ISM-0718 ASD Information Security Manual (ISM)

CISO Reporting to Board on Cyber Security

The CISO must regularly update the board or executive committee on cyber security issues.

🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Proactive
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2025
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A

Official control statement
The CISO regularly reports directly to their organisation's board of directors or executive committee on cyber security matters.

Source: ASD Information Security Manual (ISM)

Plain language

The Chief Information Security Officer (CISO) should regularly update the board or executive committee about cybersecurity issues and strategies. This is important because if the organisation's leadership isn't aware of cyber risks, they can't make informed decisions to protect the company from financial loss or reputational harm due to security breaches.

Why it matters

Without direct CISO reporting to the board, cyber risk may be under‑reported, delaying investment decisions and worsening breach impact and governance outcomes.

Operational notes

Schedule regular CISO briefings to the board/executive committee covering top risks, incidents, metrics, and funded remediation decisions aligned to risk appetite.

Implementation tips

  • The CISO should schedule regular meetings with the board: Set up a recurring appointment, perhaps monthly or quarterly, to ensure consistent communication. Present recent cybersecurity developments, potential risks, and how the team is addressing them.
  • The IT team should prepare concise reports: Create straightforward summaries that highlight key security metrics and incidents. These reports should include clear explanations of technical terms to help the board understand the issues better.
  • The HR department can help with training: Coordinate with the CISO to organise awareness sessions for board members. These sessions should equip them with the basic knowledge of cybersecurity risks and the organisation's strategies to mitigate them.
  • Finance staff should collaborate with the CISO: Work together to estimate the financial impact of potential cybersecurity incidents. This information will help the board grasp the cost-benefit analysis of investing in cybersecurity measures.
  • The CISO should use visual aids in presentations: Prepare slides with charts and graphics to illustrate complex information simply. Visuals can make it easier for board members to understand the state of cybersecurity and the effectiveness of current measures.

Audit / evidence tips

  • Ask: minutes from board meetings. Check if cybersecurity issues were discussed and who attended. Good minutes show consistent discussion of security matters with clear actions decided.
  • Good: the report should be easy to understand and show recent incidents and future plans.
  • Ask: training records. Verify if board members attended cybersecurity training. Good records list participants, topics covered, and the date of the session.
  • Good: the assessment includes a cost-benefit analysis and recommendations for resource allocation.
  • Ask: presentation materials. Review if the visuals used by the CISO aid board understanding. Good materials should simplify complex security concepts and focus on critical data.

Cross-framework mappings

How ISM-0718 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (2)
  • Annex A 5.35: ISM-0718 requires the CISO to regularly report cyber security matters directly to the board or executive committee.
  • Annex A 5.36: ISM-0718 mandates regular cyber security reporting by the CISO to the board.

Supports (2)
  • Annex A 5.1: ISM-0718 requires CISO board reporting on cyber security.
  • Annex A 5.4: Annex A 5.4 requires management to require all personnel to comply with established information security policies and procedures.
