ISM-1564 policy ASD Information Security Manual (ISM)

Develop Plan of Action Post Security Assessment

After assessing security, system owners create a plan to address and resolve issues.

Plain language

After a security assessment, the system owner must create a plan to fix any issues that were found. This is important because without a plan, problems might go unresolved, leaving the system vulnerable to attacks, which could lead to data breaches or disruptions to business operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Apr 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.
Why it matters

If no post-assessment plan of action and milestones is produced, identified vulnerabilities may go unremediated and untracked, increasing both the likelihood of compromise and the residual risk carried by the system.

Operational notes

After each security assessment, produce a POA&M listing each finding, owner, due date and milestone status; review it regularly and record closure evidence for remediation.

Implementation tips

  • System owners should draft a detailed action plan to address each security issue found. They can do this by listing out each problem and assigning a person or team to fix it, along with a deadline for completion.
  • Involve IT managers in setting priorities within the plan. They should evaluate which issues need immediate attention and which can be scheduled for later, ensuring critical vulnerabilities are dealt with first.
  • System owners should consult with cybersecurity experts to ensure the action plan is comprehensive. This might involve having a professional review the plan to verify that all possible solutions have been considered.
  • Communicate the action plan to all relevant staff members. System owners should hold a meeting to present the plan, explain the actions needed, and ensure everyone understands their roles in the process.
  • Regularly check progress against the plan. The system owner should track progress on resolving each issue and adjust timelines if necessary, ensuring accountability by updating stakeholders regularly.
Audit / evidence tips

  • Ask: The security assessment report. Request the document detailing all identified issues and vulnerabilities. Good: Is a comprehensive report that matches the common vulnerabilities found in similar organisations.
  • Ask: The plan of action and milestones document. Request the document that outlines how each security issue will be resolved. Good: Shows well-defined actions with dates and responsible individuals.
  • Ask: Meeting records. Request minutes or notes from meetings where the action plan was discussed. Good: Includes names of attendees, decisions made, and action items from the meeting.
  • Ask: Progress updates. Request reports or logs detailing progress on addressing each security issue. Good: Shows resolved issues marked as complete and notes on any delays with reasons provided.
  • Ask: Expert review certification. Request evidence that the action plan was reviewed by a qualified cybersecurity expert. Good: Includes dates and the expert's credentials, affirming that the plan is sound.
Cross-framework mappings

How ISM-1564 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes | Details
Annex A 8.32 | Partially overlaps (1) | ISM-1564 requires the system owner to produce a POA&M after a security assessment to address identified weaknesses through defined action...
Annex A 8.34 | Supports (1) | ISM-1564 requires the system owner to produce a plan of action and milestones (POA&M) at the conclusion of a security assessment to remed...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
