Cybersecurity incident response plan is enacted after incident identification
Activate the cybersecurity response plan as soon as an incident is identified.
- Framework: ASD Essential Eight
- Control effect: Responsive
- E8 mitigation strategy: Application control
- Classifications: N/A
- Official last update: N/A
- Control Stack last updated: 22 Feb 2026
- E8 maturity levels: ML2
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Source: ASD Essential Eight
Plain language
This control means that your business needs to have a plan ready to respond to cyber attacks as soon as they're identified. Without it, a cyber attack could cause more damage because you might not be prepared to act quickly, costing you time, money, and your reputation.
Why it matters
If the incident response plan is not enacted immediately after identification, containment is delayed and the incident can spread, increasing financial loss and reputational damage.
Operational notes
Maintain a defined on-call incident response roster with clear activation triggers, and run regular drills so the plan is enacted immediately upon incident identification.
Implementation tips
- The security officer should create a detailed cybersecurity incident response plan, outlining specific actions to take when an attack occurs.
- The IT team needs to train staff regularly on the incident response plan, ensuring everyone knows their role and responsibilities.
- System administrators should run regular simulations of cyber incidents to test and refine the plan, learning from any gaps discovered.
- The chief information security officer should ensure the incident response plan includes up-to-date contact information for all key personnel.
- IT managers should review and update the plan at least annually or when significant changes occur in the business or threat landscape.
Audit / evidence tips
- Ask: Does the organisation have a documented cybersecurity incident response plan?
- Good: The organisation has an up-to-date and comprehensive plan that covers all necessary steps during a cyber incident
- Ask: How often is the incident response plan tested and updated?
- Good: Simulations are conducted regularly, and the plan is reviewed and updated annually
Cross-framework mappings
How E8-AC-ML2.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.26 | E8-AC-ML2.11 requires that, once a cyber security incident is identified, the organisation activates its incident response plan | |
| Related (1) | | |
| Annex A 5.24 | Annex A 5.24 requires defining and communicating incident management processes, roles and responsibilities so the organisation is prepare... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Depends on (2) | | |
| ISM-0043 | E8-AC-ML2.11 requires organisations to enact the cyber security incident response plan immediately after an incident is identified | |
| ISM-0576 | E8-AC-ML2.11 requires enacting the cyber security incident response plan after incident identification | |
| Related (1) | | |
| ISM-1819 | ISM-1819 requires the organisation to enact its cyber security incident response plan once an incident is identified | |