ISM-2002 | ASD Information Security Manual (ISM)

Ensure Board Cyber Security Literacy for Compliance

Executive leaders must understand cyber security to meet legal and regulatory responsibilities.


Plain language

This control means that the board of directors or top executives need to understand enough about cyber security to make informed decisions and ensure the company complies with laws and regulations. If they don’t, the organisation could face legal penalties, financial losses, or damage to its reputation if a cyber attack occurs.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

The board of directors or executive committee maintains a sufficient level of cyber security literacy to fulfil both their fiduciary duties and any legislative or regulatory obligations.

Why it matters

Lack of board cyber literacy can lead to uninformed decisions, resulting in regulatory breaches and severe reputational and financial harm.


Operational notes

Provide quarterly board briefings on cyber risk, regulatory duties and incidents; record attendance and actions to evidence literacy.


Implementation tips

  • Board Chair should organise regular cyber security training sessions. Work with a qualified cyber security professional to deliver workshops tailored to the organisation's needs, explaining current cyber threats and how they impact the business.
  • CEO should ensure a cyber security expert is present at board meetings. Invite a knowledgeable internal or external adviser to discuss cyber risks and strategies in straightforward terms, enabling informed decision-making.
  • HR should incorporate cyber security awareness into the onboarding process for new executives. Develop a program that introduces essential concepts and responsibilities related to cyber security, using simple examples and case studies.
  • Chief Information Officer should provide monthly updates on cyber security matters to the board. Prepare written reports and in-person briefings that summarise recent incidents, upcoming threats, and the measures taken to safeguard the organisation.
  • Legal Counsel should review the organisation's obligations under current cyber security laws and regulations. Give the board a summary document explaining these responsibilities clearly and highlighting any changes or updates required.

Audit / evidence tips

  • Ask: The latest board meeting minutes
  • Ask: Training records of board members. Good: Record shows regular participation of members in sessions that are relevant to current threats and regulatory requirements
  • Ask: Any external advisory reports presented to the board
  • Ask: The organisation's cyber security policy; look particularly at the involvement of executive leaders in the policy creation and review process. Good: Policy will have clear input from the board and be updated with emerging threats and compliance needs
  • Ask: A summary of laws and regulations relating to cyber security compliance reviewed by the board. Good: Summary should detail the board's understanding and steps taken to remain compliant

Cross-framework mappings

How ISM-2002 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (4)

  • Annex A 5.1: ISM-2002 requires the board or executive committee to maintain sufficient cyber security literacy to meet fiduciary and regulatory obliga...
  • Annex A 5.31: ISM-2002 requires the board or executive committee to be cyber-literate enough to fulfil fiduciary duties and legislative or regulatory o...
  • Annex A 5.34: Annex A 5.34 requires the organisation to comply with privacy and PII obligations arising from laws and regulations
  • Annex A 5.35: ISM-2002 requires the board or executive committee to maintain cyber security literacy sufficient for governance and regulatory compliance

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.