Report cyber security incidents to ASD promptly
Report cyber security incidents to ASD as soon as they're found.
Plain language
This control is about making sure that any cyber attacks or suspicious activity in your organisation's computer systems are reported to the Australian Signals Directorate (ASD) as soon as you find out about them. This is important because quick reporting helps ASD provide guidance to limit damage and stop similar attacks from happening to anyone else.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Why it matters
Delayed reporting to ASD allows attackers to operate undetected, increasing damage and reducing the chance to mitigate further attacks.
Operational notes
Define incident triage and an ASD notification workflow so incidents are reported promptly with accurate, complete details.
Implementation tips
- The IT team should set up a process for detecting cyber security incidents. This can be done by using monitoring tools that alert staff when anomalies are detected.
- The IT manager should establish a clear incident reporting procedure. This involves creating a checklist of what needs to be reported and in what format to the ASD.
- The security officer should train staff on recognising and reporting incidents. Provide training sessions that cover what an incident looks like and whom to inform.
- System administrators should ensure communication channels with the ASD are streamlined. This involves having the correct contact details and communication protocols ready.
- The IT team should regularly review and test the incident reporting process. Conduct mock drills to ensure everyone knows what to do and can act quickly.
Audit / evidence tips
- AskIs there a defined process for reporting cyber incidents to ASD?
- GoodThe policy should clearly outline the steps and responsible persons for reporting incidents to ASD
- AskHow quickly are incidents typically reported to ASD?
- GoodIncident reports should show prompt reporting to ASD, ideally within a few hours of discovery
- AskHave staff been trained on incident recognition and reporting?
- GoodThere should be documentation of recent staff training sessions related to incident reporting and recognition
Cross-framework mappings
How E8-AH-ML2.17 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.26 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
| handshake Supports (2) expand_less | ||
| Annex A 5.5 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
| Annex A 6.8 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-0043 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
| handshake Supports (2) expand_less | ||
| ISM-0123 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
| ISM-0141 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
| link Related (1) expand_less | ||
| ISM-0140 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.