Register Management of Organisational Systems
The CISO keeps an updated list of all systems used by the organisation.
Plain language
The Chief Information Security Officer (CISO) needs to keep an updated list of all systems the organisation uses, like the software and tools everyone relies on every day. This is important because if you don't know what systems are in use, it could lead to outdated or insecure systems slipping through the cracks, increasing the risk of hacking or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO develops, implements, maintains and verifies on a regular basis a register of systems used by their organisation.
Why it matters
Without a current register of organisational systems, unknown or unmanaged systems can be missed for monitoring, patching and decommissioning, increasing breach and outage risk.
Operational notes
Review and verify the system register monthly by reconciling it with asset discovery/CMDB data; record system owner, purpose, location and lifecycle status (new/changed/decommissioned).
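The monthly reconciliation described above can be made repeatable rather than a manual comparison. The following script is an added example, not part of the Control Stack or ISM material: it assumes the register is exported as CSV with the columns `system, owner, purpose, location, lifecycle, last_verified` and that asset discovery or the CMDB exports an `asset` column; the sample rows, the 31-day verification window and the extra `active` lifecycle value are constructed assumptions for illustration. It flags discovered systems missing from the register, registered systems that discovery no longer sees, decommissioned entries that are still live, entries with missing fields, and entries whose verification date is stale.

```python
import csv
import io
from datetime import date, timedelta

# Fields every register entry must carry (owner, purpose, location, lifecycle
# status) plus the date the entry was last verified, used by the monthly review.
REQUIRED_FIELDS = ("system", "owner", "purpose", "location", "lifecycle")
# "new", "changed" and "decommissioned" are the statuses named in the
# operational note; "active" is an assumed value for steady-state systems.
VALID_LIFECYCLE = {"new", "changed", "active", "decommissioned"}

# Constructed sample data: a small register and a discovery/CMDB export.
REGISTER_CSV = """system,owner,purpose,location,lifecycle,last_verified
Payroll,Finance,Staff payroll processing,DC-1,active,2026-03-01
CRM,Sales,Customer management,SaaS,active,2025-12-15
Legacy File Server,,File shares,DC-2,decommissioned,2026-02-20
Intranet Wiki,IT,Internal documentation,DC-1,pending,2026-03-10
"""
DISCOVERY_CSV = """asset,type
payroll,application
crm,application
legacy file server,server
shadow-bi-tool,application
"""


def _key(name):
    """Normalise a system name so register and discovery rows can be matched."""
    return " ".join(name.strip().lower().split())


def parse_register(csv_text):
    """Return {normalised name: row dict} for a register exported as CSV."""
    return {_key(r["system"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def parse_discovery(csv_text):
    """Return the set of normalised asset names seen by discovery/CMDB."""
    return {_key(r["asset"]) for r in csv.DictReader(io.StringIO(csv_text))}


def reconcile(register, discovered, today, max_age_days=31):
    """Compare the register with discovery data and return findings by category.

    unregistered:               discovered but absent from the register
    not_seen:                   registered (not decommissioned) but not discovered
    decommissioned_but_present: register says decommissioned, discovery still sees it
    incomplete:                 missing a required field or invalid lifecycle status
    stale:                      last_verified missing or older than max_age_days
    """
    findings = {k: [] for k in ("unregistered", "not_seen",
                                "decommissioned_but_present", "incomplete", "stale")}
    for key, row in register.items():
        name = row["system"]
        lifecycle = (row.get("lifecycle") or "").strip().lower()
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing or lifecycle not in VALID_LIFECYCLE:
            findings["incomplete"].append(name)
        try:
            verified = date.fromisoformat((row.get("last_verified") or "").strip())
        except ValueError:
            verified = None
        if verified is None or today - verified > timedelta(days=max_age_days):
            findings["stale"].append(name)
        if lifecycle == "decommissioned":
            if key in discovered:
                findings["decommissioned_but_present"].append(name)
        elif key not in discovered:
            findings["not_seen"].append(name)
    # Anything discovery sees that the register has never heard of is an
    # unknown or unmanaged system, the case the control exists to catch.
    findings["unregistered"] = sorted(discovered - register.keys())
    return {k: sorted(v) for k, v in findings.items()}


def run_sample(today=date(2026, 3, 19)):
    """Reconcile the constructed sample data as of a fixed review date."""
    return reconcile(parse_register(REGISTER_CSV), parse_discovery(DISCOVERY_CSV), today)


if __name__ == "__main__":
    for category, names in run_sample().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Each category maps to a follow-up action in the review: `unregistered` items need an owner and a register entry, `not_seen` items are candidates for decommissioning or a discovery gap, and `decommissioned_but_present` items are the ones most likely to miss patching. Recording the run's output alongside the register is the kind of evidence an auditor asks for under the tips below.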
Implementation tips
- The CISO should conduct a comprehensive review of all digital systems: This involves identifying all software applications, platforms, and tools currently in use. They can do this by sending out a survey to all departments asking them to list the programs they rely on.
- IT managers should help by categorising systems: This means organising the systems into groups based on their function, such as communication tools, financial systems, or customer management tools. This can be done by reviewing the list collected from departments and placing each system into the appropriate category.
- Department heads should regularly update their system lists: Each department needs to have a designated person responsible for informing the CISO about any new systems or changes to existing ones. This can be set up as a monthly task using a shared online document or form.
- Training sessions should be held by the HR team: Educate staff on the importance of notifying the CISO when they start using new systems. Regular workshops or brief reminders during team meetings can reinforce this practice.
- System audits should be scheduled by the CISO: These are periodic checks to make sure the list is accurate and complete. The CISO should set calendar reminders to review and verify the system register quarterly, ensuring it's up to date with the latest information.
Audit / evidence tips
- Ask for the system register document: request to see the complete list of systems that the organisation uses. Good evidence: the list will have clear names, responsible departments, and recent update dates.
- Ask for email or meeting records: request evidence of communications or meetings where system lists are discussed and updated.
- Ask to see samples of completed department surveys.
- Ask for training attendance records from HR: request records that show which staff have attended training sessions on system management.
- Ask for documentation of the last system audit: request to see the results of the most recent audit conducted by the CISO. Good evidence: the report will show a thorough review and actions for any issues.
Cross-framework mappings
How ISM-1966 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (1)
| Control | Notes |
|---|---|
| Annex A 5.9 | Annex A 5.9 requires maintaining an inventory of information and associated assets, including ownership |
E8
Supports (2)
| Control | Notes |
|---|---|
| E8-PA-ML1.1 | ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems |
| E8-PO-ML1.1 | ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.