Manage and Allocate Cyber Security Budget
The CISO is responsible for handling the organisation's dedicated cyber security funds.
Plain language
The Chief Information Security Officer (CISO) needs to oversee and manage a dedicated budget specifically for cyber security. This is important because having allocated funds ensures that the organisation can proactively protect its data and systems from cyber threats, rather than reacting only after an attack occurs.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO receives and manages a dedicated cyber security budget for their organisation.
Why it matters
If the CISO does not manage a dedicated cyber security budget, risk treatments and key security initiatives may not be funded, increasing the likelihood and impact of incidents and data loss.
Operational notes
Maintain a CISO-owned dedicated cyber security budget; review quarterly and reallocate to priority risk treatments, capability uplift, and emerging threats, with clear approvals and tracking of spend.
Implementation tips
- The CISO should work with the finance manager to understand the total amount allocated for cyber security in the annual budget. They can do this by reviewing financial reports and discussing future projections for maintaining or improving cyber defences.
- The IT team should list all necessary security measures and tools required for the year. This includes software licences, staff training programs, and any external consultancy needed. By preparing a detailed wish list, they can help the CISO allocate the budget effectively.
- Managers in each department should identify any specific security concerns they have. They need to communicate these to the CISO during budget planning meetings so that funds can be distributed to address these particular risks.
- Procurement should be involved to ensure that all purchases related to cyber security comply with the organisation's buying policies. They should assist the CISO in negotiating contracts with vendors to get the best possible deals.
- The CISO should set up regular reviews of the cyber security budget to track spending and adjust priorities as needed. These reviews can help ensure that funds are not wasted and that high-risk areas are sufficiently protected.
Audit / evidence tips
- Ask for the cyber security budget plan: Request a document that outlines the budget allocation for various security measures. Good evidence is a detailed breakdown showing alignment with the organisation's risk priorities.
- Ask for meeting notes or minutes from budget planning meetings: These should show discussions and decisions about cyber security funding. Good evidence includes specific actions to address risks discussed in the meetings.
- Ask for procurement records for cyber security purchases: Request receipts or contracts related to tools and services bought. Check if the purchases align with budget plans and provide good value. Good evidence confirms that spending matches planned budget items and priorities.
- Ask for periodic budget review reports: Choose reports that track how well the budget is being utilised throughout the year. Good evidence includes justified reallocations and tracks unspent funds or overruns effectively.
- Ask for documentation on security risks identified and mitigations planned: This should tie back to budget allocations. Good evidence details clear links between risks assessed, priorities set, and funds allocated to mitigate those risks.
Cross-framework mappings
How ISM-0732 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

Partially overlaps (1)

| Control | Notes |
|---|---|
| Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |

Supports (2)

| Control | Notes |
|---|---|
| Annex A 5.1 | ISM-0732 requires that the CISO receives and manages a dedicated cyber security budget for the organisation |
| Annex A 5.35 | ISM-0732 requires that the CISO receives and manages a dedicated cyber security budget for the organisation |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.