ISM-1625 ASD Information Security Manual (ISM)

Develop Insider Threat Mitigation Programs

Create and manage a program to address threats from within the organisation.

Plain language

An insider threat mitigation program helps organisations manage risks that come from their own employees, contractors, or business partners. This is crucial because trusted insiders can sometimes accidentally or intentionally cause harm, like leaking sensitive information or damaging systems, which can hurt the organisation's reputation and bottom line.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

An insider threat mitigation program is developed, implemented and maintained.
ASD Information Security Manual (ISM) ISM-1625

Why it matters

Without an insider threat mitigation program, malicious or inadvertent insiders can exfiltrate sensitive data, cause fraud, and disrupt services, damaging trust and compliance.

Operational notes

Maintain the insider threat program by monitoring and reviewing indicators (access anomalies, privilege misuse) and regularly updating detection rules, reporting paths and response playbooks.

Implementation tips

  • The HR team, alongside the IT and security teams, should develop a clear policy that defines what an insider threat is and outlines the behaviours that raise red flags. They can do this by researching best practices and adapting them to the specific context of the organisation.
  • Managers should organise regular training sessions for all employees about the signs of insider threats and what to do if they notice anything suspicious. This can be done by bringing in a security expert to conduct workshops or by using online training modules.
  • IT staff should set up systems to monitor and log network activities to detect unusual patterns that could indicate insider threats. This can include tracking access to sensitive data and monitoring for unusual downloads or data transfers.
  • Executives should establish a cross-departmental team to regularly review insider threat cases and program effectiveness. The team can meet quarterly to discuss potential incidents, review past cases, and update policies as necessary.
  • The security lead should create a response plan detailing the steps to take during an insider threat incident. This includes notifying the appropriate authorities, conducting an internal investigation, and applying disciplinary measures if needed.

Audit / evidence tips

  • Ask: The insider threat policy document. Good: A detailed policy document that clearly defines insider threats and sets out expected behaviours and reporting procedures.
  • Good: Comprehensive training materials and a list showing regular attendance by all employees.
  • Ask: Reports from the monitoring and logging systems. Good: Detailed logs showing proactive monitoring and timely responses to potential incidents.
  • Good: Thorough records of meetings with noted action items and follow-ups.
  • Ask: The insider threat incident response plan. Good: A plan that outlines step-by-step responses to various threat scenarios and includes contact details for responsible parties.

Cross-framework mappings

How ISM-1625 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.24: ISM-1625 requires the organisation to develop, implement and maintain an insider threat mitigation program to address threats from within...

Supports (3)
  • Annex A 5.10: ISM-1625 requires an insider threat mitigation program that sets expectations and reduces opportunities for misuse by insiders
  • Annex A 5.28: ISM-1625 requires the organisation to run an insider threat mitigation program, which typically includes investigative and response capab...
  • Annex A 5.32: Annex A 5.32 requires procedures to protect intellectual property rights from misuse, infringement or theft

E8

Supports (2)
  • E8-AH-ML2.15: ISM-1625 requires an insider threat mitigation program that includes detection and triage of suspicious internal behaviour and misuse
  • E8-RA-ML3.8: ISM-1625 requires the organisation to implement and maintain a program to mitigate insider threats, including monitoring and detection of...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
