Report Cyber Security Incidents Promptly
Inform the chief information security officer quickly after any cyber incident is found.
Plain language
When a cyber security problem is spotted, you need to tell the head of IT security about it right away. This is crucial because if you wait too long, the problem could grow, potentially leading to sensitive data being stolen or your systems being shut down.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for cyber security incidents
Official control statement
Cyber security incidents are reported to the chief information security officer, or one of their delegates, as soon as possible after they occur or are discovered.
Why it matters
Delayed reporting of cyber incidents can lead to prolonged exposure, escalating damage, and increased data breach costs for the organisation.
Operational notes
Define incident triggers and timeframes, and ensure staff can report to the CISO or delegates 24/7 via a monitored channel with escalation paths and contact details.
Implementation tips
- Designate a primary point of contact: The office manager should assign a specific person or a team to be responsible for identifying and reporting any cyber security incidents. Ensure this person knows how to spot unusual activity and how to alert the chief information security officer quickly.
- Create a reporting procedure: The IT team should develop a clear and simple guide that explains the steps to take when an incident is noticed. This should include who to contact and how to contact them, such as by phone, email, or an incident reporting tool.
- Conduct regular training: The HR department should organise regular training sessions for all staff to understand what constitutes a cyber security incident and how to report it. Use simple examples and role-playing to make the training engaging and memorable.
- Set up an incident response channel: The IT department should establish a dedicated communication channel, like a specific email or chat group, where incidents can be reported immediately. Make sure all employees know about this channel and how to access it.
- Review and update incident response plans: The security team should periodically revisit the incident response plan to ensure it includes updated contact information and reflects any changes in personnel or technology. Schedule these reviews at least annually and after any major cyber incident.
Audit / evidence tips
- Ask: the incident reporting procedure document: Request to see the written procedures employees should follow when reporting incidents
  Good: includes clear steps, relevant contacts, and is easily understood by non-technical staff
- Good: is a clear explanation that matches the documented procedure
- Ask: to see how the dedicated communication channel for incident reporting is structured
  Good: is active, used regularly and known to staff
- Good: involves interactive elements and practical examples that make the process memorable
- Ask: records or logs of past incident reports submitted
  Good: shows prompt reporting, consistent with the established procedure
Cross-framework mappings
How ISM-0123 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.24 | ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are discovered | |
| Partially overlaps (1) | | |
| Annex A 6.8 | Annex A 6.8 requires defined channels and mechanisms for personnel and relevant parties to promptly report security events and suspected ... | |
| Supports (1) | | |
| Annex A 5.26 | Annex A 5.26 requires incident response to follow documented procedures, which include internal notification and escalation steps | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Supports (4) | | |
| Related (4) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.