Cyber security incidents are reported promptly to CISO
Report security incidents quickly to the security chief or their team.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Responsive
🛠️ E8 mitigation strategy
Application control
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Source: ASD Essential Eight
Plain language
If a cyber security incident happens, it's important to let the person in charge of security know as soon as possible. This helps the organisation respond quickly to limit the damage and prevent further issues from developing. Without this control, an incident might go unnoticed, leading to severe consequences like data breaches or loss of trust.
Why it matters
Delayed incident reporting risks escalating breaches, potentially compromising sensitive data and damaging organisational reputation.
Operational notes
Document and publicise an incident reporting workflow with CISO/delegate contact paths, and run periodic drills to ensure incidents are reported immediately on discovery.
Implementation tips
- The IT team should set up an internal procedure for reporting cyber security incidents. This can be done by creating a simple, easy-to-follow guide for staff on what incidents to report, how, and to whom.
- Security officers should establish a dedicated communication channel, like a phone line or an email address, for reporting incidents. Make sure this channel is monitored regularly by trained personnel.
- Systems administrators must ensure all staff know who the Chief Information Security Officer (CISO) or their delegate is. This can be achieved through regular communication and training sessions.
- The HR department should include incident reporting protocols as part of new employee onboarding. They can do this by integrating it into the initial training materials and orientation sessions.
- Security officers should conduct periodic drills or exercises simulating security incidents to ensure staff are familiar with the reporting procedure.
- The IT team should regularly review and update the incident reporting procedure to keep up with evolving cyber threats. Make sure any changes are communicated to all staff promptly.
Audit / evidence tips
-
Ask: Are team members aware of the procedure for reporting cyber security incidents?
-
Good: Staff training files indicate regular sessions covering incident reporting, with clear documentation of procedures shared
-
Ask: Is there a dedicated communication channel for incident reporting?
-
Good: A dedicated, monitored communication channel is available, with clear instructions on usage, showing evidence of regular monitoring
-
Ask: How quickly are incidents reported to the CISO or their delegate?
-
Good: Logs display consistent timestamps of quick reporting to the CISO or delegate, with incidents reported within the expected timeframe
Cross-framework mappings
How E8-AC-ML2.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-0142 | E8-AC-ML2.9 requires all cyber security incidents to be reported to the CISO (or delegate) as soon as possible | |
| Partially overlaps (1) | ||
| ISM-1819 | ISM-1819 requires that once a cyber security incident is identified, the organisation activates its incident response plan | |
| Supports (2) | ||
| ISM-0125 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| ISM-1478 | ISM-1478 requires the CISO to oversee the organisation’s cyber security program and ensure compliance with cyber security obligations | |
| Depends on (1) | ||
| ISM-1618 | ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents | |
| Related (3) | ||
| ISM-0123 | ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after occurrence or discovery | |
| ISM-0714 | ISM-0714 requires the organisation to appoint a CISO to provide cyber security leadership and guidance | |
| ISM-0733 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation | |