Executive Planning for Cyber Incident Preparedness
Executives must plan and practice handling major cyber incidents to know their responsibilities.
Plain language
Planning and practising for potential cyber attacks is crucial for executives, as this ensures they know exactly what to do when a serious threat occurs. Without a plan, the organisation risks confusion and delayed responses, which can lead to significant losses or damage to its reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The board of directors or executive committee plans for major cyber security incidents, including by participating in exercises, and understand their duties in relation to such cyber security incidents.
Why it matters
If the board/executive committee does not plan and rehearse for major cyber incidents, critical decisions may be delayed or wrong, worsening legal, financial and operational impacts.
Operational notes
Schedule executive-led cyber incident exercises; document board/executive duties, delegations and decision thresholds, then update plans and playbooks after each exercise.
Implementation tips
- Board members should organise regular cyber incident response exercises that simulate realistic scenarios. Tabletop exercises, in which each participant walks through their role and the decisions they would make, expose gaps in the plan and confirm that everyone understands their responsibilities.
- The executive committee should appoint a cyber security lead to develop a detailed incident response plan. The plan should set out each executive's duties during an incident and be reviewed quarterly so it keeps pace with current threats.
- Human resources should work with managers to ensure all staff are aware of the cyber incident response plan. Run training sessions that explain the plan in plain language and state what is expected of each team member when an attack occurs.
- IT managers should maintain an up-to-date contact list of key incident response personnel, backed by a clear communication strategy so that everyone knows who to contact and how information will be shared quickly during an incident.
- The CEO should schedule regular briefings with the cyber security lead to stay informed of industry trends and threats. This ongoing communication keeps strategy current and ensures executives can make informed decisions during a crisis.
Audit / evidence tips
- Ask for the incident response meeting notes: request the minutes from any cyber security planning exercises conducted. Good evidence includes detailed records of regular planning sessions with executive and board member attendance.
- Good evidence includes a comprehensive, updated document with specific roles and tested procedures.
- Ask for training attendance records: check when and how often executives and relevant staff have attended cyber security training sessions. Good evidence includes frequent training sessions with full attendance by relevant decision-makers.
- Good evidence is a well-organised document with current contacts and an efficient communication chain.
- Ask for feedback from exercise participants: request any feedback or improvement suggestions gathered after planning exercises, and check that feedback is acted upon and documented in follow-up actions. Good evidence includes reflection on past exercises and incremental improvements made over time.
Cross-framework mappings
How ISM-2006 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.2 | ISM-2006 requires the board/executive committee to understand their duties in relation to major cyber security incidents and to participa... |
| Partially overlaps | Annex A 5.24 | ISM-2006 requires the board/executive committee to plan and practise for major cyber security incidents (e.g |
| Supports | Annex A 5.26 | ISM-2006 requires executives to plan for major cyber incidents and practise their response so they understand their duties |
| Supports | Annex A 5.29 | Annex A 5.29 requires the organisation to plan for maintaining information security at an appropriate level during disruptions |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.