Timely analysis of cyber security events to identify incidents
Quickly review cyber events to spot security incidents.
Plain language
This control is about quickly looking at the data from cyber security systems to find signs of a problem. It's like checking security camera footage soon after it's recorded so you can spot any break-ins. Without this, small security issues might grow into big ones before anyone notices.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Why it matters
Without timely event analysis, incidents may go unnoticed, resulting in delayed responses and increased damage from threats.
Operational notes
Ensure cyber events are reviewed within defined SLAs and suspect patterns are escalated promptly to prevent incident escalation.
Implementation tips
- The IT team should regularly review system alerts to detect any unusual activity. This can be done by setting up a schedule to check alerts at least daily.
- Security officers should establish a process for investigating alerts. They can do this by creating an incident response plan that outlines the steps to follow when an alert is deemed suspicious.
- The system administrator should ensure that logs are centralised in one system for easier access. They can accomplish this by configuring log management software to collect logs from all critical systems.
- The security team should train staff on recognising suspicious activity and responding appropriately. This training should include practical exercises to help staff understand what to look for and how to report it.
Audit / evidence tips
- AskHow quickly are cybersecurity events reviewed? GoodDocuments show daily reviews of logs and incidents are logged within hours of detection
- AskWhat process is in place to confirm that investigations occur after alerts? GoodInvestigation logs confirm each alert is reviewed, with details of the response actions taken
- AskIs log data centralised? GoodSystem settings show logs are collected from all critical areas and accessible from a single platform
Cross-framework mappings
How E8-RA-ML2.10 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 5.25 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| Annex A 8.16 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| handshake Supports (1) expand_less | ||
| Annex A 8.17 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| ISM-1906 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| ISM-1907 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| ISM-1961 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| ISM-1986 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| handshake Supports (3) expand_less | ||
| ISM-1526 | ISM-1526 requires system owners to monitor systems and associated cyber threats and risks on an ongoing basis | |
| ISM-1960 | ISM-1960 supports E8-RA-ML2.10 by ensuring timely review of perimeter events | |
| ISM-1987 | E8-RA-ML2.10 requires timely analysis of cyber security events to determine whether they constitute incidents | |
| link Related (1) expand_less | ||
| ISM-1228 | ISM-1228 requires timely analysis of cyber security events to determine whether they constitute incidents | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.