E8-RA-ML2.13 ASD Essential Eight

Enact cyber incident response plan after an incident is identified

Start the response plan immediately after a cyber incident is detected.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Responsive

🛠️ E8 mitigation strategy

Restrict administrative privileges

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML2

Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

Source: ASD Essential Eight

Plain language

If your business experiences a cyber incident, you need to act fast by following a pre-made plan. Without this immediate response, the damage from the incident could worsen, impacting your operations and reputation.

Why it matters

If the incident response plan isn’t enacted immediately after an incident is identified, containment is delayed, increasing spread, downtime, data loss and recovery cost.

Operational notes

Define clear activation triggers (e.g., confirmed compromise), who can declare an incident, and the first-hour actions (containment, comms, escalation) to enact the plan fast.

Implementation tips

  • The IT team should create a detailed incident response plan by identifying key contacts, steps to take, and resources needed for different types of cyber incidents.
  • The security officer should ensure everyone involved knows their role in the plan by organising regular training and drills.
  • The system administrator should keep the incident response plan updated by reviewing it quarterly and after any significant changes in technology or structure.
  • Business leaders should support the response plan by ensuring everyone has the necessary tools and authority to act quickly when an incident occurs.

Audit / evidence tips

  • Ask: Does the organisation have a formal cyber incident response plan in place?

  • Good: The organisation should have a comprehensive response plan that is regularly reviewed and tested, with evidence of training and drills.

Cross-framework mappings

How E8-RA-ML2.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Depends on (1)
  • Annex A 5.24: E8-RA-ML2.13 requires enacting the incident response plan once an incident is identified

ASD ISM

Partially meets (1)
  • ISM-1019: ISM-1019 creates a DoS response plan for video conferencing and IP telephony services

Supports (3)
  • ISM-0123: ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) after they occur or are discovered
  • ISM-0125: ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents
  • ISM-1618: ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents

Depends on (2)
  • ISM-0043: E8-RA-ML2.13 requires enacting the cyber security incident response plan after an incident is identified
  • ISM-0576: E8-RA-ML2.13 requires the organisation to enact the cyber incident response plan immediately after an incident is identified

Related (1)
  • ISM-1819: E8-RA-ML2.13 requires that once a cyber security incident is identified, the organisation enacts its cyber security incident response plan
