This section of the ISM provides guidance on development and maintenance of security documentation.

Cyber security strategy

A cyber security strategy sets out an organisation's guiding principles, objectives and priorities for cyber security, typically over a three-to-five-year period. In addition, a cyber security strategy may also cover an organisation's threat environment, cyber security initiatives (an action plan) or investments the organisation plans to make as part of its cyber security program. Without a cyber security strategy, organisations risk failing to adequately plan for and manage security and business risks within their organisation.

Security Control: 0039; Revision: 4; Updated: May-19; Applicability: O, P, S, TS
A cyber security strategy is developed and implemented for the organisation.

Approval of security documentation

If security documentation is not approved, personnel will have difficulty ensuring appropriate policies, processes and procedures are in place. Having approval not only assists in the implementation of policies, processes and procedures, it also ensures personnel are aware of cyber security issues and security risks.

Security Control: 0047; Revision: 4; Updated: May-19; Applicability: O, P, S, TS
Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.

Maintenance of security documentation

Threat environments are dynamic. If security documentation is not kept up-to-date to reflect the current threat environment, security controls and processes may cease to be effective. In such a situation, resources could be devoted to areas that have reduced effectiveness or are no longer relevant.

Security Control: 0888; Revision: 5; Updated: May-19; Applicability: O, P, S, TS
Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.

Communication of security documentation

It is important that once security documentation has been approved, either initially or following any changes, it is published and communicated to all stakeholders. If security documentation is not communicated to stakeholders they will be unaware of what policies and procedures have been implemented for systems and their use.

Security Control: 1602; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Security documentation, including notification of subsequent changes, is communicated to all stakeholders.

Further information

Further information on intrusion detection and prevention policy can be found in the Guidelines for Cyber Security Incidents.

Further information on cyber security incident registers can be found in the Guidelines for Cyber Security Incidents.

Further information on ICT equipment and media registers can be found in the Guidelines for Physical Security.

Further information on authorised Radio Frequency devices for SECRET and TOP SECRET area registers can be found in the Guidelines for Physical Security.

Further information on cable registers can be found in the Guidelines for Communications Infrastructure.

Further information on cable labelling process and procedures can be found in the Guidelines for Communications Infrastructure.

Further information on telephone systems usage policy can be found in the Guidelines for Communications Systems.

Further information on fax machine and multifunction device usage policy can be found in the Guidelines for Communications Systems.

Further information on mobile device management policy and mobile device usage policy, as well as mobile device emergency sanitisation process and procedures, can be found in the Guidelines for Enterprise Mobility.

Further information on ICT equipment management policy, as well as ICT equipment sanitisation and disposal processes and procedures, can be found in the Guidelines for ICT Equipment.

Further information on media management policy and removable media usage policy, as well as media sanitisation, destruction and disposal processes and procedures, can be found in the Guidelines for Media.

Further information on system administration process and procedures can be found in the Guidelines for System Management.

Further information on patch management process and procedures can be found in the Guidelines for System Management.

Further information on software registers can be found in the Guidelines for System Management.

Further information on change management process and procedures can be found in the Guidelines for System Management.

Further information on digital preservation policy, as well as data backup and restoration processes and procedures, can be found in the Guidelines for System Management.

Further information on event logging policy, as well as event log auditing process and procedures, can be found in the Guidelines for System Monitoring.

Further information on database registers can be found in the Guidelines for Database Systems.

Further information on email usage policy can be found in the Guidelines for Email.

Further information on network device registers can be found in the Guidelines for Networking.

Further information on web usage policy can be found in the Guidelines for Gateways.

Further information on data transfer process and procedures can be found in the Guidelines for Data Transfers.