Control Stack
ISM-2020 ASD Information Security Manual (ISM)

Ensure Adequate Cyber Security Personnel Are Acquired

The CISO must recruit qualified cyber security staff to support the organisation's activities.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
The CISO ensures sufficient cyber security personnel, with the right skills and experience, are acquired to support cyber security activities within their organisation.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure the organisation has enough people, with the right skills and experience, to protect its systems and data. Without sufficient cyber security staff, monitoring, patching and incident response fall behind, sensitive information is put at risk, and the organisation's operations and reputation can be harmed.

Why it matters

Insufficient cyber security staff delays monitoring and incident response, lets controls degrade as nobody owns them, and increases the likelihood of successful attacks and outages.

Operational notes

Review cyber security headcount and skills quarterly against workload and threat changes; address gaps via hiring, uplift training, or specialist support.

Implementation tips

  • Management should identify the number of cyber security employees and the skills the organisation needs. This involves consulting team leads and reviewing the current security tools and systems to determine gaps.
  • HR should develop job descriptions for the necessary cyber security roles, based on the identified skills and responsibilities and aligned with industry standards and the organisation's strategic goals.
  • The CISO should coordinate with recruitment teams to actively source and attract qualified candidates, for example by attending industry events, using specialised job boards, or partnering with universities that offer cyber security programs.
  • The IT team should establish an onboarding and ongoing training program for new recruits. This includes an introduction to the organisation's systems and security policies, and regular upskilling so staff stay current with emerging threats and tools.
  • Management should review the cyber security staffing plan annually to ensure it meets current and future needs. This involves interviewing current staff and assessing any new threats or technologies that affect security staffing requirements.

Audit / evidence tips

  • Ask for the cyber security staffing plan: request a document that outlines current staff levels and future hiring needs

    Good: includes clear links between identified security needs and staffing plans

  • Ask for job descriptions and qualifications: review the roles and required qualifications for cyber security positions

    Good: job descriptions accurately reflect the necessary skills and responsibilities

  • Ask for recruitment and hiring records: request data on recent hiring activity for cyber security roles

    Good: shows a proactive approach to recruiting qualified candidates

  • Ask for training and development programs: request details of the cyber security training provided to staff

    Good: includes relevant and regular training content that addresses current and emerging threats

  • Ask for annual reviews of cyber security staffing needs: request reports or minutes from meetings where staffing needs were discussed

    Good: reflects consideration of both current needs and future challenges

Cross-framework mappings

How ISM-2020 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Relationship           Control      Notes
Partially overlaps (1) Annex A 6.2  ISM-2020 requires the CISO to acquire enough cyber security personnel with appropriate skills and experience
Depends on (1)         Annex A 5.2  ISM-2020 requires the CISO to acquire sufficient cyber security personnel with the right skills and experience
