Regular Review of Cyber Security Program
The CISO ensures the cyber security program stays relevant to combat threats and seize opportunities.
Plain language
The cybersecurity boss needs to frequently check and update the company's plan for dealing with online threats. This is important because if they fall behind, the company could become vulnerable to new types of cyber attacks, leading to potential data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO regularly reviews and updates their organisation's cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
Why it matters
Without regular reviews and updates, the cyber security program can drift from current threats and business priorities, increasing the likelihood of incidents and reputational harm.
Operational notes
Run biannual CISO-led program reviews; update the security roadmap, priorities and metrics using recent incidents, threat intel and business changes, and track actions to closure.
Implementation tips
- The CISO should schedule regular reviews of the cybersecurity plan. This involves setting quarterly meetings with the IT team to discuss any changes in the threat landscape and making updates to the plan accordingly.
- The IT team should monitor emerging cyber threats. This can be done by subscribing to cybersecurity alerts from the Australian Cyber Security Centre (ACSC) and sharing relevant updates with the CISO during review meetings.
- The training manager should update employee cybersecurity training programs. Collaborate with the IT team to ensure that the training reflects the latest cybersecurity practices and threat information.
- The CISO should involve senior management in cybersecurity discussions. Organise briefing sessions to communicate the importance of the updated cybersecurity measures and to get their support.
- The finance manager should ensure budget allocations for cybersecurity tools and resources are regularly reviewed. Work with the CISO to prioritise spending on the most critical areas identified during reviews.
Audit / evidence tips
- Ask: the schedule of cybersecurity program reviews. Request the calendar of past and upcoming review meetings. Good: a detailed schedule with completed and planned reviews marked.
- Ask: minutes from the review meetings. Review the written records of these meetings. Good: thorough documentation with specific updates noted.
- Ask: recent threat intelligence reports. Request any reports or alerts received from the ACSC or other sources. Good: evidence that the threats were acknowledged and the plan adjusted accordingly.
- Ask: updated cybersecurity training materials. Request copies of the latest training documents for staff. Good: recent updates consistent with the latest review findings.
- Ask: the budget records for cybersecurity spending. Request documents that show how cybersecurity funds have been allocated and used, and check whether they align with priorities identified in the reviews. Good: evidence of budget adjustments following the review outcomes.
Cross-framework mappings
How ISM-1617 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.1 | ISM-1617 calls for the CISO to regularly review and update the cyber security program to ensure its relevance | |
| Annex A 5.35 | Annex A 5.35 requires an independent review of the organisation’s information security approach and its implementation at planned interva... | |
| Supports (2) | | |
| Annex A 5.6 | ISM-1617 calls for the CISO to maintain the cyber security program’s currency in addressing threats and needs | |
| Annex A 5.36 | ISM-1617 requires the CISO to regularly review and update the cyber security program for alignment with evolving threats and opportunities | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.