Responding to Data Spills by Restricting Access
When a data spill occurs, notify the data owner and limit access to protect information.
Plain language
Imagine one of your staff accidentally sends confidential customer details to the wrong email list. This is a data spill. It's crucial to act fast by telling the person in charge of that information and restricting who can see it. If you don't, more people might see the confidential data, which can lead to privacy breaches and loss of trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
When a data spill occurs, data owners are advised and access to the data is restricted.
Why it matters
If access isn’t promptly restricted and data owners advised after a data spill, unauthorised disclosure may occur, increasing impact and undermining trust.
Operational notes
On a data spill, immediately advise data owners and restrict access to affected data; review access logs and confirm restrictions remain until containment is complete.
Implementation tips
- Data Owners should be promptly notified: As soon as a data spill is detected, the person who manages the affected information should be informed immediately. This can be done through a quick phone call or an email marked as urgent.
- IT Team should restrict access: The IT staff need to limit who can access the spilled data to prevent further exposure. They can do this by removing access privileges to the affected files or folders in the system as soon as possible.
- Managers need to inform affected parties: The manager must notify any parties whose data might have been compromised. This should be done transparently and swiftly, explaining what data was affected and what steps are being taken to address the situation.
- HR should provide guidance: The HR department should offer support and guidance to the employee involved in the spill, ensuring they understand what went wrong and how to avoid similar incidents in the future.
- Procurement should review third-party agreements: If the data spill involves information shared with outside partners, the procurement team should check existing agreements to ensure there's a clear protocol for handling such incidents, including any notification requirements.
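The "IT Team should restrict access" step above is the one that lends itself to a concrete check. The following is an added example, not part of the Control Stack page or the ISM: a hypothetical helper that removes group and other permissions from every file under a spill location, records who handled it and which data owner was notified (so the incident log the audit tips ask for can be produced), and a recheck that reports anything granting access again during containment. It assumes POSIX file permissions are the access mechanism; the sample files are constructed inside a temporary directory.

```python
import json
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def restrict_spill_path(spill_root: Path, handler: str, data_owner: str) -> dict:
    """Restrict spill_root and everything under it to the owning account only,
    and return an incident record of what was done (hypothetical helper)."""
    restricted = []
    # Materialise the listing first so directory permission changes do not
    # disturb the walk; sorted order puts each directory before its contents.
    for path in sorted(spill_root.rglob("*")):
        if stat.S_ISDIR(path.stat().st_mode):
            path.chmod(stat.S_IRWXU)                  # owner-only rwx on directories
        else:
            path.chmod(stat.S_IRUSR | stat.S_IWUSR)   # owner-only rw on files
        restricted.append(str(path.relative_to(spill_root)))
    spill_root.chmod(stat.S_IRWXU)
    return {
        "identified_at": datetime.now(timezone.utc).isoformat(),
        "data_owner_notified": data_owner,
        "handled_by": handler,
        "restricted_paths": restricted,
    }


def verify_restricted(spill_root: Path) -> list[str]:
    """Return every path under spill_root that still grants group or other
    access; run this repeatedly until containment is declared complete."""
    unrestricted = []
    for path in [spill_root, *spill_root.rglob("*")]:
        if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            unrestricted.append(str(path))
    return unrestricted


def build_sample_spill(root: Path) -> None:
    """Constructed sample: a world-readable export folder and two files."""
    (root / "customers.csv").write_text("id,name\n1,constructed sample\n")
    (root / "customers.csv").chmod(0o644)
    sub = root / "exports"
    sub.mkdir()
    sub.chmod(0o755)
    (sub / "list.txt").write_text("constructed sample data\n")
    (sub / "list.txt").chmod(0o664)


def demo_spill_response() -> dict:
    """Run the restrict / verify / recheck cycle on the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "spill"
        root.mkdir()
        root.chmod(0o755)
        build_sample_spill(root)
        before = verify_restricted(root)
        record = restrict_spill_path(root, handler="it-oncall", data_owner="records-owner")
        after = verify_restricted(root)
        # Simulate access being re-granted mid-containment; the recheck must catch it.
        (root / "customers.csv").chmod(0o644)
        recheck = verify_restricted(root)
        return {
            "before": len(before),
            "after": after,
            "recheck": [Path(p).name for p in recheck],
            "record": record,
        }


if __name__ == "__main__":
    print(json.dumps(demo_spill_response(), indent=2))
```

The returned record is deliberately the minimum the audit tips call for (when the spill was identified, who was notified, what was restricted); in practice it would be appended to the incident response log, and `verify_restricted` would be scheduled to run until containment is closed.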
Audit / evidence tips
- Ask: incident response logs. Request a report detailing when the data spill was identified, who was notified, and what immediate actions were taken.
  Good: a detailed log showing swift notification to all relevant parties.
- Good: shows prompt and appropriate restriction of access to affected data.
- Ask: how the team handles data spills and verifies restricted access.
  Good: shows they understand protocol steps and can cite past incident handling.
- Good: includes prompt, transparent communication detailing the incident and impact.
- Good: contains clear procedural guidelines and vendor obligations.
Cross-framework mappings
How ISM-0133 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.3 | Annex A 8.3 requires organisations to restrict access to information and associated assets in accordance with an access control policy |
| Supports | Annex A 5.18 | ISM-0133 requires advising the data owner and restricting access to the affected data as part of data spill response |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML3.1 | ISM-0133 requires notifying the data owner and restricting access to data when a data spill occurs to contain further unauthorised exposure |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.