Coordinate Security Risk Management Activities
The CISO ensures business and security teams work together effectively on managing security risks.
Plain language
This control requires the Chief Information Security Officer (CISO) to make sure everyone in the organisation understands the potential risks to its digital systems. It's like having a designated person who gets everyone to work together on spotting security threats and figuring out how to deal with them. If these teams don't communicate well, things can slip through the cracks, increasing the chance of data leaks or cyber attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO coordinates security risk management activities between cyber security and business teams.
Why it matters
Without CISO-led coordination between cyber security and business teams, risk decisions can be inconsistent, leaving gaps in treatment and slower incident response.
Operational notes
Have the CISO run recurring cyber/business risk forums, maintain a shared risk register, and agree escalation paths so priorities and treatments stay aligned across teams.
Implementation tips
- The CISO should organise regular meetings: Schedule meetings between security and business teams to discuss potential risks and security strategies. These should happen monthly and include a clear agenda to cover what each team needs. This helps everyone stay on the same page.
- Security officers should create a risk assessment checklist: Develop a checklist that business teams can use to identify potential security risks in their areas. This checklist should be simple and encourage team members to spot potential issues before they become problems.
- Business managers should complete risk awareness training: Have managers participate in training sessions that explain common cyber threats and how they affect business operations. This equips managers with the knowledge they need to understand why security measures matter.
- The IT team should use clear communication tools: Implement easy-to-use tools and platforms where security and business teams can efficiently share updates and alerts. For example, a shared online document or a chat group dedicated to security issues can help catch problems early.
- HR should onboard new employees on security protocols: Include security awareness in the induction process for new staff, clearly explaining the organisation's approach to managing cyber risks. Use easy-to-understand materials such as videos and infographics to make the information accessible.
Audit / evidence tips
- Ask: meeting minutes. Request the documented notes from meetings between security and business teams.
  Good: shows regular meetings with active participation from all relevant parties.
- Good: has a comprehensive checklist tailored to the organisation's risks.
- Ask: training completion records. Request certificates or logs showing that managers have completed risk awareness training.
  Good: shows up-to-date training for all key personnel.
- Ask: an overview or demonstration of the communication tools used by teams to share security information.
  Good: offers quick, clear pathways for sharing urgent security updates.
- Ask: onboarding materials. Request the materials used in onboarding new employees about security protocols, and review them for clarity and relevance.
  Good: shows that employees are informed about security right from the start.
Cross-framework mappings
How ISM-0726 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |
| Supports | Annex A 5.1 | ISM-0726 requires the CISO to coordinate security risk management activities between cyber security and business teams |
| Supports | Annex A 5.4 | ISM-0726 requires the CISO to coordinate security risk management activities between cyber security and business teams |
| Supports | Annex A 5.8 | Annex A 5.8 requires projects to incorporate security risk management and appropriate coordination so risks introduced by change are iden... |
| Supports | Annex A 5.24 | Annex A 5.24 requires defined and communicated incident management processes and responsibilities to ensure organisational readiness |
| Supports | Annex A 5.35 | ISM-0726 requires the CISO to coordinate security risk management activities between cyber security and business teams |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.