Report cyber incidents to the CISO promptly
Report security incidents to the security officer quickly after finding them.
Plain language
This control means that whenever there's a suspected cyber security incident, such as a data breach or hacking attempt, it needs to be reported to the Chief Information Security Officer (CISO) or their delegate immediately. This matters because quick reporting allows the organisation to respond swiftly, minimising potential damage and costs.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Why it matters
Failure to promptly report incidents to the CISO can delay crisis management, worsening data breaches and increasing recovery costs.
Operational notes
Escalate suspected cyber security incidents to the CISO (or delegate) via the defined process immediately upon discovery, and record time and details.
Implementation tips
- Security Officer: Ensure all staff know who the CISO or their delegate is so they can report incidents quickly.
- IT Team: Set up a clear and simple procedure for staff to report security incidents, such as a dedicated phone line or email address.
- System Administrator: Regularly review and test the incident reporting procedure to make sure it’s efficient and easy to use.
- Business Manager: Include a basic overview of what constitutes a cyber incident in staff training sessions so everyone has a clear understanding.
Audit / evidence tips
- Ask: How are staff trained to recognise and report cybersecurity incidents?
- Good: Shows regular and comprehensive training sessions have been conducted and documented
- Ask: Is there a procedure in place for reporting incidents to the CISO promptly?
- Good: The procedure is documented, accessible, and includes clear steps and contact information
Cross-framework mappings
How E8-RA-ML2.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.24 | E8-RA-ML2.11 calls for prompt incident reporting to the CISO (or delegate) | |
| Annex A 6.8 | E8-RA-ML2.11 requires prompt incident escalation to the CISO (or delegate) | |
| Supports (2) | | |
| Annex A 5.23 | Annex A 5.23 requires lessons from incidents to be used to improve security controls | |
| Annex A 5.26 | E8-RA-ML2.11 requires incidents to be reported to the CISO promptly for governance | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| ISM-0043 | E8-RA-ML2.11 requires prompt incident reporting to the CISO (or delegate) | |
| ISM-0142 | ISM-0142 requires organisations to report the compromise or suspected compromise of cryptographic equipment or associated keying material... | |
| ISM-0576 | E8-RA-ML2.11 requires reporting cyber incidents to the CISO promptly | |
| Partially overlaps (5) | | |
| ISM-0140 | E8-RA-ML2.11 requires cyber security incidents to be reported promptly to the CISO (or delegate) after they occur or are discovered | |
| ISM-0141 | E8-RA-ML2.11 requires prompt reporting of cyber incidents to the CISO (or delegate) when incidents occur or are discovered | |
| ISM-0733 | E8-RA-ML2.11 requires cyber security incidents to be reported to the CISO (or delegate) promptly | |
| ISM-1088 | ISM-1088 requires personnel to rapidly report potential compromise of mobile devices, removable media, or credentials, particularly in ov... | |
| ISM-1803 | E8-RA-ML2.11 focuses on timely reporting of incidents to the CISO (or delegate) | |
| Supports (1) | | |
| ISM-1478 | ISM-1478 requires the CISO to oversee the cyber security program and ensure compliance with cyber security policy and related obligations | |
| Depends on (1) | | |
| ISM-1618 | ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents | |
| Related (1) | | |
| ISM-0123 | E8-RA-ML2.11 requires cyber security incidents to be reported to the CISO (or delegate) | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.