Understand Critical Systems and Their Security
Board members must know their systems' importance, what they protect, and how well they're secured.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Proactive
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: May 2025
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: N/A
The board of directors or executive committee understands the business criticality of their organisation's systems, including at least a basic understanding of what exists, their value, where they reside, who has access, who might seek access, how they are protected, and how that protection is verified.
Source: ASD Information Security Manual (ISM)
Plain language
This control means that top leaders, such as board members, need to understand which of the organisation's systems are most critical, where they are, who can reach them and how they are protected. If those key systems are not well protected, the organisation risks data breaches, financial loss and reputational damage.
Why it matters
If the board has no visibility of which systems are critical, where they are hosted, who has access and what assurance exists, key assets may go unprotected or unverified, increasing the risk of breach, loss and reputational harm.
Operational notes
Provide the board a current critical-system register (value, hosting, owners), key access/threat summaries, and evidence of control effectiveness (assurance reports, test results) each quarter.
Implementation tips
- IT managers should create a list of all important systems and present it to the board. They can do this by inventorying systems based on their role in operations and the data they handle. Ensure this list explains the significance of each system in non-technical terms.
- Security teams need to identify and document who has access to critical systems. They should do this by reviewing user access lists and confirming users' roles justify their access. Regularly update this information to keep it current.
- The executive committee should schedule regular briefings about security protection measures. Invite IT and security staff to explain the types of protections in place, like firewalls or encryption, and what they do. Ensure communication is free from technical jargon.
- IT departments should perform a risk assessment to identify who might want to access critical systems and why. Create scenarios considering various threats such as unauthorised access or data breaches. Present the findings to management with clear potential impacts.
- Establish a system to verify the effectiveness of security measures. This could be done by organising internal audits or engaging third-party experts to test defences. Ensure results are reported to the board, highlighting areas needing improvement.
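The operational notes and implementation tips above amount to one artefact: a critical-system register that answers the ISM-2005 questions (what exists, its value, where it resides, who has access, how it is protected and how that is verified) and a quarterly check of whether each entry still answers them. The script below is an added example written for this page, not code from ASD or the ISM. The register fields, the 90-day access-review and 12-month assurance thresholds, the reporting date and the two sample systems are all assumptions constructed for illustration.

```python
"""Quarterly gap check over a critical-system register (added example).

The schema, thresholds and sample records are assumptions chosen for
illustration; they are not prescribed by the ISM.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2026, 3, 19)        # reporting date for this board cycle (assumed)
ACCESS_REVIEW_MAX_DAYS = 90      # access lists re-confirmed each quarter (assumed)
ASSURANCE_MAX_DAYS = 365         # independent test or audit at least yearly (assumed)


@dataclass
class System:
    name: str
    business_value: str              # what the system protects, in business terms
    hosting: str                     # where it resides (site, cloud region)
    owner: str                       # accountable business owner
    access: Dict[str, str]           # principal -> role justification ("" = none recorded)
    access_reviewed: Optional[date]  # last date the access list was confirmed
    assurance: Optional[date]        # last audit / penetration test / control test


def check_system(s: System, as_of: date = AS_OF) -> List[str]:
    """Return the gaps that would stop the board answering ISM-2005's questions."""
    gaps: List[str] = []
    if not s.business_value:
        gaps.append("business value not described")
    if not s.hosting:
        gaps.append("hosting location unknown")
    if not s.owner:
        gaps.append("no accountable owner")
    unjustified = sorted(p for p, why in s.access.items() if not why)
    if unjustified:
        gaps.append("unjustified access: " + ", ".join(unjustified))
    if s.access_reviewed is None or (as_of - s.access_reviewed).days > ACCESS_REVIEW_MAX_DAYS:
        gaps.append(f"access list not reviewed within {ACCESS_REVIEW_MAX_DAYS} days")
    if s.assurance is None or (as_of - s.assurance).days > ASSURANCE_MAX_DAYS:
        gaps.append(f"no assurance evidence within {ASSURANCE_MAX_DAYS} days")
    return gaps


def board_summary(register: List[System], as_of: date = AS_OF) -> dict:
    """Roll the per-system gaps up into the numbers a board pack would carry."""
    findings = {s.name: check_system(s, as_of) for s in register}
    return {
        "as_of": as_of.isoformat(),
        "systems": len(register),
        "systems_with_gaps": sum(1 for g in findings.values() if g),
        "findings": {name: gaps for name, gaps in findings.items() if gaps},
    }


# Constructed sample register: one complete entry and one with several gaps.
SAMPLE_REGISTER = [
    System(
        name="Payroll",
        business_value="Pays 2,400 staff; holds bank details and TFNs",
        hosting="SaaS, Australian region",
        owner="Chief Financial Officer",
        access={"payroll-admins": "run the pay cycle", "svc-backup": "nightly backup"},
        access_reviewed=date(2026, 2, 10),
        assurance=date(2025, 9, 1),
    ),
    System(
        name="Customer CRM",
        business_value="All customer contact and contract history",
        hosting="Sydney data centre",
        owner="",                                   # nobody accountable recorded
        access={"sales": "manage accounts", "contractor-x": ""},
        access_reviewed=date(2025, 10, 1),          # stale review
        assurance=None,                             # never tested
    ),
]

if __name__ == "__main__":
    summary = board_summary(SAMPLE_REGISTER)
    print(f"{summary['systems_with_gaps']} of {summary['systems']} critical systems have gaps")
    for name, gaps in summary["findings"].items():
        for gap in gaps:
            print(f"  {name}: {gap}")
```

Each gap maps to one of the five questions the control asks the board to answer, so the output is the list of items a quarterly pack cannot yet evidence rather than a technical audit result. The thresholds are deliberately constants at the top so they can be aligned with whatever review cadence the organisation actually commits to.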
Audit / evidence tips
- Ask for the inventory of critical systems: a comprehensive list of all essential systems the organisation relies on. Good evidence includes notes on each system's role and why it is critical.
- Ask for documentation of access controls: records showing who has access to these critical systems and why. Good evidence includes up-to-date access records with a clear justification for each user or role.
- Ask for security briefing records: minutes or summaries of the meetings at which security measures were explained to the board. Good evidence includes attendance lists and the topics covered, recorded in non-technical language.
- Ask for the results of recent risk assessments: reports describing potential threats, who might seek access, and their likelihood. Good evidence gives a thorough risk overview with direct links to the protective measures in place.
- Ask for evidence of the security verification process: reports from audits or testing of the security controls. Good evidence includes the audit or test outcomes and the follow-up actions planned for each finding.
Cross-framework mappings
How ISM-2005 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (5) | | |
| Annex A 5.9 | Annex A 5.9 requires an accurate and maintained inventory of information and associated assets, including ownership | Inventory of information and other associated assets |
| Annex A 5.15 | ISM-2005 requires the board or executive committee to understand critical systems, where they reside, and who has access, including how c... | Access control |
| Annex A 5.18 | ISM-2005 requires executives to understand who has access to critical systems and how that access is controlled and verified | Access rights |
| Annex A 5.35 | ISM-2005 requires executives to understand how critical systems are protected and how that protection is verified | Independent review of information security |
| Annex A 8.2 | ISM-2005 requires the board or executive committee to understand critical systems and who has access, including the adequacy of protectio... | Privileged access rights |