ISM-2001 ASD Information Security Manual (ISM)

Championing Cyber Security at an Executive Level

Executives set a good example to promote a healthy cyber security culture in the organisation.

🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Proactive
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2025
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A

Official control statement
The board of directors or executive committee champions a positive cyber security culture within their organisation, including through leading by example.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about ensuring the leaders of an organisation promote good cyber security practices by setting a positive example. When executives actively support cyber security, it encourages everyone to follow suit, reducing risks like data breaches or other damaging cyber incidents.

Why it matters

If the board and executives do not champion cyber security, staff follow their lead, weakening the security culture and increasing the likelihood of incidents, breaches and losses.

Operational notes

Executives and the board should visibly lead by example (attending briefings, sending clear messaging, complying with controls themselves), sponsor security initiatives, and fund security priorities to reinforce a positive cyber security culture.

Implementation tips

  • Executives should regularly speak about the importance of cyber security during staff meetings. They can do this by starting each meeting with a brief update on what the organisation is doing to protect its data and why it matters for everyone's work.
  • HR should integrate cyber security expectations into job descriptions and performance reviews. This can be done by including specific behaviours or goals related to security, showing that cyber security is part of everyone's job.
  • Managers should organise regular training sessions on cyber security for employees. This can involve inviting experts to talk about recent threats and providing practical tips on how to spot phishing emails or secure personal devices.
  • The IT team should provide executives with regular updates on the organisation's cyber security status. This involves creating easy-to-understand reports that highlight key threats, recent incidents, and steps being taken, allowing executives to speak knowledgeably about security efforts.
  • Executives should lead by example by following all cyber security practices themselves. This includes using strong passwords, not writing them down, and being cautious about the links and attachments they open, showing commitment to security best practices.

Audit / evidence tips

  • Ask: meeting agendas and minutes where cyber security was discussed

    Good: regular discussions of cyber security initiatives and decisions

  • Good: clear expectations for cyber security awareness and actions in these documents

  • Ask: training records of cyber security sessions attended by employees

    Good: consistent participation from staff across all departments, with up-to-date training content

  • Good: the report is clear, concise, and actionable

  • Ask: evidence of executives practising security measures themselves, such as password manager use or security software logs

    Good: records or logs confirming executives' adherence to security protocols

Cross-framework mappings

How ISM-2001 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Supports (4):

  • Annex A 5.1: ISM-2001 requires executive-level championing of cyber security culture, including demonstrating commitment and setting expectations
  • Annex A 5.4: ISM-2001 requires the board or executive committee to champion a positive cyber security culture through visible leadership and example
  • Annex A 6.3: ISM-2001 requires the board or executive committee to champion a positive cyber security culture by leading by example
  • Annex A 6.8: ISM-2001 requires executives to champion a cyber security culture, including encouraging appropriate behaviours and accountability
