ISM-0734 policy ASD Information Security Manual (ISM)

CISO Role in Disaster Recovery Planning

The CISO helps to ensure recovery plans are in place to maintain essential services during a disaster.


Plain language

The Chief Information Security Officer (CISO) plays a crucial role in creating and maintaining plans to keep your essential business services running if a disaster strikes, like a cyberattack or a natural event. If these plans aren't in place, an unexpected incident could stop the entire operation, leading to financial loss, data breaches, and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

The CISO contributes to the development, implementation and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.

Why it matters

If the CISO does not contribute to BCP/DR planning, recovery priorities may miss business-critical services, extending outages and increasing financial and reputational harm.


Operational notes

Have the CISO review and sign off BCP/DR plans, ensure critical services and recovery objectives are defined, and run scheduled exercises to keep plans current.


Implementation tips

  • CISOs should collaborate with business leaders to identify all critical services that need protection in case disaster strikes. This involves listing services that, if interrupted, would have severe business and financial impacts, and prioritising them for recovery efforts.
  • The IT team should draft a disaster recovery plan that details how to restore each critical service identified. They can achieve this by mapping out each required step from backup restoration to verifying functionality, ensuring all details are clearly documented and accessible.
  • Managers should organise regular practice runs of the disaster recovery plan to ensure everyone who needs to be involved knows their role. This means setting up mock disaster events and running through the recovery steps to find any weaknesses in the plan.
  • System owners must ensure that any technology required for recovery is regularly tested and updated. This includes checking that backups are current and that any software used in recovery can operate on newer systems.
  • HR should develop a communication plan to keep all employees informed during a disaster. This includes setting up a phone tree or mass notification system to quickly and clearly communicate instructions or updates during an event.

Audit / evidence tips

  • Ask: The disaster recovery plan document. Ensure it includes clear steps for restoring essential services and names responsible team members. Good: Will include a comprehensive, step-by-step plan with stakeholder roles defined.
  • Good: Includes a dated assessment with clear priorities and justifications.
  • Ask: Training records related to disaster recovery. Check that regular drills or training sessions are held and documented. Good: Record shows that practice runs or refreshers happen at least annually with noted attendance and feedback.
  • Good: Includes a testing schedule and successful test outcomes.
  • Good: Has a readily accessible plan with a structured hierarchy and templates for messages.

Cross-framework mappings

How ISM-0734 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.29: ISM-0734 requires the CISO to contribute to developing, implementing and maintaining business continuity and disaster recovery plans so b...
  • Annex A 5.30: ISM-0734 requires the CISO to assist in business continuity and disaster recovery planning to ensure business-critical services can be sus...

Partially overlaps (2)
  • Annex A 5.2: Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs.
  • Annex A 7.5: Annex A 7.5 requires organisations to design and implement protection against physical and environmental threats, including natural disas...

E8

Supports (1)
  • E8-RB-ML1.1: ISM-0734 involves the CISO contributing to BC/DR plans so critical services are supported during disasters.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
