Define Cyber Security Roles for Leadership
The board sets specific cyber security roles and duties for themselves and the whole organisation.
Plain language
It's essential for the board of directors or top executives to clearly define who is responsible for different aspects of cyber security within the company. If this isn't done, responsibilities can fall through the cracks, meaning potential security threats might not be managed properly, leading to data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Topic
Embedding Cyber Security
Official control statement
The board of directors or executive committee defines clear roles and responsibilities for cyber security both within the board of directors or executive committee and broadly within their organisation.
Why it matters
Undefined cyber security roles at board/executive level create governance gaps, weakening oversight and increasing risk of strategic security incidents.
Operational notes
Maintain a board/executive RACI for cyber security; assign named owners for oversight, risk appetite, reporting cadence, and major security decisions, and review quarterly.
Implementation tips
- Board members should identify key areas of cyber security risk: The board needs to sit down and list out all the major cyber threats that could impact the business. Doing a simple brainstorming session can help, where they collectively consider what could go wrong and what part of the business would be affected.
- Executives should assign specific cyber security responsibilities: Each executive or board member should be assigned specific duties, like overseeing data protection or ensuring systems stay updated. This can be done by discussing individual strengths and aligning responsibilities with those strengths.
- Organisational leaders should communicate these roles: Once roles are defined at the top, communicate them clearly to the entire organisation. This could be done through a company-wide email or a presentation at an all-hands meeting where everyone understands who handles what.
- The board should provide clear protocols for reporting issues: Establish straightforward steps for employees to report any suspicious activity or security concerns. This might be as simple as setting up a dedicated email or a hotline number everyone knows about.
- Leadership should review roles and responsibilities regularly: Set a schedule for revisiting these roles, perhaps quarterly, to ensure they remain relevant and effective. Use these meetings to assess how well responsibilities are being met and adjust as needed.
Audit / evidence tips
- Ask: the cyber security roles and responsibilities document. Request to see the official document that details each board member's or executive's responsibilities.
  Good: includes a dated document with individual names and their specific duties.
- Good: includes detailed minutes with action items and a follow-up plan.
- Ask: evidence of internal communication about these roles. Request to see the emails or announcements sent out to staff about board-assigned responsibilities.
  Good: shows clear internal messaging with a copy of the email or presentation slides.
- Ask: documents that describe how incidents should be reported by staff. Examine the instructions for clarity and accessibility.
  Good: will show simple, actionable steps that any employee can follow.
- Good: indicates these meetings happen regularly and include feedback.
Cross-framework mappings
How ISM-1997 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.24 | ISM-1997 requires the board or executive committee to define clear cyber security roles and responsibilities across the organisation |
| Supports | Annex A 5.1 | ISM-1997 requires leadership to define cyber security roles and responsibilities within the board/executive and across the organisation |
| Supports | Annex A 5.36 | Annex A 5.36 requires regular reviews to confirm compliance with the organisation's information security policies, rules and standards |
| Supports | Annex A 6.5 | Annex A 6.5 requires that information security responsibilities and duties that remain valid after termination or role change are defined... |
| Related | Annex A 5.2 | ISM-1997 requires the board or executive committee to define clear cyber security roles and responsibilities across the organisation, inc... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.