Procedures for Handling Malicious Code Infections
Infected systems are isolated, any media recently connected to them are scanned, the malware is removed, and systems are restored from a known good backup or rebuilt if removal is not reliable.
Plain language
If a computer system gets a virus or other malicious software, specific steps must be taken to stop it from spreading and causing further damage. This control matters because failing to act quickly can lead to bigger problems: data theft, a shutdown of your systems, or high costs to repair the damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
When malicious code is detected, the following steps are taken to handle the infection:
- the infected systems are isolated
- all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
- antivirus applications are used to remove the infection from infected systems and media
- if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.
Why it matters
If infections aren’t quickly isolated and previously connected media scanned, malware can spread and persist, causing outages, data loss and costly rebuilds.
Operational notes
On detection, immediately isolate infected hosts, scan/quarantine all recently connected media, attempt AV removal, and restore from known-good backups or rebuild if removal is unreliable.
Implementation tips
- The IT team should isolate infected systems immediately. This means disconnecting the affected computer or device from the network to prevent the virus from spreading. Make sure to have a clear procedure in place that guides which cables to unplug or how to switch off wireless connections.
- Managers should ensure that all removable media recently connected to the infected system are scanned. This includes any USB drives or external hard drives used in the period leading up to the infection. Use reliable antivirus software for scanning, quarantine any media that is found to be infected, and keep a checklist so that every potential source of infection is checked.
- The IT department should remove the virus using antivirus applications. Select antivirus tools that are effective against a range of threats, update them regularly, and conduct thorough scans on all affected systems. If unsure what software to use, consult the Australian Cyber Security Centre's (ACSC) guidelines.
- System owners should prepare for situations where the virus can’t be removed. Keep regular backups and test restoration processes periodically. Make sure backups are recent and stored securely off the network, ready to be used if the system needs to be restored.
- IT managers should establish a protocol for rebuilding systems if necessary. This involves reinstalling the operating system and applications from scratch, ensuring all security updates are applied. Create a step-by-step procedure document to guide this process in emergency situations.
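Working out which media to scan (the second tip above) is the step most often done from memory. The following is an added example, not part of this page or of the ISM: a Python script that reads Linux kernel log lines in the shape of `journalctl -k -o short-iso` output and lists every USB mass-storage device that was present in a lookback window before the detection time, including a stick plugged in before the window opened and still attached, which a naive "attached within the last two hours" filter would miss. The log lines, the hostname `ws17`, the serial numbers and the vendor/product IDs are constructed placeholders; the detection time and window length are the analyst's inputs, and the script assumes kernel logging on the host was intact.

```python
"""List the removable media present in the window before a malware detection,
from Linux kernel log lines (journalctl -k -o short-iso). Added example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# One kernel log line: ISO timestamp, hostname, "kernel:", then the message.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<msg>.*)$")
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\S+: USB Mass Storage device detected")
DISCONNECT_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"   # short-iso timestamps carry a +HHMM offset


@dataclass
class Media:
    port: str
    vid: str
    pid: str
    attached: datetime
    serial: str = "unknown"
    detached: Optional[datetime] = None   # None: still plugged in at end of log
    mass_storage: bool = False


def parse_usb_events(lines):
    """Return one Media record per USB attach seen in the log, with the detach time if seen."""
    active = {}     # port -> device currently plugged into that port
    history = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        msg = m.group("msg")
        if f := FOUND_RE.match(msg):
            # A new device on an occupied port means the disconnect was missed;
            # close the old record instead of losing it.
            if f.group("port") in active:
                history.append(active.pop(f.group("port")))
            active[f.group("port")] = Media(f.group("port"), f.group("vid"), f.group("pid"), ts)
        elif s := SERIAL_RE.match(msg):
            if s.group("port") in active:
                active[s.group("port")].serial = s.group("serial")
        elif st := STORAGE_RE.match(msg):
            if st.group("port") in active:
                active[st.group("port")].mass_storage = True
        elif d := DISCONNECT_RE.match(msg):
            dev = active.pop(d.group("port"), None)
            if dev is not None:
                dev.detached = ts
                history.append(dev)
    history.extend(active.values())
    return history


def media_to_scan(lines, detected_at, lookback):
    """Mass-storage devices whose attach/detach interval overlaps [detected_at - lookback, detected_at]."""
    window_start = detected_at - lookback
    hits = [
        dev for dev in parse_usb_events(lines)
        if dev.mass_storage
        and dev.attached <= detected_at
        and (dev.detached is None or dev.detached >= window_start)
    ]
    return sorted(hits, key=lambda d: d.attached)


# Constructed sample in the shape of `journalctl -k -o short-iso` output.
# Hostname, serials and vendor/product IDs are placeholders, not real devices.
SAMPLE_LOG = """\
2025-03-12T06:00:00+1100 ws17 kernel: usb 1-1.5: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
2025-03-12T06:00:00+1100 ws17 kernel: usb 1-1.5: SerialNumber: DDDD0001
2025-03-12T06:00:00+1100 ws17 kernel: usb-storage 1-1.5:1.0: USB Mass Storage device detected
2025-03-12T07:00:00+1100 ws17 kernel: usb 1-1.2: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.00
2025-03-12T07:00:00+1100 ws17 kernel: usb 1-1.2: SerialNumber: AAAA0001
2025-03-12T07:00:00+1100 ws17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
2025-03-12T07:30:00+1100 ws17 kernel: usb 1-1.2: USB disconnect, device number 5
2025-03-12T08:10:00+1100 ws17 kernel: usb 1-1.3: New USB device found, idVendor=abcd, idProduct=0003, bcdDevice= 1.00
2025-03-12T08:10:00+1100 ws17 kernel: usb 1-1.3: SerialNumber: BBBB0001
2025-03-12T08:10:00+1100 ws17 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
2025-03-12T09:05:00+1100 ws17 kernel: usb 1-1.4: New USB device found, idVendor=abcd, idProduct=0004, bcdDevice= 1.00
2025-03-12T09:05:00+1100 ws17 kernel: usb 1-1.4: Product: Optical Mouse
2025-03-12T09:40:00+1100 ws17 kernel: usb 1-1.2: New USB device found, idVendor=abcd, idProduct=0005, bcdDevice= 1.00
2025-03-12T09:40:00+1100 ws17 kernel: usb 1-1.2: SerialNumber: CCCC0001
2025-03-12T09:40:00+1100 ws17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
2025-03-12T09:50:00+1100 ws17 kernel: usb 1-1.2: USB disconnect, device number 7
""".splitlines()

DETECTED_AT = datetime.strptime("2025-03-12T10:00:00+1100", TS_FORMAT)   # analyst input
LOOKBACK = timedelta(hours=2)                                             # analyst input

if __name__ == "__main__":
    for dev in media_to_scan(SAMPLE_LOG, DETECTED_AT, LOOKBACK):
        state = "still attached" if dev.detached is None else f"removed {dev.detached:%H:%M}"
        print(f"{dev.serial} ({dev.vid}:{dev.pid}) on port {dev.port}, attached {dev.attached:%H:%M}, {state}")
```

With the sample data the script lists three sticks: the one attached at 06:00 and never removed, the one attached at 08:10, and the one present from 09:40 to 09:50. The stick removed at 07:30 and the mouse are left out. On a real host, feed it `journalctl -k -o short-iso` output from before the isolation step, and treat every serial it prints as a device to locate, scan and quarantine if infected.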
Audit / evidence tips
- Ask: the incident response procedure documentation. This should cover how to isolate an infected system and the assigned team.
  Good: Detailed steps including who is responsible and a record of the last procedure review.
- Good: Dated reports showing infected devices were scanned and actions to clean them were initiated.
- Ask: records of system backups. Check how often backups are done and where they are stored.
  Good: Documentation that backups are done regularly, with a point-in-time copy stored securely and tested for restorability.
- Good: An updated list showing regularly maintained antivirus tools in accordance with ACSC guidelines.
- Ask: protocol documentation for system rebuilding. This should detail how systems are rebuilt if the virus can't be removed.
  Good: A clear protocol exists, detailing each step, with records showing staff informed and trained.
Cross-framework mappings
How ISM-0917 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 5.26 | ISM-0917 defines a specific set of documented response steps for malicious code infections, including isolation, scanning media, removal,... |
| Partially overlaps (2) | |
| Annex A 8.7 | ISM-0917 requires organisations to handle detected malware by containing it (isolation), assessing spread (scanning connected media), era... |
| Annex A 8.13 | ISM-0917 requires organisations to isolate malware-infected systems, scan potentially exposed media, attempt removal using antivirus, and... |
| Supports (1) | |
| Annex A 5.28 | ISM-0917 requires specific operational actions to contain and remediate a malicious code infection (isolation, scanning of media, removal... |
E8
| Control | Notes |
|---|---|
| Supports (1) | |
| E8-RB-ML1.4 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups during disaster recovery exercises |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.