Regular Cyber Security Reporting to Audit Committee
The CISO reports cyber security updates directly to the organisation's risk committee.
Plain language
This control is about the Chief Information Security Officer (CISO) keeping the organisation's audit and risk committee updated on cyber security matters. It's important because regular updates help ensure that top decision-makers are aware of cyber risks and can make informed decisions to protect the organisation from cyber threats.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO regularly reports directly to their organisation's audit, risk and compliance committee (or equivalent) on cyber security matters.
Why it matters
Without regular CISO reporting to the audit committee, cyber risk oversight weakens, delaying decisions on threats and increasing the likelihood and impact of a breach.
Operational notes
Schedule CISO updates to the audit/risk committee with a standing agenda: current threats, incidents, control gaps, and risk acceptance decisions with owners and due dates.
Implementation tips
- The CISO should schedule regular meetings with the audit, risk, and compliance committee. These should occur at least quarterly to discuss current cyber security issues and upcoming changes that may affect risk levels. The CISO can prepare a simple presentation to outline key points and discuss potential actions.
- The IT team should compile regular updates on the organisation's current cyber security posture. This involves gathering information on any incidents, potential threats, or system vulnerabilities. Use a simple dashboard or a summary report to make the information easy to understand and report to the CISO.
- The risk committee members need to be educated on common cyber security terms and issues. The CISO can set up brief training sessions or provide reading material that explains these concepts in simple language, helping committee members understand the reports fully.
- The organisation should maintain clear communication channels between the IT department and the audit committee. The IT manager should regularly provide insights or flags of any significant concerns that need the committee’s attention, using email or scheduled meetings.
- Audit committee members should have access to past cyber security incident reports to understand trends over time. The CISO can facilitate this by organising reports into an accessible repository, such as a shared drive or database, where members can review them.
Audit / evidence tips
- Ask for: the meeting minutes from audit committee updates
  Good: minutes showing regular discussion on security issues, risks, and decisions made by the committee
- Ask for: the CISO's presentation materials used during meetings. Review these for key topics like incident statistics, risk assessments, and mitigation strategies
  Good: the presentation clearly outlines current security issues and actionable insights for the committee
- Ask for: the incident reports summarised in meetings
  Good: the report contains specific cases and resolutions that align with stated security strategies
- Ask: the committee members whether they felt informed enough about cyber security matters. Listen for feedback on the clarity and usefulness of the information provided by the CISO
  Good: members indicate they understood the information and felt capable of making informed decisions
- Ask for: evidence of the CISO's preparation for meetings
  Good: the agenda includes all key topics intended for discussion and aligns with the known risks and organisational priorities
Cross-framework mappings
How ISM-1918 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.35 | ISM-1918 requires the CISO to report regularly on cybersecurity matters to the organisation’s audit, risk and compliance committee | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.