Report cybersecurity incidents to ASD immediately
Notify ASD quickly when a cybersecurity incident occurs or is discovered.
Plain language
This control is about reporting any cybersecurity incidents to the Australian Signals Directorate (ASD) as soon as you find out about them. It's important because a delay in reporting could allow a cyber attack to cause more damage and affect more people.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Why it matters
Delayed reporting to ASD can worsen an incident, extending attacker dwell time, increasing damage, and raising national security and reputational risk.
Operational notes
Report suspected or confirmed incidents to ASD as soon as possible via approved channels; train staff on reporting triggers and keep contact details, templates and IR playbooks current.
Implementation tips
- The IT team should set up a clear process for identifying cybersecurity incidents. This can involve installing security software that alerts them to unusual activities.
- The security officer should ensure all staff know how to recognise and report a cybersecurity incident. This can be done through regular training sessions and clear instructions on whom to contact.
- The system administrator should maintain an incident log that includes details of what happened and when it was reported. This log can be a spreadsheet or a database designed for tracking incidents.
- The security manager should develop a relationship with ASD representatives. This can include setting up regular check-in meetings to discuss cybersecurity concerns and ensure reporting procedures are understood.
- The cybersecurity officer should create a contact list with phone numbers and email addresses for reporting incidents to ASD. Distribute this list to key personnel in the organisation.
Audit / evidence tips
- Ask: How does the organisation ensure incidents are reported to ASD promptly?
- Good: The response plan includes a step to notify ASD, and there's a log showing incidents were reported promptly with timestamps.
- Ask: What training is in place to teach staff how to recognise and report incidents?
- Good: Training records show sessions were held regularly, and materials cover how to report incidents to ASD.
Cross-framework mappings
How E8-MF-ML2.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 6.8 | Annex A 6.8 requires the organisation to provide defined channels so personnel and relevant parties can promptly report security events a... |
| Supports | Annex A 5.5 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Depends on | Annex A 5.25 | E8-MF-ML2.11 requires reporting cyber security incidents to ASD as soon as possible after occurrence or discovery |
| Related | Annex A 5.24 | E8-MF-ML2.11 requires timely reporting of cyber security incidents to ASD after occurrence or discovery |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-0043 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Partially overlaps | ISM-0123 | E8-MF-ML2.11 requires prompt external reporting of cyber security incidents to ASD |
| Partially overlaps | ISM-0141 | E8-MF-ML2.11 requires organisations to report cyber security incidents to ASD as soon as possible after they occur or are discovered |
| Partially overlaps | ISM-0142 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Depends on | ISM-1228 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Related | ISM-0140 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.