ISM-1998 ASD Information Security Manual (ISM)

Integrate Cyber Security Across Business Functions

Leaders ensure cyber security is a part of every business area.

Plain language

This control is about making sure cyber security is built into every part of the business. If cyber security isn't considered everywhere, small mistakes can lead to big problems like data breaches, financial loss, and damage to the business's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The board of directors or executive committee ensures that cyber security is integrated throughout all business functions within their organisation.

Why it matters

Without board-driven integration across business functions, security becomes siloed, creating inconsistent risk decisions and higher breach likelihood.

Operational notes

Set executive-owned security KPIs for each business unit and review progress quarterly to keep security embedded in business planning and delivery.

Implementation tips

  • Business leaders should start by outlining their security expectations across the organisation by holding a meeting with department heads. Use this session to explain the importance of cyber security and how each department can play a role. Provide examples relevant to each department’s work.
  • Department heads should identify specific areas where cyber security measures need to be integrated. They can do this by reviewing their current processes to pinpoint where sensitive data is accessed or stored. Make a list of these areas and identify potential risks.
  • Designate a cyber security coordinator in each department. This person should work with the IT department to develop a plan to address the specific security needs identified. They can participate in regular training to stay updated on best practices.
  • Managers should ensure that all department staff receive basic cyber security awareness training. This can be accomplished by organising mandatory workshops or e-learning sessions covering key topics like recognising phishing emails and using strong passwords.
  • Reinforce a culture of security by regularly updating all staff about cyber security policies and any changes. Use internal newsletters or team meetings to communicate updates and remind staff of their role in protecting the organisation.

Audit / evidence tips

  • Ask: The minutes from meetings where security integration was discussed. Good: Includes participant names, roles, agenda topics discussed, and action items.
  • Ask: Documentation on department coordinators and their action plans. Evaluate the plans for specific actions and timelines. A well-documented plan should include coordinator names, actions to improve security, and progress updates.
  • Good: Training record includes the date, attendees, topics covered, and feedback collected.

Cross-framework mappings

How ISM-1998 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.4: Annex A 5.4 requires management to require all personnel to apply information security in accordance with established policies and proced...

Supports (5)
  • Annex A 5.1: ISM-1998 requires the board or executive committee to ensure cyber security is integrated throughout all business functions
  • Annex A 5.2: ISM-1998 requires executive leadership to ensure cyber security is embedded across all business functions, which depends on clear ownersh...
  • Annex A 5.35: ISM-1998 requires the board or executive committee to ensure cyber security is integrated across business functions and remains effective...
  • Annex A 5.36: ISM-1998 requires executive leadership to integrate cyber security across all business functions, which implies ongoing oversight of how ...
  • Annex A 6.3: ISM-1998 requires the board or executive committee to ensure cyber security is integrated across all business functions

Related (1)
  • Annex A 5.8: ISM-1998 requires executive leadership to ensure cyber security is integrated throughout all business functions within the organisation

ISO 42001

Supports (2)
  • Annex A 6.1.2: Annex A 6.1.2 requires defined responsible AI development objectives and their integration into development activities
  • Annex A 9.3: Annex A 9.3 requires the organisation to identify and document objectives to guide responsible AI use, including how AI will be used acro...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
