Ensure CISO Awareness of Cyber Incidents
The CISO should be informed about all cyber security incidents in the organisation.
Plain language
This control means that the Chief Information Security Officer (CISO) must be kept in the loop about every cyber security issue that happens within the organisation. It matters because if incidents are kept hidden or not communicated promptly, the organisation could face bigger security risks, leading to data breaches, financial loss, or damage to its reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO is fully aware of all cyber security incidents within their organisation.
Why it matters
Incidents that are not escalated to the CISO can grow unchecked, causing severe reputational damage and financial loss because the person accountable for the response is not informed in time to act.
Operational notes
Ensure incident reports are relayed to the CISO within 24 hours, enabling timely decision-making and effective response coordination.
Implementation tips
- CIO (Chief Information Officer) should establish a process: Develop a clear communication plan to inform the CISO of any cyber incidents. Set up automatic alerts through email or a secure messaging platform each time an incident is reported.
- IT security team should document incidents: Keep a detailed record of what happens during each incident, complete with timelines and response actions. Use a shared system where the CISO can access and review these records anytime.
- Office Manager should coordinate regular updates: Schedule a weekly briefing with the CISO to review all incidents reported during the period. Use this time to discuss any changes in response strategies or upcoming risks.
- HR should train staff: Educate employees about the importance of reporting cybersecurity incidents. Provide simple guidelines on how to escalate issues to ensure the CISO is informed quickly.
- Procurement should ensure tools are in place: Acquire the right tools for tracking and managing incidents. Ensure these tools have user-friendly reporting features so that incidents can be logged and accessed by the CISO efficiently.
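The operational note above sets a 24-hour window for relaying incidents to the CISO, and the audit tips later on the page ask for timestamped incident logs as evidence. The following script is an added example, not code from the ISM or from Control Stack, of an audit check that reads such a log and reports every incident that was relayed late or never relayed at all. The record format, field names and the sample incidents are constructed assumptions; adapt the field names to whatever the organisation's incident tracking tool exports.

```python
from datetime import datetime, timedelta, timezone

# Maximum allowed time between an incident being recorded and the CISO being notified
# (the 24-hour window from the operational notes).
CISO_NOTIFICATION_WINDOW = timedelta(hours=24)

# Constructed sample records; the field names "recorded_at" and "ciso_notified_at"
# are assumptions, not a format any real tool is known to export.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "recorded_at": "2026-03-01T09:00:00+00:00",
     "ciso_notified_at": "2026-03-01T10:30:00+00:00"},          # relayed within 1.5 h
    {"id": "INC-002", "recorded_at": "2026-03-02T08:00:00+00:00",
     "ciso_notified_at": "2026-03-03T09:15:00+00:00"},          # relayed 1 h 15 min late
    {"id": "INC-003", "recorded_at": "2026-03-03T12:00:00+00:00",
     "ciso_notified_at": None},                                 # never relayed
    {"id": "INC-004", "recorded_at": "2026-03-04T12:00:00+00:00",
     "ciso_notified_at": "2026-03-05T12:00:00+00:00"},          # exactly on the deadline
]


def _parse(ts):
    """Parse an ISO-8601 timestamp; None stays None (not yet notified)."""
    return datetime.fromisoformat(ts) if ts else None


def check_ciso_notification(incidents, now=None, window=CISO_NOTIFICATION_WINDOW):
    """Return one finding per incident that breaches the notification window.

    A finding has status "late" (notified after the deadline) or "not_notified"
    (no notification recorded and the deadline has already passed). Incidents
    still inside their window with no notification yet produce no finding.
    "now" may be a datetime or an ISO-8601 string; it defaults to the current UTC time.
    """
    if isinstance(now, str):
        now = _parse(now)
    now = now or datetime.now(timezone.utc)

    findings = []
    for inc in incidents:
        recorded = _parse(inc["recorded_at"])
        notified = _parse(inc.get("ciso_notified_at"))
        deadline = recorded + window

        if notified is None:
            if now > deadline:
                overdue = now - deadline
                findings.append({"id": inc["id"], "status": "not_notified",
                                 "overdue_hours": round(overdue.total_seconds() / 3600, 2)})
        elif notified > deadline:
            overdue = notified - deadline
            findings.append({"id": inc["id"], "status": "late",
                             "overdue_hours": round(overdue.total_seconds() / 3600, 2)})
    return findings


def format_report(findings):
    """Render findings as one line each, suitable for an audit working paper."""
    if not findings:
        return "All incidents were relayed to the CISO within the window."
    return "\n".join(f"{f['id']}: {f['status']} (overdue by {f['overdue_hours']} h)"
                     for f in findings)


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    print(format_report(check_ciso_notification(SAMPLE_INCIDENTS,
                                                now="2026-03-10T00:00:00+00:00")))
```

Note that an incident notified exactly at the deadline is treated as compliant, and an open incident is only flagged once its deadline has passed; both choices are assumptions made here and can be tightened to suit the organisation's own policy.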
Audit / evidence tips
- Ask for the incident communication plan: request a written document that outlines how cyber incidents are communicated to the CISO. Good evidence: includes clear procedures and contact channels for alerting the CISO.
- Ask to see incident logs: request access to recent cybersecurity incident records. Good evidence: shows complete logs with time stamps and actions taken.
- Ask for meeting records: request minutes or notes from the CISO's regular briefing meetings. Good evidence: includes dates, attendees, and summarized discussions of incidents.
- Ask about staff training records: obtain proof of staff training on reporting incidents. Good evidence: shows high participation rates and relevant, up-to-date content.
- Ask for tool usage reports: request data on the usage of tools designed for incident tracking and reporting. Good evidence: shows regular, documented usage and CISO engagement.
Cross-framework mappings
How ISM-0733 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.24 | Annex A 5.24 requires the organisation to define and communicate incident management processes and roles to be prepared to manage incidents |
| Related | Annex A 5.2 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation |
E8
| Relationship | Control | Notes |
|---|---|---|
| Supports | E8-MF-ML2.12 | E8-MF-ML2.12 requires enacting the incident response plan after identification of a cyber incident |
| Related | E8-AC-ML2.9 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation |
| Related | E8-MF-ML2.10 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation |
| Related | E8-RA-ML2.11 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation |
| Related | E8-AH-ML2.16 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.