Annual Security Status Reporting for Systems
System owners must annually report each system's security status to an authorising officer.
Plain language
System owners have to check and report how secure their systems are at least once a year to the person in charge of approving them. This is important because it keeps everyone aware of any risks or weaknesses in the systems, so they can fix problems before they lead to data leaks or other issues that could damage the organisation's reputation or operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
July 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Section
System owners
Official control statement
System owners report the security status of each system to its authorising officer at least annually.
Why it matters
Missing annual security status reports can conceal system risks, leaving issues unreported to the authorising officer and increasing breach likelihood.
Operational notes
Schedule annual security status reports and submit them to the authorising officer; include changes, incidents, outstanding risks and remediation progress.
Implementation tips
- System owners should schedule an annual review with the authorising officer to discuss the system's security. They can do this by setting a fixed date each year and preparing a short report on recent security assessments and updates done on the system. This ensures that the officer is kept informed and can advise on necessary actions.
- System owners should create a checklist of security measures currently in place for the system. This checklist might include antivirus software status, firewall rules, and whether regular software updates are being applied. Reviewing and updating this checklist before meeting with the authorising officer helps provide a clear picture of the system's security.
- The IT team should run a security assessment on each system before the annual review. This could involve vulnerability scanning and checking access controls to find any weak points. The results should be compiled into a report to inform discussions during the formal review.
- System owners should organise a follow-up session after the review meeting to outline any required improvements. They can work with IT and staff concerned with system security to address any weaknesses identified during the initial review. Documenting these plans helps track progress and ensure accountability.
- The business manager should ensure records of these reviews are maintained. Using a simple filing system, they can store reports, checklists, and meeting notes in a central location. This makes it easy to retrieve documents for auditing or subsequent reviews.
Audit / evidence tips
- Ask for the most recent system security status report: request the report submitted to the authorising officer. Good: the report is dated within the last year and provides a thorough assessment that matches the system's characteristics.
- Good: the record is signed by both parties and includes agreed steps to improve system security.
- Ask to see the security measure checklist: verify that the checklist contains current information on antivirus use, firewall settings, software updates and other security practices. Good: the checklist is regularly updated and reflects the findings of the last review.
Cross-framework mappings
How ISM-1587 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Relationship: partially overlaps (2 controls)

| Control | Notes |
|---|---|
| Annex A 5.1 | ISM-1587 requires system owners to provide an annual security status report for each system to the authorising officer |
| Annex A 5.35 | ISM-1587 requires system owners to report the security status of each system to the system's authorising officer at least annually |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.