Analyse Cyber Security Events Promptly
Timely analysis of security events to spot incidents.
Plain language
This control is about quickly looking at any signs of unusual activity on your computers and networks to see if there might be a security problem. It's important because if you miss or overlook these signs, you might not catch a cyber incident before it causes real harm, like data breaches or system downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Monitoring
Official control statement
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Why it matters
Delayed event analysis can let genuine incidents go unnoticed, increasing dwell time and the likelihood of data compromise, loss and reputational harm.
Operational notes
Review key security logs daily (or continuously), tune alert rules, and use SIEM automation to triage events quickly and escalate suspected incidents within defined SLAs.
Implementation tips
- IT staff should set up automatic alerts for unusual activities: Use software to monitor systems for anything odd, like too many login attempts or unexpected data transfers. The software should notify the IT team right away so they can check if it’s something suspicious.
- Managers should ensure the IT team has the resources they need: Make sure they have the right tools and enough staff time to monitor alerts. Consider budgeting for training and software that helps in detecting issues quickly.
- System owners should have clear procedures in place: Develop a step-by-step guide on what to do when a suspicious event is detected. This should cover who to inform, what information to gather, and how to assess the seriousness of the threat.
- The IT team should conduct regular training sessions: Train staff on what unusual activity looks like and how to report it. Use real-world examples to make the training more effective and relatable.
- Assign a point of contact for security incidents: Designate a person or team who is responsible for handling incidents when detected. Ensure this information is communicated so everyone knows who to contact when something unusual is found.
Audit / evidence tips
- Ask for the logs of security alerts: Request records showing the alerts generated and how they were followed up.
  Good: Alerts are reviewed promptly and documented follow-ups show the outcome.
- Ask for the incident response plan: Request the document outlining how the organisation handles detected incidents.
  Good: The document is comprehensive, up-to-date, and practised regularly.
- Ask for training records for IT staff: Request evidence of regular training sessions pertaining to identifying and responding to cyber events.
  Good: Training is relevant, regular, and includes all necessary personnel.
- Ask for software tool reports: Request reports from tools that monitor for unusual activity.
  Good: Reports show active monitoring, regular updates, and correct configurations.
- Ask to see results of recent incident testing exercises: Request documentation of any simulations or tests performed to assess the response to cyber events.
  Good: Simulations are conducted effectively, with actionable insights and noted improvements.
Cross-framework mappings
How ISM-1228 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Depends on (1) | | |
| Annex A 8.15 | ISM-1228 requires organisations to analyse cyber security events promptly to identify incidents | |
| Related (1) | | |
| Annex A 5.25 | ISM-1228 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (9) | | |
| Supports (2) | | |
| Depends on (1) | | |
| Related (4) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.