ISM-0720: ASD Information Security Manual (ISM) policy

Develop and Maintain a Cyber Security Communication Strategy

The CISO creates and updates a strategy to share the organisation's cyber security goals effectively.


Plain language

The Chief Information Security Officer (CISO) needs to set up a plan to communicate the organisation's cybersecurity goals clearly to everyone involved. This matters because if people don't understand the cybersecurity goals, they are less likely to follow security measures, which can lead to data breaches or other cyber incidents.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The CISO oversees the development, implementation and maintenance of a cyber security communications strategy to assist in communicating the cyber security vision and strategy for their organisation.

Why it matters

Without a CISO-led cyber security communications strategy, staff and executives receive inconsistent guidance, delaying response and increasing incident likelihood.


Operational notes

Maintain a CISO-approved communications plan that defines audiences, channels and cadence; include incident updates, awareness messages, named ownership and measures of reach and effectiveness.


Implementation tips

  • The CISO should organise a workshop with key staff members, such as managers and team leaders, to discuss the current cybersecurity goals and how they align with the organisation's overall objectives. During this workshop, collaboratively identify communication methods that best reach all employees and stakeholders.
  • Managers should develop tailored messaging for their teams that explains how cybersecurity goals impact their specific roles. They can do this by collaborating with the IT team to simplify technical information into everyday language, ensuring clarity and understanding.
  • The IT department should create clear and concise visual aids, such as posters or infographics, that summarise the organisation's main cybersecurity strategies. Display these materials in common areas and distribute them electronically to keep cybersecurity at the forefront of employees’ minds.
  • Human Resources should incorporate cybersecurity training into their onboarding process for new employees. They can integrate this by developing a simple, engaging training module that highlights key cybersecurity messages and best practices within the organisation.
  • The CISO should establish a regular communication schedule to update the entire organisation on changes to the cybersecurity strategy. This can be achieved through quarterly newsletters or all-hands meetings where successes and new challenges are discussed openly.

Audit / evidence tips

  • Ask for: the documented cybersecurity communication strategy. Verify it is updated regularly and aligns with the organisation's goals. Good evidence: a well-documented plan reviewed at least annually with specific communication goals.
  • Ask for: records of cybersecurity workshops or meetings. Check attendance lists and meeting minutes to ensure they include key members.
  • Ask for: samples of communication materials such as newsletters or infographics. Examine the clarity and relevance of the information provided. Good evidence: regularly updated materials that clearly convey cybersecurity objectives.
  • Ask for: the onboarding training modules. Review the content for comprehensiveness and accessibility.
  • Ask for: records of feedback mechanisms. Enquire about how feedback is collected regarding the effectiveness of communication strategies.

Cross-framework mappings

How ISM-0720 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship: Supports (2 controls)

  • Annex A 5.4: requires management to ensure personnel apply information security in line with established policies and procedures
  • Annex A 5.6: requires the organisation to establish and maintain ongoing contact with special interest groups or other specialist security...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
