ISM-1525, ASD Information Security Manual (ISM)

Register Systems with Authorising Officers

System owners must register their systems with the designated authorising officer for oversight.

Plain language

System owners must inform a designated authorising officer about each system they manage. This is important because it ensures the right person is aware and can provide oversight, reducing the risk of systems being mismanaged or neglected, which can lead to security breaches or operational failures.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Dec 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

System owners register each system with its authorising officer.

Why it matters

If systems aren’t registered with an authorising officer, they may operate without formal authorisation, oversight or accountability, increasing unmanaged security risk.

Operational notes

Maintain a central system register and notify the authorising officer on onboarding, major changes, ownership transfer and decommissioning to keep authorisation current.

Implementation tips

  • System owners should identify the authorising officer for their system. To do this, consult the organisational chart or ask your direct supervisor to confirm who is responsible for the oversight of your systems.
  • System owners must compile a comprehensive overview of their systems. This includes documenting each system's purpose, main functions, and any sensitive data it handles. A simple document or spreadsheet with these details can help keep everything organised.
  • Authorising officers should set regular check-ins with system owners. This helps them stay updated on any changes or concerns. These meetings can be scheduled monthly or quarterly, depending on the system's complexity or sensitivity.
  • System owners should create and maintain an easy-to-follow registration form for new systems. This form should capture details such as system name, purpose, primary users, and technical environments. Having a standardised form makes it easier to consistently register systems.
  • IT teams should support system owners by providing templates or guidelines for system registration. This ensures that all necessary details are captured and that the appropriate information is shared with authorising officers, removing ambiguity or errors.

Audit / evidence tips

  • Ask: The system registration list. Request the document or system database where all active systems are listed along with their authorising officers. Good: Shows a complete list with clear officer assignment for every system.
  • Ask: The meeting schedule with authorising officers. Request the calendar or record of meetings between system owners and their authorising officers. Good: Documentation showing regular meetings with notes on discussions.
  • Ask: To see the registration forms. Request the completed registration forms for all systems. Good: Clear, detailed forms for each system, signed by the authorising officer.
  • Ask: Communication records between system owners and authorising officers. Request emails or meeting records. Good: Includes regular updates and feedback from the officers to the system owners.
  • Ask: To see the initial system registration process document. Request the guidelines or templates used for registering systems. Good: Shows a well-documented process that guides system owners on registering new systems.

Cross-framework mappings

How ISM-1525 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.2: Requires information security roles and responsibilities to be defined and allocated according to organisational needs.

Supports (1)
  • Annex A 5.9: Mandates a maintained inventory of information and associated assets and their owners.

ISO 42001

Supports (1)
  • Annex A 3.2: Requires defined and allocated AI roles and responsibilities across the AI lifecycle.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
