Ensure Cyber Security Docs Are Communicated
Make sure all stakeholders are informed about cyber security documents and their updates.
Plain language
This control is about making sure everyone involved in an organisation is updated about the security documents and any changes made to them. It's like ensuring the whole team knows the latest game plan—if not, mistakes can happen, leaving your business vulnerable to cyber threats like data breaches or fraud.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Cyber security documentation, including notification of subsequent changes, is communicated to all stakeholders.
Why it matters
If security document updates aren’t communicated, stakeholders may follow outdated guidance, causing inconsistent controls and higher breach risk.
Operational notes
Notify all stakeholders when cyber security documents change. Use change alerts and include updates in weekly security briefings; track acknowledgements.
Implementation tips
- Managers should regularly schedule meetings to update all team members about new or changed security documents. They can do this by setting a monthly meeting where updated documents are discussed and questions are answered in plain language.
- The IT team should establish a centralised online location where all security documents and their updates are stored. They might use a secure intranet or a cloud-based solution to ensure everyone has access to the latest versions easily.
- HR should collaborate with the IT department to ensure new employees are briefed on security documentation during their orientation. This can be done through an introductory training session that explains the importance and basics of cyber security practices.
- A designated staff member should be responsible for notifying all stakeholders of any changes to security documents. This could involve emailing the updates and summaries to ensure everyone stays informed and compliant.
- The board or leadership team should review and approve any changes to critical security documents. This can be done in quarterly meetings where the implications of changes are discussed, and consensus is reached to maintain oversight.
Audit / evidence tips
- Ask: the schedule of meetings related to security document updates. Good: shows regular gatherings where various departments are represented.
- Ask: documentation of the employee onboarding process regarding security training. Examine if it includes up-to-date information on security practices. A well-documented process shows consistent and ongoing updates to training materials.
- Ask: a copy of the email or memo notifications sent to stakeholders about document updates. Review if these notifications occur promptly and include summaries of changes. Good communication should be clear, detailed, and prompt.
Cross-framework mappings
How ISM-1602 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| Annex A 5.1 | ISM-1602 requires cyber security documentation (and subsequent changes) to be communicated to all stakeholders | |
| Annex A 5.4 | Annex A 5.4 requires management to ensure all personnel apply information security consistent with the organisation’s policies and proced... | |
| Annex A 5.37 | ISM-1602 requires cyber security documentation, including change notifications, to be communicated to stakeholders | |
| Annex A 6.3 | ISM-1602 requires cyber security documentation and changes to be communicated to all stakeholders | |
| Supports (2) | | |
| Annex A 5.8 | Annex A 5.8 requires integrating information security into how projects are run, including ensuring stakeholders follow security requirem... | |
| Annex A 5.10 | Annex A 5.10 requires organisations to identify, document and implement rules for acceptable use and handling of information and associat... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.