ISM-0888: ASD Information Security Manual (ISM)

Annual Review of Cyber Security Documentation

Cyber security documents are checked yearly to ensure they are up-to-date.

Plain language

This control is all about making sure your business's cyber security documents are kept up-to-date. It's like checking your pantry every year to toss expired items and restock essentials. If you don't do this, you might accidentally be following outdated advice, which could leave your organisation vulnerable to cyber threats.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Cyber security documentation is reviewed at least annually and includes a 'current as at [date]' or equivalent statement.

Why it matters

If cyber security documentation is not reviewed at least annually, staff may follow outdated guidance, raising security risk and audit non-compliance.

Operational notes

Set an annual review cadence for all cyber security documents and add a “current as at [date]” line on each; track ownership and evidence of review.

Implementation tips

  • The IT manager should organise an annual review of all cyber security documents. Start by setting a date, then gather all existing documents and ensure the right experts review them. They should check if each document is still relevant and up-to-date.
  • HR and the IT department should collaborate to update the 'current as at' date on all cyber security documents. Identify each document's last review date and adjust any policies or instructions that have changed since then.
  • The office manager should ensure that any changes made to documents during the review process are communicated to all staff. This can be done with a simple email or a quick office meeting, highlighting the key changes.
  • The business owner should appoint someone to be responsible for overseeing the annual review process. This person will ensure that reviews are completed on time and that documents are properly stored for future reference.
  • The school principal should hold a debriefing session after the review to discuss lessons learned and improvements needed. This can help make the next review process smoother and ensure everyone is on the same page.

Audit / evidence tips

  • Ask: The review schedule. Request the calendar or timeline that shows when cyber security documentation reviews are planned. Look to see if reviews are scheduled at least once a year. Good: Would include clear, recurring dates for annual reviews.
  • Ask: A sample of updated documents. Request a few updated cyber security documents. Good: Includes documents with recent dates and evidence of updates.
  • Ask: Meeting notes from the review. Request the notes or minutes from the document review meeting. Good: Includes comprehensive notes with clearly documented outcomes.
  • Ask: The communication log. Request evidence showing how updates were communicated to staff. Good: Includes multiple forms of communication, like emails and meeting transcripts.
  • Ask: To see the updated document storage. Request to see where the reviewed documents are stored. Look to ensure there is a clear and accessible filing system. Good: Includes a well-organised digital or physical filing system with clear labels.

Cross-framework mappings

How ISM-0888 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.1: ISM-0888 requires cyber security documentation to be reviewed at least annually and to include a clear 'current as at [date]' statement
Supports (1)
  • Annex A 5.37: Annex A 5.37 requires operating procedures for information processing facilities to be documented and made available to personnel who nee...

ISO 42001

Supports (1)
  • Annex A 5.4: Annex A 5.4 requires continuous life-cycle assessment and documentation of AI impacts on individuals or groups

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
