Skip to main content

This section of the ISM provides guidance on system owners.

System ownership

System owners are responsible for ensuring the secure operation of their systems; however, system owners may delegate the day-to-day management and operation of their systems to system managers.

Security Control: 1071; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Each system has a designated system owner.

Gaining authorisation to operate systems

System owners are responsible for obtaining authorisation to operate each of their systems from its authorising officer.

Security Control: 1525; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
System owners register each system with the system’s authorising officer.

Security Control: 0027; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
System owners obtain authorisation to operate each system from the system’s authorising officer.

Monitoring cyber threats, security risks and security controls

Once authorisation to operate has been obtained, regular monitoring of cyber threats, security risks and security controls associated with systems and their operating environments, as outlined in continuous monitoring plans, are followed.

Security Control: 1526; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
System owners monitor security risks and the effectiveness of security controls for each system.

Annual reporting of system security status

Annual reporting on the security status of their systems to their authorising officers (e.g. by providing outcomes of any vulnerability scans and penetration tests) can assist authorising officers in maintaining awareness of the security posture of systems.

Security Control: 1587; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
System owners report the security status of each system to its authorising officer at least annually.

Further information

Further information on monitoring systems and their operating environments can be found in the Guidelines for System Monitoring.