Ensure Adequate Cyber Security Personnel Are Acquired
The CISO must recruit qualified cyber security staff to support the organisation's activities.
Plain language
This control is about making sure there are enough people with the right skills to protect your organisation's computer systems and data. Without enough cyber security staff, your organisation might be vulnerable to attacks, putting sensitive information at risk and potentially harming your reputation or operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO ensures sufficient cyber security personnel, with the right skills and experience, are acquired to support cyber security activities within their organisation.
Why it matters
Insufficient cyber security staff can delay monitoring and incident response, weaken controls, and increase the likelihood of successful attacks and outages.
Operational notes
Review cyber security headcount and skills quarterly against workload and threat changes; address gaps via hiring, uplift training, or specialist support.
Implementation tips
- Management should identify the skills and number of cyber security employees needed for their organisation. This involves consulting with team leads and reviewing current security tools and systems to determine gaps or needs.
- HR should develop job descriptions for the necessary cyber security roles. These should be based on identified skills and responsibilities, and align with industry standards and the organisation’s strategic goals.
- The CISO should coordinate with recruitment teams to actively source and attract qualified candidates. This could involve attending industry events, using specialised job boards, or partnering with universities offering cyber security programs.
- The IT team should establish an onboarding and ongoing training program for new recruits. This includes an introduction to the organisation’s systems, security policies, and regular upskilling opportunities to keep staff updated with the latest cyber security threats and tools.
- Management should review the cyber security staffing plan annually to ensure it meets current and future needs. This involves conducting interviews with current staff and assessing any new threats or technologies impacting security needs.
Audit / evidence tips
- Ask: the cyber security staffing plan. Request a document that outlines current staff levels and future hiring needs.
  Good: includes clear links between identified security needs and staffing plans.
- Ask: job descriptions and qualifications. Review the roles and required qualifications for cyber security positions.
  Good: shows that job descriptions accurately reflect necessary skills and responsibilities.
- Ask: recruitment and hiring records. Request data on recent hiring activities for cyber security roles.
  Good: shows a proactive approach to recruiting qualified candidates.
- Ask: training and development programs. Request details of cyber security training provided to staff.
  Good: includes relevant and regular training content that addresses current and emerging threats.
- Ask: annual reviews of cyber staffing needs. Request reports or minutes from meetings where staffing needs were discussed.
  Good: reflects consideration of both current needs and future challenges.
Cross-framework mappings
How ISM-2020 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 6.2 | Annex A 6.2 requires employment contractual agreements to clearly state the information security responsibilities of both personnel and t... |
| Depends on | Annex A 5.2 | ISM-2020 requires the CISO to acquire sufficient cyber security personnel with the right skills and experience |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.