Cyber security incidents are reported promptly to CISO
Report security incidents quickly to the security chief or their team.
Plain language
If a cyber security incident happens, it's important to let the person in charge of security know as soon as possible. This helps the organisation respond quickly to limit the damage and prevent further issues from developing. Without this control, an incident might go unnoticed, leading to severe consequences like data breaches or loss of trust.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Why it matters
Delayed incident reporting risks escalating breaches, potentially compromising sensitive data and damaging organisational reputation.
Operational notes
Document and publicise an incident reporting workflow with CISO/delegate contact paths, and run periodic drills to ensure incidents are reported immediately on discovery.
Implementation tips
- The IT team should set up an internal procedure for reporting cyber security incidents. This can be done by creating a simple, easy-to-follow guide for staff on what incidents to report, how, and to whom.
- Security officers should establish a dedicated communication channel, like a phone line or an email address, for reporting incidents. Make sure this channel is monitored regularly by trained personnel.
- Systems administrators must ensure all staff know who the Chief Information Security Officer (CISO) or their delegate is. This can be achieved through regular communication and training sessions.
- The HR department should include incident reporting protocols as part of new employee onboarding. They can do this by integrating it into the initial training materials and orientation sessions.
- Security officers should conduct periodic drills or exercises simulating security incidents to ensure staff are familiar with the reporting procedure.
- The IT team should regularly review and update the incident reporting procedure to keep up with evolving cyber threats. Make sure any changes are communicated to all staff promptly.
Audit / evidence tips
- AskAre team members aware of the procedure for reporting cyber security incidents?
- GoodStaff training files indicate regular sessions covering incident reporting, with clear documentation of procedures shared
- AskIs there a dedicated communication channel for incident reporting?
- GoodA dedicated, monitored communication channel is available, with clear instructions on usage, showing evidence of regular monitoring
- AskHow quickly are incidents reported to the CISO or their delegate?
- GoodLogs display consistent timestamps of quick reporting to the CISO or delegate, with incidents reported within the expected timeframe
Cross-framework mappings
How E8-AC-ML2.9 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.26 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) after they occur or are discovered | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 6.8 | Annex A 6.8 requires the organisation to provide defined channels for prompt reporting of security events and suspected weaknesses | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-0142 | E8-AC-ML2.9 requires all cyber security incidents to be reported to the CISO (or delegate) as soon as possible | |
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-0140 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) | |
| ISM-1803 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) | |
| ISM-1819 | ISM-1819 requires that once a cyber security incident is identified, the organisation activates its incident response plan | |
| handshake Supports (4) expand_less | ||
| ISM-0125 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| ISM-0733 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) | |
| ISM-1478 | ISM-1478 requires the CISO to oversee the organisation’s cyber security program and ensure compliance with cyber security obligations | |
| ISM-1618 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) | |
| link Related (2) expand_less | ||
| ISM-0123 | E8-AC-ML2.9 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after occurrence or discovery | |
| ISM-0714 | ISM-0714 requires the organisation to appoint a CISO to provide cyber security leadership and guidance | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.