Championing Cyber Security at an Executive Level
Executives set a good example to promote a healthy cyber security culture in the organisation.
Plain language
This control is about ensuring the leaders of an organisation promote good cyber security practices by setting a positive example. When executives actively support cyber security, it encourages everyone to follow suit, reducing risks like data breaches or other damaging cyber incidents.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The board of directors or executive committee champions a positive cyber security culture within their organisation, including through leading by example.
Why it matters
Without board or executive championing of cyber security, staff are unlikely to prioritise it either, weakening the security culture and increasing the likelihood of incidents, breaches and losses.
Operational notes
Executives/board should visibly lead by example (briefings, messaging, compliance), sponsor security initiatives, and fund priorities to reinforce a positive cyber security culture.
Implementation tips
- Executives should regularly speak about the importance of cyber security during staff meetings. They can do this by starting each meeting with a brief update on what the organisation is doing to protect its data and why it matters for everyone's work.
- HR should integrate cyber security expectations into job descriptions and performance reviews. This can be done by including specific behaviours or goals related to security, showing that cyber security is part of everyone's job.
- Managers should organise regular training sessions on cyber security for employees. This can involve inviting experts to talk about recent threats and providing practical tips on how to spot phishing emails or secure personal devices.
- The IT team should provide executives with regular updates on the organisation's cyber security status. This involves creating easy-to-understand reports that highlight key threats, recent incidents, and steps being taken, allowing executives to speak knowledgeably about security efforts.
- Executives should lead by example by following all cyber security practices themselves. This includes using strong passwords, not writing them down, and being cautious about the links and attachments they open, showing commitment to security best practices.
Audit / evidence tips
- Ask: meeting agendas and minutes where cyber security was discussed. Good: seeing regular discussions on cyber security initiatives and decisions.
- Good: includes clear expectations for cyber security awareness and actions in these documents.
- Ask: training records of cyber security sessions attended by employees. Good: consistent participation from staff across all departments, with up-to-date training content.
- Good: the report is clear, concise, and actionable.
- Ask: to see evidence of executives practising security measures themselves, such as using password managers or security software logs. Good: finding records or logs confirming executives' adherence to security protocols.
Cross-framework mappings
How ISM-2001 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially overlaps (1) | |
| Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs |
| Supports (4) | |
| Annex A 5.1 | ISM-2001 requires executive-level championing of cyber security culture, including demonstrating commitment and setting expectations |
| Annex A 5.4 | ISM-2001 requires the board or executive committee to champion a positive cyber security culture through visible leadership and example |
| Annex A 6.3 | ISM-2001 requires the board or executive committee to champion a positive cyber security culture by leading by example |
| Annex A 6.8 | ISM-2001 requires executives to champion a cyber security culture, including encouraging appropriate behaviours and accountability |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.