Monitor Cyber Security Workforce and Skill Gaps
Executives should stay informed on hiring and skills gaps in their cyber security team.
Plain language
This control is about making sure that the people at the top of an organisation, like the board of directors, are aware of what's happening with the cyber security team. They need to know if there are enough qualified people, if those people have the right skills, and if they are staying with the company. If the leaders aren't paying attention, the organisation might not have the right people to protect it from cyber threats, leading to potential data breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The board of directors or executive committee maintains awareness of key cyber security recruitment activities, retention rates for cyber security personnel, and cyber security skills and experience gaps within their organisation.
Why it matters
Without executive oversight of cyber security recruitment, retention and skill gaps, key roles may remain unfilled and capability erodes, increasing breach likelihood and business impact.
Operational notes
Provide quarterly board/executive reporting on cyber recruitment pipelines, retention metrics and skills-gap analysis, with actions, owners and dates to close capability shortfalls.
Implementation tips
- HR personnel should regularly review job descriptions and compare them with the current skill sets of the cyber security team. This means looking at what skills are needed versus what the team members currently have and identifying any gaps. Use feedback from team managers to adjust job requirements and provide training recommendations.
- The IT manager should set up quarterly meetings with the board to present a report on cyber security staffing. Prepare a simple presentation that outlines key metrics like the number of open positions, time taken to fill roles, and retention rates, highlighting any ongoing challenges and successes in recruitment.
- Team leaders in cyber security should conduct skill assessments of their team members every six months. Use these assessments to map out which skills are present and which are lacking in the team. This information can then inform training plans or identify where new hires are needed.
- Executives should promote a culture of continuous learning by encouraging team members to attend external training and certification courses. Work with HR to establish a professional development plan that includes budget and time off for staff training.
- The board of directors should support conducting an annual review of the cyber security workforce's effectiveness. Engage an external consultant to evaluate whether the team structure is aligned with the latest cyber security threats and make recommendations for improvements.
Audit / evidence tips
- Ask: the cyber security staffing report. Request the latest report presented to the board about hiring activities and workforce status.
  Good: includes up-to-date statistics and clearly articulated challenges and solutions discussed by the board.
- Ask: skill assessment records. Request records of the skill assessments for the cyber security team.
  Good: shows that these assessments are completed regularly and contain actionable insights.
- Ask: meeting minutes. Request minutes from meetings where cyber security staffing was discussed.
  Good: shows clear documentation of decisions and follow-up actions regarding staffing and skill gaps.
- Ask: training and development plans. Request copies of professional development plans for the cyber security team.
  Good: shows a strategic approach to developing workforce skills, including timelines and outcomes.
- Ask: consultant reports. Request any external consultant evaluations of the cyber security team's structure and effectiveness.
  Good: provides evidence of how external advice was incorporated into workforce planning.
Cross-framework mappings
How ISM-2003 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 5.2 | ISM-2003 requires the board/executive to maintain awareness of cyber security recruitment activity, retention rates, and cyber security s... | |
| Annex A 6.3 | ISM-2003 requires executives to track cyber security skills and experience gaps (as well as recruitment and retention signals) to ensure ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.