ISM-1966 - ASD Information Security Manual (ISM)

Register Management of Organisational Systems

The CISO keeps an updated list of all systems used by the organisation.


Plain language

The Chief Information Security Officer (CISO) needs to keep an updated list of all systems the organisation uses, like the software and tools everyone relies on every day. This is important because if you don't know what systems are in use, it could lead to outdated or insecure systems slipping through the cracks, increasing the risk of hacking or system failures.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

The CISO develops, implements, maintains and verifies on a regular basis a register of systems used by their organisation.

Why it matters

Without a current register of organisational systems, unknown or unmanaged systems can be missed for monitoring, patching and decommissioning, increasing breach and outage risk.


Operational notes

Review and verify the system register monthly by reconciling it with asset discovery/CMDB data; record system owner, purpose, location and lifecycle status (new/changed/decommissioned).
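The monthly reconciliation described above can be partly automated. The following is an added example, not code from the page or from Control Stack: it compares a system register (with the owner, purpose, location and lifecycle fields the note calls for) against an asset discovery or CMDB export and reports the gaps an assessor would ask about. The register entries, the discovered system names, the review date and the 31-day review interval are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class RegisterEntry:
    """One row of the organisational system register (fields from the operational note)."""
    system: str
    owner: str
    purpose: str
    location: str
    lifecycle: str        # "new", "changed", "active" or "decommissioned"
    last_verified: date   # date the CISO (or delegate) last verified this entry


# Constructed sample register; these systems are hypothetical, not from the page.
REGISTER = [
    RegisterEntry("hr-payroll", "HR", "payroll processing", "dc-syd", "active", date(2024, 10, 20)),
    RegisterEntry("crm-prod", "Sales", "customer management", "saas", "active", date(2024, 11, 2)),
    RegisterEntry("legacy-fileshare", "IT", "file storage", "dc-syd", "decommissioned", date(2024, 9, 1)),
    RegisterEntry("finance-erp", "Finance", "general ledger", "dc-mel", "active", date(2024, 11, 5)),
    RegisterEntry("dev-jenkins", "", "build server", "dc-syd", "new", date(2024, 11, 25)),  # owner missing
]

# Constructed sample of system names seen by asset discovery / exported from the CMDB.
DISCOVERED = {"hr-payroll", "crm-prod", "legacy-fileshare", "shadow-wiki", "dev-jenkins"}

# Assumed review interval: entries not verified within this many days are flagged.
REVIEW_INTERVAL_DAYS = 31


def reconcile(register, discovered, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return the discrepancies between the register and discovery data.

    Each key holds a sorted list of system names so the output is stable
    and can be attached to the monthly review record as evidence.
    """
    registered = {e.system: e for e in register}
    active = {name for name, e in registered.items() if e.lifecycle != "decommissioned"}
    retired = set(registered) - active

    return {
        # Present on the network / in the CMDB but absent from the register: shadow systems.
        "unregistered": sorted(discovered - set(registered)),
        # In the register as live but no longer seen: stale entries or broken discovery coverage.
        "missing_from_discovery": sorted(active - discovered),
        # Marked decommissioned but still discoverable: decommissioning not completed.
        "decommissioned_still_present": sorted(retired & discovered),
        # Verification older than the review interval: the "verifies on a regular basis" part.
        "stale_verification": sorted(
            name for name, e in registered.items()
            if (today - e.last_verified).days > interval_days
        ),
        # Required fields left blank: the entry cannot be assigned or actioned.
        "incomplete_records": sorted(
            name for name, e in registered.items()
            if not all([e.owner, e.purpose, e.location, e.lifecycle])
        ),
    }


def has_findings(report):
    """True when any discrepancy list is non-empty, i.e. the register needs follow-up."""
    return any(report.values())


def run_sample():
    """Run the reconciliation over the constructed data for a constructed review date."""
    return reconcile(REGISTER, DISCOVERED, today=date(2024, 11, 30))


if __name__ == "__main__":
    report = run_sample()
    for finding, systems in report.items():
        print(f"{finding}: {', '.join(systems) if systems else 'none'}")
    print("follow-up required" if has_findings(report) else "register reconciled")
```

In practice the `REGISTER` list would be loaded from the register spreadsheet or GRC tool and `DISCOVERED` from the discovery or CMDB export; the comparison logic stays the same, and the returned dictionary is what gets filed as the month's verification evidence.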


Implementation tips

  • The CISO should conduct a comprehensive review of all digital systems: This involves identifying all software applications, platforms, and tools currently in use. They can do this by sending out a survey to all departments asking them to list the programs they rely on.
  • IT managers should help by categorising systems: This means organising the systems into groups based on their function, such as communication tools, financial systems, or customer management tools. This can be done by reviewing the list collected from departments and placing each system into the appropriate category.
  • Department heads should regularly update their system lists: Each department needs to have a designated person responsible for informing the CISO about any new systems or changes to existing ones. This can be set up as a monthly task using a shared online document or form.
  • Training sessions should be held by the HR team: Educate staff on the importance of notifying the CISO when they start using new systems. Regular workshops or brief reminders during team meetings can reinforce this practice.
  • System audits should be scheduled by the CISO: These are periodic checks to make sure the list is accurate and complete. The CISO should set calendar reminders to review and verify the system register quarterly, ensuring it's up to date with the latest information.

Audit / evidence tips

  • Ask: The system register document. Request to see the complete list of systems that the organisation uses. Good: The list will have clear names, responsible departments, and recent update dates.
  • Ask: Email or meeting records. Request evidence of communications or meetings where system lists are discussed and updated.
  • Ask: To see samples of completed department surveys.
  • Ask: Training attendance records from HR. Request records that show which staff have attended training sessions on system management.
  • Ask: Documentation of the last system audit. Request to see the results of the most recent audit conducted by the CISO. Good: The report will show a thorough review and actions for any issues.

Cross-framework mappings

How ISM-1966 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.9: requires maintaining an inventory of information and associated assets, including ownership

E8

Supports (2)
  • E8-PA-ML1.1: ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems
  • E8-PO-ML1.1: ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
