A framework of practical better-practice guidance to help Australian directors oversee cyber security risk and engage with management on it.

The Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre have collaborated to produce the Cyber Security Governance Principles, a framework to assist Australian directors in overseeing cyber security risk and promoting a culture of cyber security resilience.

Top 10 questions

Roles and responsibilities

  1. Does the board understand cyber risks well enough to oversee and challenge?
  2. Who has primary responsibility for cyber security in our management team?

Cyber strategy

  3. Who has internal responsibility for the management and protection of our key digital assets and data?
  4. Where, and with whom, are our key digital assets and data located?

Cyber risk management

  5. Is cyber risk specifically identified in the organisation’s risk management framework?
  6. How regularly does management present to the board or risk committee on the effectiveness of cyber risk controls?

Cyber resilient culture

  7. Is cyber security training mandatory across the organisation, and is it differentiated by area or role?
  8. How is the effectiveness of training measured?

Cyber incident planning

  9. Do we have a Cyber Incident Response Plan, including a comprehensive communications strategy, informed by simulation exercises and testing?
  10. Can we access external support if necessary to assist with a significant cyber security incident?


“Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.”

Hon Clare O’Neil MP
Minister for Home Affairs and Minister for Cyber Security

Checklist for NFP directors

For not-for-profit directors, the report includes a checklist of practical, low-cost steps to enhance cyber security resilience, covering how to:

1. Set clear roles and responsibilities

2. Develop, implement and evolve a comprehensive cyber strategy

3. Embed cyber security in existing risk management practices

4. Promote a culture of cyber resilience

5. Plan for a significant cyber security incident

You can read the full report here.

About this research

About the AICD

The AICD is committed to strengthening society through world-class governance. We aim to be the independent and trusted voice of governance, building the capability of a community of leaders for the benefit of society. Our membership includes directors and senior leaders from business, government and the not-for-profit sectors.

About the CSCRC

The CSCRC is dedicated to fostering the next generation of Australian cyber security talent, developing innovative projects to strengthen our nation’s cyber security capabilities. We build effective collaborations between industry, government and researchers, creating real-world solutions for pressing cyber-related problems.
