Report Cyber Incidents Promptly to Designated Contacts
Service providers must report cyber incidents quickly to a specified contact as part of their contract.
Plain language
This control means that if a company providing you service experiences any cyber incidents, they must let you know right away. It's important because if they don't, unidentified issues could spread, harming your business, damaging your reputation, or leading to data breaches.
Framework: ASD Information Security Manual (ISM)
Control effect: Responsive
Classifications: NC, OS, P, S, TS
ISM last updated: Nov 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.
Why it matters
Delayed incident reporting by service providers can lead to unchecked breaches, escalating damage and costs, and reputation loss due to incomplete response efforts.
Operational notes
Include incident reporting timeframes and a designated contact in service contracts. Exercise reporting channels with providers to confirm prompt notification.
Implementation tips
- Procurement team should ensure contracts include reporting requirements: Make sure any contract with a service provider clearly states that they must report any cyber incidents as soon as they happen. Include the specific contact person on your team who should be notified.
- IT manager should establish a standard reporting process: Set up a simple, clear procedure that service providers should follow to report incidents. Provide them with a phone number or email address that is monitored regularly.
- Business owner should review incident response timelines: Meet with your service provider to agree on a timeline for reporting incidents—from discovery to notification. Document these in the contract to hold each party accountable.
- HR or training officer should educate relevant staff: Conduct a workshop to ensure key staff understand what constitutes a reportable incident and who in your organisation should respond and follow up.
- Compliance officer should set up regular check-ins: Schedule regular meetings with service providers to discuss reporting requirements and any incidents they've encountered or lessons learned from them. Document these discussions in writing.
Audit / evidence tips
- Ask: the contract with the service provider. Ensure it includes a clause about incident reporting requirements. Good: has explicit names, contact methods, and timeframes.
- Good: includes clear descriptions, time of notification, and follow-up actions.
- Ask: how they handle incident reports and whether any recent examples have been processed as per the contract. Good: will show familiarity with the process and mention any recent incidents.
- Good: includes a visible, organised tracking method.
- Good: shows regular and timely communications documented and filed.
Cross-framework mappings
How ISM-0141 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.19 | ISM-0141 requires a specific supplier-relationship outcome: service provider contracts must document prompt cyber incident reporting to a... |
| Partially meets | Annex A 5.20 | ISM-0141 requires supplier agreements to explicitly include prompt cyber incident reporting to a designated contact |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-MF-ML2.11 | E8-MF-ML2.11 requires organisations to report cyber security incidents to ASD as soon as possible after they occur or are discovered |
| Partially overlaps | E8-RA-ML2.11 | E8-RA-ML2.11 requires prompt reporting of cyber incidents to the CISO (or delegate) when incidents occur or are discovered |
| Supports | E8-RA-ML2.12 | E8-RA-ML2.12 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Supports | E8-AH-ML2.16 | E8-AH-ML2.16 requires cyber security incidents to be reported promptly to the CISO (or delegate) |
| Supports | E8-AH-ML2.17 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.