Cybersecurity events are analysed in a timely manner
Timely analysis of events to spot and manage security incidents.
Plain language
This control is about ensuring that when security alerts pop up on your systems, somebody is looking at them quickly. It's like a fire alarm sounding in your house - if nobody checks why it's ringing, a small fire could turn into something much worse. Without reviewing these alerts promptly, hackers might sneak in and cause serious damage before anyone even notices.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
18 May 2026
E8 maturity levels
ML2
Official control statement
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Why it matters
Delayed event analysis can let threats persist undetected, leading to severe breaches with longer incident recovery times.
Operational notes
Triage security alerts within 24 hours, correlate logs/EDR/SIEM sources, and record analysis outcomes to confirm whether events meet incident criteria.
Implementation tips
- IT staff should ensure all security event logs from critical systems are centralised so they can be monitored easily. This can be done by setting up a logging system that collects data from all your key computers and servers.
- The security officer should assign team members to monitor these logs at regular intervals. This might mean setting up a schedule where staff commit a couple of hours each day to review the logs.
- System administrators should configure alerts for unusual activities within these logs. This involves setting up notifications that get sent to the team if unusual patterns or attempts to breach security are detected.
- Managers should make sure there's a clear process for analysing and responding to alerts. This could be a simple checklist or guide that explains what to do when an alert comes up, who to contact, and how to take action.
Audit / evidence tips
- AskHow regularly are the event logs analysed to detect security incidents?
- GoodThere is a documented policy that specifies daily analysis of security logs with a record of who performed the analysis
- AskWhat happens when a cybersecurity event is identified?
- GoodThe organisation has a clear, documented process with timely reporting to relevant stakeholders, such as the chief information security officer
Cross-framework mappings
How E8-AC-ML2.8 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| Annex A 5.7 | Annex A 5.7 requires organisations to collect and analyse information security threat information to produce threat intelligence | |
| Annex A 5.25 | E8-AC-ML2.8 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| Annex A 5.28 | E8-AC-ML2.8 requires timely analysis of cyber security events to identify cyber security incidents | |
| Annex A 8.16 | E8-AC-ML2.8 requires cyber security events to be analysed in a timely manner to identify incidents | |
| handshake Supports (1) expand_less | ||
| Annex A 5.26 | E8-AC-ML2.8 requires timely analysis of cyber security events so incidents are identified early | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1961 | ISM-1961 mandates timely analysis of event logs from non-internet-facing network devices to detect cyber security events | |
| handshake Supports (4) expand_less | ||
| ISM-0120 | ISM-0120 requires equipping cyber security personnel with tools and data sources to monitor for key indicators of compromise | |
| ISM-1430 | ISM-1430 requires organizations to store DHCPv6 lease data centrally, helping to align with E8-AC-ML2.8 by providing crucial telemetry fo... | |
| ISM-1526 | ISM-1526 requires system owners to continuously monitor system security and manage cyber threats and risks for each system | |
| ISM-1960 | E8-AC-ML2.8 requires organisations to analyse cyber security events in a timely manner to identify incidents | |
| link Related (5) expand_less | ||
| ISM-1228 | E8-AC-ML2.8 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| ISM-1906 | E8-AC-ML2.8 requires prompt analysis of cyber security events so incidents are identified quickly | |
| ISM-1907 | E8-AC-ML2.8 requires organisations to analyse cyber security events in a timely manner to determine whether they are incidents | |
| ISM-1986 | E8-AC-ML2.8 requires timely analysis of cyber security events to identify cyber security incidents across the environment | |
| ISM-1987 | E8-AC-ML2.8 requires timely analysis of cyber security events so that incidents can be identified | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.