E8-AH-ML2.17 ASD Essential Eight

Report cyber security incidents to ASD promptly

Report cyber security incidents to ASD as soon as they're found.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Responsive

🛠️ E8 mitigation strategy

Application hardening

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

ML2

Official control statement
Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.

Source: ASD Essential Eight

Plain language

This control is about making sure that any cyber attacks or suspicious activity in your organisation's computer systems are reported to the Australian Signals Directorate (ASD) as soon as you find out about them. This is important because quick reporting helps ASD provide guidance to limit damage and stop similar attacks from happening to anyone else.

Why it matters

Delayed reporting to ASD allows attackers to operate undetected, increasing damage and reducing the chance to mitigate further attacks.

Operational notes

Define incident triage and an ASD notification workflow so incidents are reported promptly with accurate, complete details.

Implementation tips

  • The IT team should set up a process for detecting cyber security incidents. This can be done by using monitoring tools that alert staff when anomalies are detected.
  • The IT manager should establish a clear incident reporting procedure. This involves creating a checklist of what needs to be reported and in what format to the ASD.
  • The security officer should train staff on recognising and reporting incidents. Provide training sessions that cover what an incident looks like and whom to inform.
  • System administrators should ensure communication channels with the ASD are streamlined. This involves having the correct contact details and communication protocols ready.
  • The IT team should regularly review and test the incident reporting process. Conduct mock drills to ensure everyone knows what to do and can act quickly.

Audit / evidence tips

  • Ask: Is there a defined process for reporting cyber incidents to ASD?

  • Good: The policy should clearly outline the steps and responsible persons for reporting incidents to ASD

  • Ask: How quickly are incidents typically reported to ASD?

  • Good: Incident reports should show prompt reporting to ASD, ideally within a few hours of discovery

  • Ask: Have staff been trained on incident recognition and reporting?

  • Good: There should be documentation of recent staff training sessions related to incident reporting and recognition

Cross-framework mappings

How E8-AH-ML2.17 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
  • Annex A 5.26: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
Supports (2)
  • Annex A 5.5: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
  • Annex A 6.8: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered

ASD ISM

Partially meets (1)
  • ISM-0043: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
Supports (2)
  • ISM-0123: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
  • ISM-0141: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
Related (1)
  • ISM-0140: E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
