ISM-2004 ASD Information Security Manual (ISM)

Enhancing Cyber Security Skills and Experience

The board supports cyber security training for all staff using internal and external opportunities.

Plain language

This control is about ensuring everyone in your organisation gets proper training on cyber security. It's important because if your staff aren't aware of the latest security threats and how to handle them, your organisation could be at risk of data breaches, financial losses, or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

The board of directors or executive committee supports the development of cyber security skills and experience for all personnel via internal and external cyber security awareness raising and training opportunities.

Why it matters

Without executive-backed cyber security training and awareness, staff are more likely to make avoidable errors, enabling breaches and data loss.

Operational notes

Have executives sponsor role-based cyber security training and awareness, track completion, and fund external courses to build staff skills and experience.

Implementation tips

  • The HR team should review current training programs to ensure they include cyber security awareness. They can do this by auditing existing resources and reaching out to training providers that specialise in cyber security.
  • Managers should schedule regular cyber security workshops for their teams. They can engage internal experts or hire external consultants to teach staff about the latest threats and safe practices.
  • The IT team should set up an internal portal with cyber security resources. This can include training videos, best practice guides, and a contact list for questions or reporting suspicious activity.
  • Executives should endorse cyber security training by leading by example. They can participate in training sessions and promote their importance in company meetings and newsletters.
  • The procurement department should budget for external cyber security training opportunities. This involves researching reputable training providers and allocating funds from the annual training budget.

Audit / evidence tips

  • Ask: Training materials. Request copies of the cyber security training content used in sessions. Good: Is well-organised, up-to-date content with practical examples.
  • Ask: Attendance records. Request lists of attendees for recent cyber security training events. Good: Shows regular and inclusive training involvement.
  • Ask: Feedback forms. Request the feedback gathered after cyber security training sessions. Good: Reveals high satisfaction ratings and action plans for addressing any issues noted.
  • Ask: A training schedule. Request past and planned training schedules. Good: Shows consistent and well-publicised training opportunities throughout the year.
  • Ask: The training budget. Request the annual budget allocated to cyber security training. Good: Indicates a dedicated and sufficient budget with a high usage percentage.

Cross-framework mappings

How ISM-2004 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (2)

  • Annex A 5.4: ISM-2004 requires board/executive support for developing cyber security skills and experience via awareness and training opportunities
  • Annex A 6.3: Annex A 6.3 requires organisations to provide appropriate awareness, education and training with regular policy and procedure updates rel...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
