Develop and Maintain Cyber Security Incident Plans
Organisations must create and keep an updated cyber security incident management and response plan.
Plain language
Every organisation needs a plan for handling cyber security incidents, like a blueprint for tackling unexpected problems with your computer systems. This is important because if you're unprepared, a cyber attack can lead to major disruptions, loss of sensitive information, and damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
A cyber security incident management policy, and associated cyber security incident response plan, is developed, implemented and maintained.
Why it matters
Without a robust incident plan, organisations risk prolonged disruptions and data breaches, damaging trust and escalating recovery costs.
Operational notes
Regularly update and drill response plans to ensure team readiness and adapt to emerging threats and evolving business processes.
Implementation tips
- The business owner or manager should initiate the cyber security incident response plan by consulting their IT expert. Agree on the likely ways the organisation's systems could be compromised (for example ransomware, a compromised email account or a lost device) and write down clear steps for detecting, containing, recovering from and reporting each one. Document the plan and keep it accessible to key team members, including a copy that can still be reached if the main systems or email are unavailable during an incident.
- The IT team should run regular training sessions on the incident response plan for all staff, walking through the procedures so everyone knows their role when an incident occurs. Role-playing scenarios as tabletop exercises is a practical way to confirm the team understands the plan and to expose gaps in it.
- Management should appoint a response team leader to coordinate during a cyber incident. This person should know the plan in depth and be empowered to make decisions quickly, including the decision to take affected systems offline. Make sure the leader knows how to reach external technical support quickly if needed.
- The IT team should review and update the plan at least twice a year and after any significant incident, so that it covers new cyber threats, changes to systems and business processes, and lessons learned from past incidents. Document each review and the changes made.
- The business owner should ensure there is a communication strategy for notifying affected parties in the event of a cyber incident. Pre-draft templates for communicating with customers and regulatory bodies to save time during an incident, and update them regularly to reflect current regulations and company policy.
Audit / evidence tips
- Ask for: the documented incident response plan. Request a copy of the response plan created by the organisation.
  Good evidence: a detailed, clearly written plan that is up to date and customised to the specific needs of the organisation.
- Ask for: training records. Check the schedule and attendance of incident response training sessions.
  Good evidence: consistent, regular training with documented improvements and active participation from team members.
- Ask for: the list of designated incident response team members. Verify the list of people who are responsible for managing incidents.
  Good evidence: a current, clearly defined list with designated roles and contact details.
- Ask for: meeting minutes or reports from incident plan reviews. Request records of past review meetings or reports.
  Good evidence: detailed notes and the actions taken following the reviews.
- Ask for: communication templates. Request examples of prepared messages for stakeholders during an incident.
  Good evidence: updated, professional-looking templates that meet current communication needs.
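The evidence criteria above can be checked automatically if the plan's metadata (review dates and outcomes, team roster, training attendance, template inventory) is kept in a machine-readable manifest next to the plan itself. The following is an added example and is not code from the ISM or from the Control Stack page: the manifest layout, the 183-day review and 365-day training thresholds, the required template audiences and the sample manifest are all assumptions, and the sample is constructed with deliberate gaps so that each criterion produces a finding.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds below are assumptions for this example, not figures from the ISM.
REVIEW_INTERVAL = timedelta(days=183)     # plan reviewed at least twice a year
TRAINING_INTERVAL = timedelta(days=365)   # every responder drilled at least once a year
REQUIRED_TEMPLATES = {"customers", "regulator"}  # audiences a template must exist for


@dataclass(frozen=True)
class Finding:
    check: str   # the evidence criterion that failed
    detail: str  # what is missing or stale


def parse_date(value: str) -> date:
    """Manifest dates are ISO 8601 strings (assumed format)."""
    return date.fromisoformat(value)


def assess_plan(manifest: dict, today: date) -> list[Finding]:
    """Return one Finding per unmet criterion; an empty list means every check passed."""
    findings: list[Finding] = []

    # 1. A documented plan: it must name a title, an accountable owner and a version.
    for key in ("title", "owner", "version"):
        if not manifest.get(key):
            findings.append(Finding("documented plan", f"missing '{key}'"))

    # 2. Review records: the latest review must be recent and must record actions,
    #    since a date with no outcomes is not evidence that a review took place.
    reviews = manifest.get("reviews", [])
    if not reviews:
        findings.append(Finding("plan reviews", "no review records"))
    else:
        latest = max(reviews, key=lambda r: parse_date(r["date"]))
        age = today - parse_date(latest["date"])
        if age > REVIEW_INTERVAL:
            findings.append(Finding("plan reviews", f"last review {age.days} days ago"))
        if not latest.get("actions"):
            findings.append(Finding("plan reviews", "latest review records no actions"))

    # 3. Response team: exactly one named leader, and every member reachable out of hours.
    team = manifest.get("team", [])
    leaders = [m for m in team if m.get("role") == "leader"]
    if len(leaders) != 1:
        findings.append(Finding("response team", f"expected 1 leader, found {len(leaders)}"))
    for member in team:
        for contact in ("email", "phone"):
            if not member.get(contact):
                findings.append(Finding("response team", f"{member['name']} has no {contact}"))

    # 4. Training: each team member must have attended a drill within the interval.
    sessions = manifest.get("training", [])
    for member in team:
        attended = [parse_date(s["date"]) for s in sessions
                    if member["name"] in s.get("attendees", [])]
        if not attended:
            findings.append(Finding("training", f"{member['name']} has never attended a drill"))
        else:
            since = (today - max(attended)).days
            if since > TRAINING_INTERVAL.days:
                findings.append(Finding("training", f"{member['name']} last drilled {since} days ago"))

    # 5. Communication templates: one pre-drafted message per required audience.
    have = {t.get("audience") for t in manifest.get("templates", [])}
    for audience in sorted(REQUIRED_TEMPLATES - have):
        findings.append(Finding("communication templates", f"no template for {audience}"))

    return findings


# Constructed sample manifest (not a real organisation's plan) with deliberate gaps.
SAMPLE_MANIFEST = {
    "title": "Cyber security incident response plan",
    "owner": "Chief Operating Officer",
    "version": "3.1",
    "reviews": [
        {"date": "2025-05-10", "actions": ["added ransomware playbook"]},
        {"date": "2025-11-20", "actions": []},  # review held, but nothing recorded
    ],
    "team": [
        {"name": "A. Lee", "role": "leader", "email": "a.lee@example.com", "phone": "+61 2 0000 0000"},
        {"name": "B. Kaur", "role": "analyst", "email": "b.kaur@example.com", "phone": ""},
    ],
    "training": [
        {"date": "2025-02-01", "attendees": ["A. Lee", "B. Kaur"]},
        {"date": "2025-09-15", "attendees": ["A. Lee"]},
    ],
    "templates": [{"audience": "customers", "path": "templates/customer-notice.md"}],
}


def sample_report(today_iso: str) -> list[tuple[str, str]]:
    """Assess the sample manifest as at a given date; used by the CLI below and by tests."""
    return [(f.check, f.detail) for f in assess_plan(SAMPLE_MANIFEST, parse_date(today_iso))]


if __name__ == "__main__":
    for check, detail in sample_report("2026-03-19"):
        print(f"[{check}] {detail}")
```

Run as at 19 March 2026 the sample produces four findings: the latest review recorded no actions, one responder has no phone number, that responder has not drilled for over a year, and there is no regulator template. The check is deliberately date-driven so it can run on a schedule and fail as evidence goes stale, rather than only when someone remembers to audit.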
Cross-framework mappings
How ISM-0576 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially overlaps (2) | |
| Annex A 5.29 | Annex A 5.29 requires the organisation to plan for maintaining information security during disruptions |
| Annex A 5.37 | Annex A 5.37 requires operational procedures for information processing to be documented and made available to relevant personnel |
| Supports (5) | |
| Annex A 5.4 | ISM-0576 requires the organisation to have an implemented and maintained incident management policy and incident response plan that perso... |
| Annex A 5.5 | ISM-0576 requires an incident management policy and incident response plan that are implemented and maintained, which typically include e... |
| Annex A 5.23 | Annex A 5.23 requires that incidents drive improvements to security controls through learning and corrective action |
| Annex A 5.26 | Annex A 5.26 requires incidents to be responded to in line with documented procedures |
| Annex A 5.27 | Annex A 5.27 requires organisations to use knowledge from incidents to strengthen and improve information security controls |
E8
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Depends on (4) | |
| Related (1) | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.