E8-AC-ML2.11 ASD Essential Eight

Cybersecurity incident response plan is enacted after incident identification

Activate the cybersecurity response plan as soon as an incident is identified.

Plain language

This control means that your business needs to have a plan ready to respond to cyber attacks as soon as they're identified. Without it, a cyber attack could cause more damage because you might not be prepared to act quickly, costing you time, money, and your reputation.

Framework

ASD Essential Eight

Control effect

Responsive

E8 mitigation strategy

Application control

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

Why it matters

If the incident response plan is not enacted immediately after identification, containment is delayed and the incident can spread, increasing financial loss and reputational damage.

Operational notes

Maintain a defined on-call incident response roster with clear activation triggers, and run regular drills so the plan is enacted immediately upon incident identification.

Implementation tips

  • The security officer should create a detailed cybersecurity incident response plan, outlining specific actions to take when an attack occurs.
  • The IT team needs to train staff regularly on the incident response plan, ensuring everyone knows their role and responsibilities.
  • System administrators should run regular simulations of cyber incidents to test and refine the plan, learning from any gaps discovered.
  • The chief information security officer should ensure the incident response plan includes up-to-date contact information for all key personnel.
  • IT managers should review and update the plan at least annually or when significant changes occur in the business or threat landscape.

Audit / evidence tips

  • Ask: Does the organisation have a documented cybersecurity incident response plan?
  • Good: The organisation has an up-to-date and comprehensive plan that covers all necessary steps during a cyber incident.
  • Ask: How often is the incident response plan tested and updated?
  • Good: Simulations are conducted regularly, and the plan is reviewed and updated annually.

Cross-framework mappings

How E8-AC-ML2.11 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.26: E8-AC-ML2.11 requires activating the cyber security incident response plan immediately after an incident is identified

Depends on (1)

  • Annex A 5.24: E8-AC-ML2.11 requires activating the incident response plan once an incident is identified

ASD ISM

Depends on (2)

  • ISM-0043: E8-AC-ML2.11 requires that the incident response plan is enacted after identifying a cyber security incident
  • ISM-0576: E8-AC-ML2.11 requires enacting the cyber security incident response plan once an incident is identified

Related (1)

  • ISM-1819: E8-AC-ML2.11 requires that once a cyber security incident is identified, the organisation enacts its cyber security incident response plan

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
