ISM-1618 (policy): ASD Information Security Manual (ISM)

CISO's Role in Cyber Security Incident Response

The CISO is responsible for managing the organisation's reactions to cyber security threats.


Plain language

The Chief Information Security Officer (CISO) is like the safety manager for the digital side of a business. They make sure that the company knows how to handle any cyber security threats or issues. If this isn't done, the organisation might not respond quickly to a cyber attack, leading to data loss, financial damage, or reputational harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Sept 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The CISO oversees their organisation's response to cyber security incidents.

Why it matters

Without CISO oversight, incident response can be delayed or misdirected, increasing attack impact and risking regulatory, legal and financial consequences.


Operational notes

Have the CISO review incident response plans and major response decisions, and ensure timely communication to executives and key stakeholders during incidents.


Implementation tips

  • CISOs should create a clear plan: They need to develop a detailed incident response plan that outlines what to do if a cyber security threat is detected. This plan should include steps for identifying, handling, and recovering from incidents.
  • The IT team should set up regular training: They need to train staff on how to recognise and report cyber threats. This can be done through workshops or e-learning modules that explain the role each person plays during an incident.
  • Managers should organise practice drills: They should conduct simulated cyber attack exercises so employees know their roles and the plan can be tested for effectiveness. This involves setting up a fake scenario and timing the response.
  • The communication team should develop a public communication strategy: They need to prepare templates for customer and public notifications in case of a data breach. This includes having a pre-written media statement reviewed by legal advisors.
  • The CISO should review and update policies: Regularly revisiting the incident response plan and updating it based on lessons learned from drills and actual incidents is crucial. This might involve making notes about what worked well and what didn't, then making relevant changes.

Audit / evidence tips

  • Incident response plan. Ask: request the document that outlines how the organisation will respond to cyber security incidents. Good: a comprehensive, up-to-date plan with clear instructions and assignments.
  • Training records. Ask: request documentation of staff training sessions on incident response. Good: shows regular training with all relevant employees attending.
  • Incident logs. Ask: request records of past incidents that the organisation has responded to. Good: detailed logs with clear follow-up actions and resolutions.
  • Evidence of practice drills. Ask: request documents summarising any mock exercises or drills conducted. Good: records showing regular exercises and improvements made from lessons learned.
  • Communication templates. Ask: request copies of pre-prepared public communications for a potential data breach. Good: approved templates ready for rapid use.

Cross-framework mappings

How ISM-1618 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 5.26 (Partially meets): ISM-1618 requires that the CISO oversees the organisation's response to cyber security incidents.
  • Annex A 5.24 (Partially overlaps): ISM-1618 requires that the CISO oversees the organisation's response to cyber security incidents.
  • Annex A 5.28 (Supports): ISM-1618 requires that the CISO oversees the organisation's response to cyber security incidents.

E8

  • Supports (3)
  • Depends on (3)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
