Reporting Suspicious Online Contact Awareness
Staff learn to recognise and report suspicious online contact.
Plain language
This control is about making sure that everyone in your organisation knows how to spot and report any suspicious contact they might experience online, like strange emails from unknown sources. It matters because ignoring these signs can lead to serious issues like data breaches, which can harm your reputation and cost you time and money to fix.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Dec 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel are advised of what suspicious contact via online services is and how to report it.
Why it matters
Failing to report suspicious online contact promptly can lead to exposure of sensitive information, resulting in data breaches and reputational damage.
Operational notes
Train staff to recognise suspicious online contact (e.g., probing, grooming, unusual requests) and require prompt reporting via the security incident channel.
Implementation tips
- Managers should ensure all staff attend security awareness training. Organise a workshop where employees learn to identify signs of phishing, scam emails, and other suspicious activities. Use examples of real-world incidents to make the training relatable and engaging.
- IT departments should provide clear instructions for reporting suspicious contacts. Develop a simple one-page guide that explains who to contact and what information to share when reporting suspicious emails or messages. Ensure this guide is accessible to all employees, such as on the company intranet.
- HR departments should incorporate cyber safety into the onboarding process. Include a session on recognising and reporting suspicious online contacts in new employee orientation. Provide them with key contact points and resources for ongoing support.
- Compliance officers should regularly review and update reporting procedures. Schedule quarterly meetings to assess the effectiveness of reporting processes and make adjustments as needed. Gather feedback from employees about the ease of reporting to ensure the process remains user-friendly.
- Team leaders should foster an open culture about reporting cyber threats. Encourage team discussions where employees can share experiences and strategies for dealing with suspicious online contact. Reinforce that reporting such incidents is a critical part of protecting the organisation.
Audit / evidence tips
- Ask: the cybersecurity awareness training records
  Good: includes signed attendance sheets and up-to-date training materials tailored to spotting suspicious contacts online
- Good: is a simple, well-organised document that's distributed across the organisation
- Ask: examples of communications related to recent suspicious incident reports
  Good: shows timely reporting and resolution details within the organisation’s incident management framework
- Good: includes constructive feedback and documented efforts to address any concerns
- Ask: records of communications or sessions conducted during onboarding processes
  Good: is a comprehensive onboarding plan that integrates cybersecurity education effectively
Cross-framework mappings
How ISM-0817 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 6.3 | Annex A 6.3 requires organisations to deliver information security awareness and training appropriate to roles, including behavioural exp... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.