Report cyber security incidents to the Chief Information Security Officer promptly
Notify the Chief Information Security Officer quickly after discovering cyber attacks.
Plain language
This control is about making sure that any cyber attacks or suspicious activities are reported quickly to the person in charge of your organisation's cybersecurity. This is important because the sooner they know about a problem, the quicker they can act to fix it and protect your business from potential damage.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Why it matters
Delayed incident reporting can worsen damage, lead to missed regulatory deadlines, and hinder timely containment and remediation actions.
Operational notes
Define a 24/7 reporting path so incidents are notified to the CISO (or delegate) immediately on detection, with clear triggers, contacts, and required incident details.
Implementation tips
- The IT team should establish a clear process for reporting cyber incidents. This can be done by creating a simple online form or hotline that staff members can use when they notice anything suspicious.
- The Chief Information Security Officer (CISO) or their delegate should provide regular training to all employees about recognising cyber threats. This includes covering phishing emails and suspicious system behaviour.
- The IT department should implement a monitoring system for logging cybersecurity events. Use a system that can alert the team and the Chief Information Security Officer immediately when potential incidents occur.
- The security officer should schedule regular check-ins with department heads to ensure awareness of the incident reporting process. This is done through monthly meetings or newsletters.
Audit / evidence tips
- AskHow do employees report cybersecurity incidents?
- GoodEmployees report incidents through a clearly defined process, and all reports are logged promptly
- AskWhat training is provided to staff about cyber incident awareness?
- GoodRegular training sessions are held, and materials are available that cover how to recognise and report incidents
Cross-framework mappings
How E8-MF-ML2.10 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.26 | E8-MF-ML2.10 requires cyber security incidents to be reported to the Chief Information Security Officer (CISO) or delegates as soon as po... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-0142 | ISM-0142 requires organisations to report the compromise or suspected compromise of cryptographic equipment or associated keying material... | |
| sync_alt Partially overlaps (2) expand_less | ||
| ISM-0140 | E8-MF-ML2.10 requires cyber security incidents to be reported internally to the CISO (or delegate) as soon as possible after they occur o... | |
| ISM-1803 | ISM-1803 calls for an incident register capturing key incident details | |
| handshake Supports (1) expand_less | ||
| ISM-1478 | ISM-1478 requires the CISO to oversee the organisation’s cyber security program and ensure compliance with cyber security policy and asso... | |
| extension Depends on (2) expand_less | ||
| ISM-0043 | E8-MF-ML2.10 requires that incidents be reported promptly to the CISO (or delegate) | |
| ISM-0252 | E8-MF-ML2.10 requires prompt reporting of cyber security incidents to the CISO (or delegate) | |
| link Related (2) expand_less | ||
| ISM-0123 | E8-MF-ML2.10 requires cyber security incidents to be reported to the CISO or delegates as soon as possible after occurrence or discovery | |
| ISM-0733 | ISM-0733 requires that the CISO is fully aware of all cyber security incidents within their organisation | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.