Maintaining a Cyber Security Incident Register
Create and keep a log of any cyber security incidents that occur.
Plain language
A cyber security incident register is like a diary where you write down any security mishaps that happen in your business, like a data breach or a suspicious email. This is important because if you don't keep track, you might not notice patterns or recurring problems, which could make your organisation vulnerable to future attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
A cyber security incident register is developed, implemented and maintained.
Why it matters
Without a maintained cyber security incident register, recurring incidents can be missed, trends go unrecognised and response times increase.
Operational notes
Maintain a central incident register: record date/time, impact, indicators, actions and closure; review regularly to identify trends and improve response.
Implementation tips
- The office manager should create a simple spreadsheet to record cyber incidents. Include columns for the date, time, description of the incident, what was affected, and how it was resolved.
- The IT team should regularly update the incident register. Each time an incident occurs, they should add a new entry as soon as possible after the incident is managed.
- Managers should ensure staff know how to report incidents. They can conduct short training sessions, explaining what counts as an incident and showing how to use the register or notify the IT team.
- Look at repeated incidents or new patterns and discuss these with the IT team to improve security measures.
- The board or school principal should receive a summary report quarterly. The office manager can prepare a brief overview of the incidents and preventive measures taken, presenting it during a meeting.
Audit / evidence tips
- Ask: the latest version of the cyber security incident register. Request the actual document or file where incidents are recorded.
  Good: register is up-to-date, with clear and comprehensive information for each incident.
- Ask: several team members how they report a cyber incident.
  Good: shows staff are aware and comfortable with the reporting process.
- Good: process is easy to follow, ensuring reliable data entry.
- Ask: training materials or schedules that show staff were trained on incident reporting. Ensure the sessions cover critical aspects of recognising and reporting incidents.
  Good: record shows comprehensive and regular training.
Cross-framework mappings
How ISM-0125 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.24 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| Partially overlaps (1) | | |
| Annex A 6.8 | Annex A 6.8 requires mechanisms and defined channels for prompt reporting of security events and suspected weaknesses | |
| Supports (1) | | |
| Annex A 5.27 | Annex A 5.27 requires that knowledge gained from information security incidents is used to strengthen and improve information security co... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| E8-AC-ML2.9 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| E8-RA-ML2.13 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents | |
| E8-AH-ML2.16 | E8-AH-ML2.16 requires immediate reporting of cyber security incidents to the CISO (or delegate) | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.