Cybersecurity incidents must be reported immediately to the CISO
Report any cybersecurity incidents to the Chief Information Security Officer as soon as they happen.
Plain language
This control is about making sure that any cyber attacks or breaches are quickly reported to the person who oversees computer security in your business. This matters because the sooner you report a problem, the faster it can be dealt with to prevent further harm or data loss.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Why it matters
Delayed incident reporting can impede effective response, risking greater data loss, reputational damage, and non-compliance penalties.
Operational notes
Publish clear CISO/delegate reporting channels and escalation steps; train staff to report incidents immediately and test the process with regular exercises.
Implementation tips
- Security Officer should inform all employees about the importance of reporting cyber incidents immediately and clearly define what constitutes an incident.
- IT team should establish a straightforward reporting process for employees, such as a dedicated email address or phone number to use when security incidents occur.
- System administrator should set up real-time alerts and monitoring tools to automatically notify the security team when certain thresholds indicating potential incidents are crossed.
- HR department should integrate cybersecurity incident reporting protocols into employee onboarding training.
- Security Officer should conduct regular training sessions for staff on recognising and reporting cybersecurity incidents to ensure readiness.
Audit / evidence tips
- AskHow are cybersecurity incidents reported and to whom?
- GoodThe protocol documents should show a designated and clear procedure for incident reporting directly to the CISO, including contact methods and responsible individuals
- AskHow quickly do incidents get reported to the CISO?
- GoodIncident reports should show that communication with the CISO or their delegate happens immediately or very soon after detection
Cross-framework mappings
How E8-AH-ML2.16 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.24 | E8-AH-ML2.16 requires prompt reporting of cyber security incidents to the CISO (or delegate) | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 6.8 | Annex A 6.8 requires mechanisms and defined channels for prompt reporting of security events and suspected weaknesses | |
| handshake Supports (1) expand_less | ||
| Annex A 5.2 | Annex A 5.2 requires that information security roles and responsibilities are defined and allocated | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| ISM-0043 | E8-AH-ML2.16 requires immediate reporting of cyber security incidents to the CISO (or delegate) | |
| ISM-0576 | E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible | |
| sync_alt Partially overlaps (6) expand_less | ||
| ISM-0140 | E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are disco... | |
| ISM-0142 | E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after occurrence or discovery | |
| ISM-1088 | ISM-1088 requires personnel to rapidly report potential compromise of mobile devices, removable media, or credentials, particularly when ... | |
| ISM-1618 | E8-AH-ML2.16 requires cyber security incidents to be reported immediately to the CISO (or delegate) | |
| ISM-1803 | ISM-1803 mandates the documentation of cyber security incidents in a register, including timing, details, actions, and reporting pathways | |
| ISM-1819 | ISM-1819 requires the organisation to enact its cyber security incident response plan following identification of an incident | |
| handshake Supports (3) expand_less | ||
| ISM-0125 | E8-AH-ML2.16 requires immediate reporting of cyber security incidents to the CISO (or delegate) | |
| ISM-0141 | E8-AH-ML2.16 requires cyber security incidents to be reported promptly to the CISO (or delegate) | |
| ISM-1478 | ISM-1478 requires the CISO to oversee the cyber security program and ensure the organisation complies with relevant cyber security polici... | |
| extension Depends on (1) expand_less | ||
| ISM-1881 | ISM-1881 requires timely reporting of cyber incidents (without customer data involvement) to customers and the public | |
| link Related (3) expand_less | ||
| ISM-0123 | E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are disco... | |
| ISM-0714 | ISM-0714 requires appointing a CISO to lead and guide cyber security across IT and OT | |
| ISM-0733 | E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after occurrence or discovery | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.