ISM-0141 ASD Information Security Manual (ISM)

Report Cyber Incidents Promptly to Designated Contacts

Service providers must report cyber incidents quickly to a specified contact as part of their contract.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Responsive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.

Source: ASD Information Security Manual (ISM)

Plain language

This control means that if a company providing you with a service experiences a cyber incident, it must let you know right away. This is important because, if it does not, unidentified issues could spread, harming your business, damaging your reputation, or leading to data breaches.

Why it matters

Delayed incident reporting by service providers can lead to unchecked breaches, escalating damage and costs, and reputation loss due to incomplete response efforts.

Operational notes

Include incident reporting timeframes and a designated contact in service contracts. Exercise reporting channels with providers to confirm prompt notification.

Implementation tips

  • Procurement team should ensure contracts include reporting requirements: Make sure any contract with a service provider clearly states that they must report any cyber incidents as soon as they happen. Include the specific contact person on your team who should be notified.
  • IT manager should establish a standard reporting process: Set up a simple, clear procedure that service providers should follow to report incidents. Provide them with a phone number or email address that is monitored regularly.
  • Business owner should review incident response timelines: Meet with your service provider to agree on a timeline for reporting incidents—from discovery to notification. Document these in the contract to hold each party accountable.
  • HR or training officer should educate relevant staff: Conduct a workshop to ensure key staff understand what constitutes a reportable incident and who in your organisation should respond and follow up.
  • Compliance officer should set up regular check-ins: Schedule regular meetings with service providers to discuss reporting requirements and any incidents they've encountered or lessons learned from them. Document these discussions in writing.

Audit / evidence tips

  • Ask for: the contract with the service provider. Ensure it includes a clause about incident reporting requirements.

    Good: has explicit names, contact methods, and timeframes

  • Good: includes clear descriptions, time of notification, and follow-up actions

  • Ask: how they handle incident reports and if any recent examples have been processed as per the contract

    Good: will show familiarity with the process and mention any recent incidents

  • Good: includes a visible, organised tracking method

  • Good: shows regular and timely communications documented and filed

Cross-framework mappings

How ISM-0141 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

| Relationship | Control | Notes |
| --- | --- | --- |
| Partially meets | Annex A 5.19 | ISM-0141 requires a specific supplier-relationship outcome: service provider contracts must document prompt cyber incident reporting to a... |
| Partially meets | Annex A 5.20 | ISM-0141 requires supplier agreements to explicitly include prompt cyber incident reporting to a designated contact |

E8

| Relationship | Control | Notes |
| --- | --- | --- |
| Partially overlaps | E8-MF-ML2.11 | E8-MF-ML2.11 requires organisations to report cyber security incidents to ASD as soon as possible after they occur or are discovered |
| Partially overlaps | E8-RA-ML2.11 | E8-RA-ML2.11 requires prompt reporting of cyber incidents to the CISO (or delegate) when incidents occur or are discovered |
| Supports | E8-RA-ML2.12 | E8-RA-ML2.12 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| Supports | E8-AH-ML2.16 | E8-AH-ML2.16 requires cyber security incidents to be reported promptly to the CISO (or delegate) |
| Supports | E8-AH-ML2.17 | E8-AH-ML2.17 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
