Cybersecurity incident response plan enacted after incident identification
Activate the response plan immediately once a cyber incident is detected.
Plain language
This control is about having a plan ready to respond to cyber incidents as soon as they're detected. It matters because quick action can reduce damage from attacks, limit downtime, and protect sensitive information from being misused.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Why it matters
Delays in enacting the incident response plan after an incident is identified can worsen breaches, slow recovery, and increase damage.
Operational notes
Define who can declare an incident and trigger the response plan; practise activation regularly so containment and communications start immediately.
Implementation tips
- Security officer should ensure there is a clear incident response plan in place by developing a document that details roles, responsibilities, and step-by-step actions following a cyber incident.
- IT team should regularly update the incident response plan by reviewing it quarterly and making necessary changes to reflect new threats or organisational changes.
- System administrator should test the incident response plan by conducting simulated incident scenarios to ensure staff know their roles and responsibilities.
- Management should communicate the incident response plan to all staff by organising training sessions to familiarise employees with the procedures and steps involved.
- Security officer should coordinate a review after a real or simulated incident by gathering input from all involved to identify areas of improvement.
Audit / evidence tips
- Ask: Does the organisation have a documented incident response plan?
  - Good: The organisation provides a current incident response plan that outlines roles, responsibilities, and specific incident management procedures.
- Ask: How often is the incident response plan tested?
  - Good: The organisation conducts regular tests of the incident response plan, with documented results and evidence of improvements made thereafter.
Cross-framework mappings
How E8-MF-ML2.12 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.29 | Annex A 5.29 requires planning to maintain information security during disruptions | |
| Depends on (2) | | |
| Annex A 5.24 | E8-MF-ML2.12 requires the organisation to enact its incident response plan once a cyber incident is identified | |
| Annex A 5.25 | E8-MF-ML2.12 requires enacting the incident response plan after a cyber security incident is identified | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-1019 | ISM-1019 requires an organisation to develop, implement and maintain a DoS response plan specifically for video conferencing and IP telep... | |
| ISM-1805 | ISM-1805 requires a denial-of-service (DoS) response plan specifically for video conferencing and IP telephony, including identification,... | |
| Partially overlaps (1) | | |
| ISM-1618 | E8-MF-ML2.12 requires the organisation to activate its cyber security incident response plan immediately after a cyber incident is identi... | |
| Supports (3) | | |
| ISM-0123 | ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) after occurrence or discovery | |
| ISM-0733 | E8-MF-ML2.12 requires enacting the incident response plan after identification of a cyber incident | |
| ISM-1784 | E8-MF-ML2.12 requires the organisation to enact its incident response plan once an incident is identified | |
| Depends on (2) | | |
| ISM-0043 | E8-MF-ML2.12 requires that following identification of a cyber security incident, the incident response plan is enacted | |
| ISM-0576 | E8-MF-ML2.12 requires enacting the incident response plan after identifying a cyber incident | |
| Related (1) | | |
| ISM-1819 | E8-MF-ML2.12 requires that once a cyber security incident is identified, the organisation enacts (activates) its cyber security incident ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.