Cyber incident response plan is enacted after identification
Activate the response plan immediately after identifying a cyber incident.
Plain language
This control is like having a pre-set plan of action for when a cyber attack happens. It's crucial because acting quickly can stop a problem from getting worse. Without it, a business could face greater damage or downtime if an attack happens and no one knows what to do next.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Why it matters
Delays in enacting an incident response plan can amplify damage, extend downtime and lead to loss of sensitive data.
Operational notes
Define explicit triggers for when a detected event becomes an identified cyber security incident, and empower the on-call lead to activate the IR plan immediately without waiting for further approval: notify stakeholders (including the CISO or delegate), and begin containment. Record the time of identification and the time the plan was enacted, so that any delay between the two is measurable and visible to reviewers.
Implementation tips
- The IT manager should develop a detailed cyber incident response plan, outlining specific actions to take in the event of a cyber attack.
- A security officer should ensure that all staff members are trained on their roles in the incident response plan, regularly conducting practice drills.
- The IT team should establish clear communication channels so that everyone knows who to contact immediately when a cyber incident is detected.
- System administrators should regularly review and update the incident response plan to include new threats or changes in technology.
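As an added illustration of the operational note and implementation tips above (this is not code from Control Stack or from ASD), the following Python sketch shows one way to make "identified, then enacted" auditable: a declared trigger catalogue decides when a confirmed alert becomes an identified incident, the plan is recorded as enacted once per incident (a later alert linked to the same incident does not reset the clock), and the time from identification to enactment is measured against a target. The trigger categories, the 15-minute target, the 24-hour linking window and the sample alerts are all assumptions constructed for the example.

```python
"""Trigger evaluation and IR-plan enactment evidence (added example; assumptions labelled)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# ASSUMED trigger catalogue: alert categories that count as an identified incident.
# Anything not listed stays an "event" for triage and does not enact the plan.
INCIDENT_TRIGGERS = {
    "malware_execution": "high",
    "unauthorised_access": "high",
    "data_exfiltration": "critical",
    "ransomware": "critical",
}
ENACTMENT_TARGET = timedelta(minutes=15)  # ASSUMED: plan enacted within 15 min of identification
LINK_WINDOW = timedelta(hours=24)         # ASSUMED: same-category alerts within 24 h join one incident


@dataclass
class Alert:
    alert_id: str
    category: str
    observed_at: datetime
    confirmed: bool  # analyst confirmed it is not a false positive


@dataclass
class Incident:
    incident_id: str
    category: str
    severity: str
    identified_at: datetime
    alert_ids: list = field(default_factory=list)
    enacted_at: Optional[datetime] = None
    notified: list = field(default_factory=list)

    def time_to_enact(self) -> Optional[timedelta]:
        return None if self.enacted_at is None else self.enacted_at - self.identified_at

    def within_target(self) -> bool:
        tte = self.time_to_enact()
        return tte is not None and tte <= ENACTMENT_TARGET


class IncidentRegister:
    def __init__(self) -> None:
        self.incidents: list = []

    def _open_incident_for(self, alert: Alert) -> Optional[Incident]:
        # Link to the most recent incident of the same category inside the window.
        for inc in reversed(self.incidents):
            if inc.category == alert.category and alert.observed_at - inc.identified_at <= LINK_WINDOW:
                return inc
        return None

    def identify(self, alert: Alert) -> Optional[Incident]:
        """Apply the trigger catalogue; return the incident the alert belongs to, or None."""
        if not alert.confirmed or alert.category not in INCIDENT_TRIGGERS:
            return None
        inc = self._open_incident_for(alert)
        if inc is None:
            inc = Incident(incident_id=f"INC-{len(self.incidents) + 1:04d}", category=alert.category,
                           severity=INCIDENT_TRIGGERS[alert.category], identified_at=alert.observed_at)
            self.incidents.append(inc)
        inc.alert_ids.append(alert.alert_id)
        return inc

    def enact_plan(self, incident: Incident, enacted_at: datetime, on_call_lead: str) -> Incident:
        """Record enactment exactly once; a second call must not reset the clock."""
        if incident.enacted_at is not None:
            return incident
        incident.enacted_at = enacted_at
        incident.notified = ["CISO (or delegate)", on_call_lead]
        return incident

    def evidence(self) -> list:
        """Rows an assessor can check: identification time, enactment delay, target met."""
        rows = []
        for inc in self.incidents:
            tte = inc.time_to_enact()
            rows.append({"incident": inc.incident_id, "severity": inc.severity, "alerts": len(inc.alert_ids),
                         "minutes_to_enact": None if tte is None else round(tte.total_seconds() / 60, 1),
                         "within_target": inc.within_target()})
        return rows


def build_sample_register() -> IncidentRegister:
    """Run CONSTRUCTED sample alerts through the register (not real events)."""
    def t(h: int, m: int) -> datetime:
        return datetime(2026, 3, 19, h, m, tzinfo=timezone.utc)
    reg = IncidentRegister()
    alerts = [
        Alert("A1", "phishing_report", t(9, 0), True),     # not a declared trigger: stays an event
        Alert("A2", "malware_execution", t(9, 5), False),  # unconfirmed: not yet an incident
        Alert("A3", "malware_execution", t(9, 10), True),  # opens INC-0001
        Alert("A4", "malware_execution", t(9, 40), True),  # linked to INC-0001; clock not reset
        Alert("A5", "data_exfiltration", t(13, 0), True),  # opens INC-0002
        Alert("A6", "ransomware", t(14, 0), True),         # opens INC-0003; plan never enacted
    ]
    enactments = {"INC-0001": t(9, 18), "INC-0002": t(13, 35)}  # INC-0003 deliberately absent
    for alert in alerts:
        inc = reg.identify(alert)
        if inc is not None and inc.incident_id in enactments:
            reg.enact_plan(inc, enactments[inc.incident_id], on_call_lead="on-call lead")
    return reg


if __name__ == "__main__":
    for row in build_sample_register().evidence():
        print(row)
```

The point of the sample data is the failure modes an assessor looks for: INC-0002 was enacted but 35 minutes late, and INC-0003 was identified and never enacted at all; both would show up in the evidence rows rather than being hidden by an "incident count" metric.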
Audit / evidence tips
- Ask: Can you describe the process for enacting the incident response plan once a cyber incident is identified?
- Good: A detailed incident response plan is accessible and has been recently reviewed and updated.
- Ask: How often do you conduct drills for the incident response plan?
- Good: Drills are conducted regularly, with records showing increased readiness and updated procedures.
Cross-framework mappings
How E8-AH-ML2.18 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.26 (Response to information security incidents) | Partially meets | E8-AH-ML2.18 requires that once a cyber security incident is identified, the organisation enacts (activates) its incident response plan |
| Annex A 5.24 (Information security incident management planning and preparation) | Depends on | E8-AH-ML2.18 requires that once an incident is identified, the organisation enacts its incident response plan |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-0123 | Supports | ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are discovered |
| ISM-1618 | Supports | ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents |
| ISM-0043 | Depends on | E8-AH-ML2.18 requires that the organisation enacts the cyber security incident response plan immediately after identifying an incident |
| ISM-0576 | Depends on | E8-AH-ML2.18 requires that the incident response plan is enacted following identification of a cyber security incident |
| ISM-1819 | Related | E8-AH-ML2.18 requires that following identification of a cyber security incident, the cyber security incident response plan is enacted |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.