Cybersecurity events are analysed to identify incidents timely
Timely analyse cybersecurity events to identify incidents quickly.
Plain language
This control is about quickly looking at suspicious online activities to find any problems or attacks. By doing this quickly, you can stop bad things like hackers stealing data or damaging systems before they cause too much harm.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 May 2026
E8 maturity levels
ML2
Official control statement
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Why it matters
Delayed analysis of cyber security events can miss incidents, prolong attacker access, and increase data loss, system damage and recovery costs.
Operational notes
Monitor logs continuously and triage alerts within defined SLAs; correlate events and escalate suspected incidents promptly for investigation.
Implementation tips
- IT Team: Set up systems to automatically collect logs from all your internet-facing servers. Use software that can track activity like login attempts and data access.
- Security Officer: Regularly check these logs to spot unusual patterns, like repeated failed login attempts or accessing data at odd hours. Use software that highlights suspicious activity.
- System Administrator: Ensure that log files are protected. Set permissions so that only authorised personnel can view or change them to prevent tampering.
- IT Team: Use alerts to notify the security team immediately when potential incidents are detected. This could involve setting thresholds for certain activities that, when exceeded, trigger an alert.
Audit / evidence tips
- AskHow are logs from internet-facing servers collected and managed?
- GoodLogs are automatically collected, securely stored, and reviewed regularly for signs of incidents
- AskHow quickly are cybersecurity events analysed?
- GoodThe organisation analyses events within hours of occurrence and has evidence of timely identification of incidents
- AskWhat measures are in place to protect log integrity?
- GoodLog files have restricted access and any changes are logged and monitored
Cross-framework mappings
How E8-MF-ML2.9 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| Annex A 5.7 | Annex A 5.7 requires organisations to collect and analyse information about information security threats to produce actionable threat int... | |
| Annex A 5.25 | E8-MF-ML2.9 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| Annex A 8.16 | E8-MF-ML2.9 requires cyber security events to be analysed in a timely manner to identify incidents | |
| handshake Supports (1) expand_less | ||
| Annex A 8.15 | E8-MF-ML2.9 requires cyber security events to be analysed in a timely manner to identify incidents | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-2089 | ISM-2089 requires organisations to monitor AI model performance metrics and investigate anomalies | |
| handshake Supports (1) expand_less | ||
| ISM-1526 | ISM-1526 requires system owners to continuously monitor each system’s security and manage associated threats, risks and controls within d... | |
| extension Depends on (1) expand_less | ||
| ISM-1906 | E8-MF-ML2.9 requires timely analysis of cyber security events to identify incidents | |
| link Related (6) expand_less | ||
| ISM-1228 | E8-MF-ML2.9 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| ISM-1907 | E8-MF-ML2.9 requires timely analysis of cyber security events to identify incidents | |
| ISM-1960 | E8-MF-ML2.9 requires timely analysis of cybersecurity events to identify incidents | |
| ISM-1961 | E8-MF-ML2.9 requires cyber security events to be analysed promptly to identify incidents | |
| ISM-1986 | E8-MF-ML2.9 requires timely analysis of cyber security events to identify incidents | |
| ISM-1987 | E8-MF-ML2.9 requires timely analysis of cyber security events to identify incidents | |
ISO 42001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 6.2.6 | Annex A 6.2.6 requires documented processes for ongoing operation of an AI system, including system/performance monitoring and support | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.