Understand Critical Systems and Their Security
Board members must know their systems' importance, what they protect, and how well they're secured.
Plain language
This control means that top leaders, like board members, need to understand which of their organisation's systems are most crucial and how they're being protected. This matters because if these key systems aren't well-protected, the organisation could face data breaches, financial losses, or damage to its reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The board of directors or executive committee understands the business criticality of their organisation's systems, including at least a basic understanding of what exists, their value, where they reside, who has access, who might seek access, how they are protected, and how that protection is verified.
Why it matters
If the board lacks visibility of critical systems, location, access and assurance, key assets may go unprotected or unverified, increasing breach, loss and reputational risk.
Operational notes
Provide the board a current critical-system register (value, hosting, owners), key access/threat summaries, and evidence of control effectiveness (assurance reports, test results) each quarter.
Implementation tips
- IT managers should create a list of all important systems and present it to the board. They can do this by inventorying systems based on their role in operations and the data they handle. Ensure this list explains the significance of each system in non-technical terms.
- Security teams need to identify and document who has access to critical systems. They should do this by reviewing user access lists and confirming users' roles justify their access. Regularly update this information to keep it current.
- The executive committee should schedule regular briefings about security protection measures. Invite IT and security staff to explain the types of protections in place, like firewalls or encryption, and what they do. Ensure communication is free from technical jargon.
- IT departments should perform a risk assessment to identify who might want to access critical systems and why. Create scenarios considering various threats such as unauthorised access or data breaches. Present the findings to management with clear potential impacts.
- Establish a system to verify the effectiveness of security measures. This could be done by organising internal audits or engaging third-party experts to test defences. Ensure results are reported to the board, highlighting areas needing improvement.
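The tips above amount to one artefact: a critical-system register that answers, for each system, the questions in the control statement (what exists, its value, where it resides, who has access, who might seek access, how it is protected, how that is verified). The following is an added example, not code from the ISM or from Control Stack, of a small Python check that validates such a register before a quarterly briefing and lists the systems whose evidence is incomplete or stale. The field names, the 90-day access-review and 365-day assurance cadences, the briefing date and the three sample systems are all assumptions constructed for the example.

```python
"""Critical-system register check for a quarterly board briefing.

Added example: it validates a constructed register against the questions
ISM-2005 expects the board to be able to answer and flags gaps. The schema
and cadences below are this example's assumptions, not an ISM requirement.
"""
from datetime import date, timedelta

# One field per question in the control statement (assumed field names).
REQUIRED_FIELDS = (
    "name",                # what exists
    "business_value",      # its value to the organisation
    "hosting",             # where it resides
    "owner",               # who is accountable for it
    "privileged_users",    # who has access (names or roles)
    "threat_sources",      # who might seek access
    "protections",         # how it is protected
    "last_assurance",      # when protection was last verified
    "assurance_source",    # how it was verified (audit, pentest, ...)
    "last_access_review",  # when the access list was last confirmed
)

# Assumed cadences; set these from your own policy.
ACCESS_REVIEW_MAX_AGE = timedelta(days=90)
ASSURANCE_MAX_AGE = timedelta(days=365)
BRIEFING_DATE = date(2026, 3, 19)  # assumed date of the briefing


def check_entry(entry, today):
    """Return the gaps that would stop the board answering the ISM-2005
    questions for one system. An empty list means the entry is complete."""
    gaps = []
    for field in REQUIRED_FIELDS:
        if entry.get(field) in (None, "", [], ()):
            gaps.append(f"missing {field}")
    review = entry.get("last_access_review")
    if review and today - review > ACCESS_REVIEW_MAX_AGE:
        gaps.append(f"access review overdue ({(today - review).days} days)")
    assured = entry.get("last_assurance")
    if assured and today - assured > ASSURANCE_MAX_AGE:
        gaps.append(f"assurance evidence overdue ({(today - assured).days} days)")
    if entry.get("open_findings"):
        gaps.append(f"{len(entry['open_findings'])} open finding(s) without closure")
    return gaps


def board_summary(register, today):
    """Summarise the register for the briefing: how many systems are fully
    evidenced and which have gaps, highest criticality first."""
    rows = [{"system": e.get("name", "<unnamed>"),
             "criticality": e.get("criticality", "unknown"),
             "gaps": check_entry(e, today)} for e in register]
    order = {"high": 0, "medium": 1, "low": 2}
    rows.sort(key=lambda r: (order.get(r["criticality"], 3), r["system"]))
    return {"as_of": today.isoformat(),
            "systems": len(rows),
            "complete": sum(1 for r in rows if not r["gaps"]),
            "with_gaps": [r for r in rows if r["gaps"]]}


# Constructed sample register: fictional systems, owners and dates.
SAMPLE_REGISTER = [
    {"name": "Payroll", "criticality": "high",
     "business_value": "Pays 1,200 staff; holds bank details and tax file numbers",
     "hosting": "SaaS provider, Sydney region", "owner": "CFO",
     "privileged_users": ["payroll-admin role (3 staff)", "vendor support"],
     "threat_sources": ["financially motivated criminals", "insiders"],
     "protections": ["MFA", "SSO", "vendor encryption at rest"],
     "last_assurance": date(2025, 11, 4), "assurance_source": "third-party penetration test",
     "last_access_review": date(2026, 2, 10), "open_findings": []},
    {"name": "Customer portal", "criticality": "high",
     "business_value": "Primary revenue channel; 80k customer accounts",
     "hosting": "Public cloud, two regions", "owner": "Head of Digital",
     "privileged_users": ["platform-engineering (6 staff)"],
     "threat_sources": [],                  # never assessed
     "protections": ["WAF", "MFA for admins"],
     "last_assurance": date(2024, 9, 1),    # older than a year
     "assurance_source": "internal audit",
     "last_access_review": date(2025, 10, 1),
     "open_findings": ["A-12 admin sessions never expire"]},
    {"name": "Building access control", "criticality": "medium",
     "business_value": "Controls physical entry to the data hall",
     "hosting": "On-premises, server room B", "owner": "Facilities Manager",
     "privileged_users": [],                # access list never documented
     "threat_sources": ["opportunistic intruders"], "protections": ["vendor-managed"],
     "last_assurance": None, "assurance_source": "",   # never verified
     "last_access_review": date(2026, 1, 15)},
]

if __name__ == "__main__":
    summary = board_summary(SAMPLE_REGISTER, BRIEFING_DATE)
    print(f"{summary['complete']} of {summary['systems']} systems fully evidenced as of {summary['as_of']}")
    for row in summary["with_gaps"]:
        print(f"- {row['system']} ({row['criticality']}): " + "; ".join(row["gaps"]))
```

Run it and the output is already in the register the board is asked for: each gap line names the question the board could not currently answer for that system (who has access, who might seek it, whether protection was ever verified), which is more useful in a briefing than a single pass/fail.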
Audit / evidence tips
- Ask for the inventory of critical systems: request a comprehensive list of all essential systems used by the organisation. Good evidence includes detailed notes on each system's role and why it's critical.
- Ask for documentation on access controls: request records showing who has access to these critical systems and why. Good evidence includes up-to-date access records with clear justifications.
- Ask for security briefing records: request minutes or summaries from meetings where security measures were explained to the board. Good evidence includes attendance lists and topics discussed in non-technical language.
- Ask for the results of recent risk assessments: request reports detailing potential threats and their likelihood. Good evidence provides a thorough risk overview with direct links to protective measures.
- Ask for evidence of the security verification process: request reports from any audits or testing of security systems. Good evidence includes detailed audit outcomes and planned follow-up actions.
Cross-framework mappings
How ISM-2005 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 5.9 | Annex A 5.9 requires an accurate and maintained inventory of information and associated assets, including ownership |
| Supports | Annex A 5.15 | ISM-2005 requires the board or executive committee to understand critical systems, where they reside, and who has access, including how c... |
| Supports | Annex A 5.18 | ISM-2005 requires executives to understand who has access to critical systems and how that access is controlled and verified |
| Supports | Annex A 5.35 | ISM-2005 requires executives to understand how critical systems are protected and how that protection is verified |
| Supports | Annex A 8.2 | ISM-2005 requires the board or executive committee to understand critical systems and who has access, including the adequacy of protectio... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.