Cybersecurity incident response plan is enacted after incident identification
Activate the cybersecurity response plan as soon as an incident is identified.
Plain language
This control means that your business needs to have a plan ready to respond to cyber attacks as soon as they're identified. Without it, a cyber attack could cause more damage because you might not be prepared to act quickly, costing you time, money, and your reputation.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Why it matters
If the incident response plan is not enacted immediately after identification, containment is delayed and the incident can spread, increasing financial loss and reputational damage.
Operational notes
Maintain a defined on-call incident response roster with clear activation triggers, and run regular drills so the plan is enacted immediately upon incident identification.
Implementation tips
- The security officer should create a detailed cybersecurity incident response plan, outlining specific actions to take when an attack occurs.
- The IT team needs to train staff regularly on the incident response plan, ensuring everyone knows their role and responsibilities.
- System administrators should run regular simulations of cyber incidents to test and refine the plan, learning from any gaps discovered.
- The chief information security officer should ensure the incident response plan includes up-to-date contact information for all key personnel.
- IT managers should review and update the plan at least annually or when significant changes occur in the business or threat landscape.
Audit / evidence tips
-
AskDoes the organisation have a documented cybersecurity incident response plan?
-
GoodThe organisation has an up-to-date and comprehensive plan that covers all necessary steps during a cyber incident
-
AskHow often is the incident response plan tested and updated?
-
GoodSimulations are conducted regularly, and the plan is reviewed and updated annually
Cross-framework mappings
How E8-AC-ML2.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.26 | E8-AC-ML2.11 requires activating the cyber security incident response plan immediately after an incident is identified | |
| extension Depends on (1) expand_less | ||
| Annex A 5.24 | E8-AC-ML2.11 requires activating the incident response plan once an incident is identified | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| extension Depends on (2) expand_less | ||
| ISM-0043 | E8-AC-ML2.11 requires that the incident response plan is enacted after identifying a cyber security incident | |
| ISM-0576 | E8-AC-ML2.11 requires enacting the cyber security incident response plan once an incident is identified | |
| link Related (1) expand_less | ||
| ISM-1819 | E8-AC-ML2.11 requires that once a cyber security incident is identified, the organisation enacts its cyber security incident response plan | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.