Regular Review of Cyber Security Program
The CISO ensures the cyber security program stays relevant to combat threats and seize opportunities.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Sept 2020
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
The CISO regularly reviews and updates their organisation's cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
Source: ASD Information Security Manual (ISM)
Plain language
The cybersecurity boss needs to frequently check and update the company's plan for dealing with online threats. This is important because if they fall behind, the company could become vulnerable to new types of cyber attacks, leading to potential data breaches or financial losses.
Why it matters
Without regular reviews and updates, the cyber security program drifts away from current threats and business priorities, increasing the likelihood of incidents and the reputational harm that follows them.
Operational notes
Run CISO-led program reviews on a fixed cadence (at least twice a year); at each review, update the security roadmap, priorities and metrics using recent incidents, threat intelligence and business changes, and track resulting actions to closure.
Implementation tips
- The CISO should schedule regular reviews of the cybersecurity plan. This involves setting recurring meetings (for example, quarterly) with the IT team to discuss changes in the threat landscape and update the plan accordingly.
- The IT team should monitor emerging cyber threats. This can be done by subscribing to cybersecurity alerts from the Australian Cyber Security Centre (ACSC) and sharing relevant updates with the CISO during review meetings.
- The training manager should update employee cybersecurity training programs. Collaborate with the IT team to ensure that the training reflects the latest cybersecurity practices and threat information.
- The CISO should involve senior management in cybersecurity discussions. Organise briefing sessions to communicate the importance of the updated cybersecurity measures and to get their support.
- The finance manager should ensure budget allocations for cybersecurity tools and resources are regularly reviewed. Work with the CISO to prioritise spending on the most critical areas identified during reviews.
Audit / evidence tips
- Ask: the schedule of cybersecurity program reviews. Request the calendar of past and upcoming review meetings.
  Good: a detailed schedule with completed and planned reviews marked.
- Ask: minutes from the review meetings. Review the written records of these meetings.
  Good: thorough documentation with specific updates to the program noted.
- Ask: recent threat intelligence reports. Request any reports or alerts received from the ACSC or other sources.
  Good: evidence that the threats were acknowledged and the plan adjusted accordingly.
- Ask: updated cybersecurity training materials. Request copies of the latest training documents for staff.
  Good: recent updates consistent with the latest review findings.
- Ask: the budget records for cybersecurity spending. Request documents that show how cybersecurity funds have been allocated and used, and check that they align with the priorities identified in the reviews.
  Good: evidence of budget adjustments following the review outcomes.
Cross-framework mappings
How ISM-1617 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 5.1 | ISM-1617 calls for the CISO to regularly review and update the cyber security program to ensure its relevance | |
| Annex A 5.35 | ISM-1617 requires the CISO to regularly review and update the organisation’s cyber security program to keep it relevant to current threat... | |
| Supports (2) | ||
| Annex A 5.6 | ISM-1617 calls for the CISO to maintain the cyber security program’s currency in addressing threats and needs | |
| Annex A 5.36 | ISM-1617 requires the CISO to regularly review and update the cyber security program for alignment with evolving threats and opportunities | |