Coordinate Cyber Security Steering Committees
The CISO ensures cyber security and business strategies align by holding regular meetings with key executives.
Plain language
A cyber security steering committee ensures that your business goals align with your cyber security strategies by bringing together key business and security leaders. If this doesn't happen, your company might face unnecessary risks because your security measures aren't keeping up with business decisions, possibly leading to data breaches or financial loss.
Framework: ASD Information Security Manual (ISM)
Control effect: Proactive
Classifications: NC, OS, P, S, TS
ISM last updated: Nov 2021
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Guideline: Guidelines for cyber security roles
Official control statement
The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.
Why it matters
Without an executive cyber security steering committee, cyber priorities can drift from business needs, delaying risk decisions and funding and increasing exposure to major incidents.
Operational notes
Establish a steering committee of key cyber and business executives; meet regularly with minutes, risk/prioritisation decisions, owners and due dates tracked to closure.
Implementation tips
- The CISO (Chief Information Security Officer) should establish the committee by inviting key executives from both the business and security teams. Ensure that representatives from IT, finance, risk management, and operations are included to have a comprehensive perspective on security needs.
- The CISO should coordinate regular meetings for the committee, perhaps monthly, to discuss current cyber threats and how these intersect with business strategies. Use video conferencing tools for remote attendance to ensure everyone is able to participate.
- The CISO should set the agenda for each committee meeting, focusing on understanding upcoming business initiatives and their potential security implications. Collaborate with department heads to gather topics for discussion prior to meetings.
- The committee members should be tasked with reviewing recent security incidents and deciding if adjustments are needed to better align with business goals. Each member should come prepared with insights from their respective teams.
- The committee should regularly assess if the current security posture supports the business growth plans by reviewing metrics such as incident response times and the effectiveness of existing security measures. Facilitate open discussions for potential improvements.
Audit / evidence tips
- Ask for past meeting minutes: request documentation of steering committee meetings held in the past year.
- Ask for meeting agendas: request several past agendas from these meetings to understand the discussion focus areas.
- Ask for a list of committee members: verify who is on the steering committee by requesting an updated member list, and check for representation from both business and cyber security. A good committee will have a diverse range of executives from all critical business functions.
- Ask to review policy alignment notes: request the output from committee meetings that details how business policies are aligned with cyber security strategies.
- Ask for the evaluation reports: request reports generated as a result of steering committee evaluations on the effectiveness of current security measures. A good report will have actionable insights and follow-up plans.
Cross-framework mappings
How ISM-0725 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

Partially overlaps (1)

| Control | Notes |
|---|---|
| Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |

Supports (3)

| Control | Notes |
|---|---|
| Annex A 5.1 | ISM-0725 requires the CISO to align cyber security and business strategies through a regular, formal executive steering committee/advisor... |
| Annex A 5.4 | Annex A 5.4 requires management to ensure personnel apply information security in line with organisational policies and procedures |
| Annex A 5.35 | ISM-0725 requires the CISO to coordinate cyber security and business alignment via a formal, regularly meeting cyber security steering co... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.