapt its strategies accordingly.
  • Leadership (CISO, HR, and senior managers) should organise annual team-building exercises aimed at better communication and coordination within the cyber security team. These activities can be simple workshops or seminars designed to improve teamwork and problem-solving skills.

Audit / evidence tips

  • Ask: records of the one-on-one and team meetings held with cyber security personnel

    Good: Regularly documented meetings with follow-up actions and reviews noted

  • Ask: the cyber security roles and responsibilities document, outlining each team member's role and key responsibilities

    Good: Detailed role descriptions that match current organisational needs

  • Ask: the latest skills inventory for the cyber security team

    Good: A comprehensive list of current skills, identified needs and completed training, showing proactive skill development

  • Ask: documentation or minutes of the weekly threat check-ins

    Good: Consistent records showing recent threat analyses and the resulting changes to security practices

  • Ask: details of past team-building initiatives and their attendance records

    Good: Documented activities with full participation aimed at improving team cohesion

Cross-framework mappings

How ISM-0717 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (1 mapping)

Control: Annex A 5.2 (Information security roles and responsibilities)
Relationship: Partially overlaps
Notes: Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs.
