ISM-0123 policy ASD Information Security Manual (ISM)

Report Cyber Security Incidents Promptly

Inform the chief information security officer quickly after any cyber incident is found.

Responsive ML2 ML3 NC OS P ASD Information Security ManualGuidelines for cyber security incidents incident reporting incident management

record_voice_over

Plain language

When a cyber security problem is spotted, you need to tell the head of IT security about it right away. This is crucial because if you wait too long, the problem could grow, potentially stealing sensitive data or shutting down your systems.

01 - Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

May 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Guideline

Guidelines for cyber security incidents

Section

Managing cyber security incidents

Topic

Reporting Cyber Security Incidents

Official control statement

Cyber security incidents are reported to the chief information security officer, or one of their delegates, as soon as possible after they occur or are discovered.

policy ASD Information Security Manual (ISM) ISM-0123

priority_high

Why it matters

Delayed reporting of cyber incidents can lead to prolonged exposure, escalating damage, and increased data breach costs for the organisation.

settings

Operational notes

Define incident triggers and timeframes, and ensure staff can report to the CISO or delegates 24/7 via a monitored channel with escalation paths and contact details.

02 - Implement

build

Implementation tips

Designate a primary point of contact: The office manager should assign a specific person or a team to be responsible for identifying and reporting any cyber security incidents. Ensure this person knows how to spot unusual activity and how to alert the chief information security officer quickly.
Create a reporting procedure: The IT team should develop a clear and simple guide that explains the steps to take when an incident is noticed. This should include who to contact and how to contact them, such as by phone, email, or an incident reporting tool.
Conduct regular training: The HR department should organise regular training sessions for all staff to understand what constitutes a cyber security incident and how to report it. Use simple examples and role-playing to make the training engaging and memorable.
Set up an incident response channel: The IT department should establish a dedicated communication channel, like a specific email or chat group, where incidents can be reported immediately. Make sure all employees know about this channel and how to access it.
Review and update incident response plans: The security team should periodically revisit the incident response plan to ensure it includes updated contact information and reflects any changes in personnel or technology. Schedule these reviews at least annually and after any major cyber incident.

03 - Audit

fact_check

Audit / evidence tips

AskThe incident reporting procedure document: Request to see the written procedures employees should follow when reporting incidents GoodIncludes clear steps, relevant contacts, and is easily understood by non-technical staff
GoodIs a clear explanation that matches the documented procedure
AskTo see how the dedicated communication channel for incident reporting is structured GoodIs active, used regularly and known to staff
GoodInvolves interactive elements and practical examples that make the process memorable
AskRecords or logs of past incident reports submitted GoodShows prompt reporting, consistent with the established procedure

04 - Mappings

link

Cross-framework mappings

How ISM-0123 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
layers Partially meets (1) expand_less
Annex A 5.24	ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are discovered
sync_alt Partially overlaps (1) expand_less
Annex A 6.8	Annex A 6.8 requires defined channels and mechanisms for personnel and relevant parties to promptly report security events and suspected ...
handshake Supports (1) expand_less
Annex A 5.26	Annex A 5.26 requires incident response to follow documented procedures, which include internal notification and escalation steps

E8

Control	Notes	Details
sync_alt Partially overlaps (2) expand_less

E8-MF-ML2.11	E8-MF-ML2.11 requires prompt external reporting of cyber security incidents to ASD

E8-RA-ML2.12	E8-RA-ML2.12 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
handshake Supports (4) expand_less

E8-AH-ML2.17	E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered
E8-AH-ML2.18	ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are discovered

E8-MF-ML2.12	ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) after occurrence or discovery

E8-RA-ML2.13	ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) after they occur or are discovered
link Related (4) expand_less

E8-AC-ML2.9	ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after occurrence or discovery

E8-AH-ML2.16	E8-AH-ML2.16 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are disco...

E8-MF-ML2.10	E8-MF-ML2.10 requires cyber security incidents to be reported to the CISO or delegates as soon as possible after occurrence or discovery

E8-RA-ML2.11	ISM-0123 requires prompt reporting of cyber security incidents to the CISO (or delegate) upon occurrence or discovery

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.