Enact cyber incident response plan after an incident is identified
Start the response plan immediately after a cyber incident is detected.
Plain language
If your business experiences a cyber incident, you need to act fast by following a pre-made plan. Without this immediate response, the damage from the incident could worsen, impacting your operations and reputation.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Why it matters
If the incident response plan isn’t enacted immediately after an incident is identified, containment is delayed, increasing spread, downtime, data loss and recovery cost.
Operational notes
Define clear activation triggers (e.g., confirmed compromise), who can declare an incident, and the first-hour actions (containment, comms, escalation) to enact the plan fast.
Implementation tips
- The IT team should create a detailed incident response plan by identifying key contacts, steps to take, and resources needed for different types of cyber incidents.
- The security officer should ensure everyone involved knows their role in the plan by organising regular training and drills.
- The system administrator should keep the incident response plan updated by reviewing it quarterly and after any significant changes in technology or structure.
- Business leaders should support the response plan by ensuring everyone has the necessary tools and authority to act quickly when an incident occurs.
Audit / evidence tips
- Ask: Does the organisation have a formal cyber incident response plan in place?
- Good: The organisation should have a comprehensive response plan that is regularly reviewed and tested, with evidence of training and drills.
Cross-framework mappings
How E8-RA-ML2.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Depends on (1) | | |
| Annex A 5.24 | E8-RA-ML2.13 requires enacting the incident response plan once an incident is identified | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1019 | ISM-1019 creates a DoS response plan for video conferencing and IP telephony services | |
| Supports (3) | | |
| ISM-0123 | ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) after they occur or are discovered | |
| ISM-0125 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| ISM-1618 | ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents | |
| Depends on (2) | | |
| ISM-0043 | E8-RA-ML2.13 requires enacting the cyber security incident response plan after an incident is identified | |
| ISM-0576 | E8-RA-ML2.13 requires the organisation to enact the cyber incident response plan immediately after an incident is identified | |
| Related (1) | | |
| ISM-1819 | E8-RA-ML2.13 requires that once a cyber security incident is identified, the organisation enacts its cyber security incident response plan | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.