ISM-1228 (policy), ASD Information Security Manual (ISM)

Analyse Cyber Security Events Promptly

Timely analysis of security events to spot incidents.

Plain language

This control is about quickly looking at any signs of unusual activity on your computers and networks to see if there might be a security problem. It's important because if you miss or overlook these signs, you might not catch a cyber incident before it causes real harm, like data breaches or system downtime.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Cyber security events are analysed in a timely manner to identify cyber security incidents.
Why it matters

Delayed event analysis can let genuine incidents go unnoticed, increasing dwell time and the likelihood of data compromise, loss and reputational harm.

Operational notes

Review key security logs daily (or continuously), tune alert rules, and use SIEM automation to triage events quickly and escalate suspected incidents within defined SLAs.

Implementation tips

  • IT staff should set up automatic alerts for unusual activities: Use software to monitor systems for anything odd, like too many login attempts or unexpected data transfers. The software should notify the IT team right away so they can check if it’s something suspicious.
  • Managers should ensure the IT team has the resources they need: Make sure they have the right tools and enough staff time to monitor alerts. Consider budgeting for training and software that helps in detecting issues quickly.
  • System owners should have clear procedures in place: Develop a step-by-step guide on what to do when a suspicious event is detected. This should cover who to inform, what information to gather, and how to assess the seriousness of the threat.
  • The IT team should conduct regular training sessions: Train staff on what unusual activity looks like and how to report it. Use real-world examples to make the training more effective and relatable.
  • Assign a point of contact for security incidents: Designate a person or team who is responsible for handling incidents when detected. Ensure this information is communicated so everyone knows who to contact when something unusual is found.
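The automatic-alert rule and the SLA escalation point above, as an added example that is not part of this page or the ISM: it runs a failed-login threshold rule and a triage-lag check against an assumed 60-minute analysis SLA over constructed SIEM-style events, so a SOC can show which events were analysed in time and which were not.

```python
# Added example (not from the Control Stack page or the ASD ISM): two checks a
# SOC could run over SIEM events to evidence ISM-1228. Thresholds, the SLA and
# all events are assumed/constructed values; timestamps are ISO 8601 UTC.
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                  # assumed alert tuning
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
TRIAGE_SLA = timedelta(minutes=60)          # assumed analysis SLA

# Constructed events: (event_time, source, event_type, triaged_at or None)
EVENTS = [
    (f"2026-03-19T08:0{i}:00", "10.0.0.5", "auth_failure", "2026-03-19T08:20:00")
    for i in range(6)                       # burst: six failures in six minutes
] + [
    ("2026-03-19T08:00:00", "10.0.0.9", "auth_failure", "2026-03-19T08:30:00"),
    ("2026-03-19T09:30:00", "10.0.0.9", "auth_failure", "2026-03-19T09:45:00"),
    ("2026-03-19T09:00:00", "10.0.0.9", "large_data_transfer", None),  # never triaged
    ("2026-03-19T08:00:00", "10.0.0.7", "auth_failure", "2026-03-19T09:30:00"),
]

_ts = datetime.fromisoformat


def failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Sources with at least `threshold` auth failures inside any `window`-long span."""
    by_source = defaultdict(list)
    for ts, source, kind, _ in events:
        if kind == "auth_failure":
            by_source[source].append(_ts(ts))
    flagged = set()
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide window so it spans at most `window`
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(source)
                break
    return flagged


def sla_breaches(events, now, sla=TRIAGE_SLA):
    """(source, kind, lag_minutes) for events analysed later than `sla`, or not yet at all."""
    breaches = []
    for ts, source, kind, triaged in events:
        lag = (_ts(triaged) if triaged else now) - _ts(ts)  # untriaged: lag keeps growing
        if lag > sla:
            breaches.append((source, kind, int(lag.total_seconds() // 60)))
    return breaches
```

Calling `failed_login_bursts(EVENTS)` flags only 10.0.0.5, and `sla_breaches(EVENTS, _ts("2026-03-19T11:00:00"))` lists the untriaged transfer (120 minutes) and the late auth-failure review (90 minutes); the output is the evidence an auditor would ask for under the "logs of security alerts" item below.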
Audit / evidence tips

  • Ask: The logs of security alerts. Request records showing the alerts generated and how they were followed up. Good: Alerts are reviewed promptly, and documented follow-ups show the outcome.
  • Ask: The incident response plan. Request the document outlining how the organisation handles detected incidents. Good: The document is comprehensive, up to date, and practised regularly.
  • Ask: Training records for IT staff. Request evidence of regular training sessions pertaining to identifying and responding to cyber events. Good: Training is relevant, regular, and includes all necessary personnel.
  • Ask: Software tool reports. Request reports from tools that monitor for unusual activity. Good: Reports show active monitoring, regular updates, and correct configurations.
  • Ask: To see results of recent incident testing exercises. Request documentation of any simulations or tests performed to assess the response to cyber events. Good: Simulations are conducted effectively, with actionable insights and noted improvements.
Cross-framework mappings

How ISM-1228 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Depends on (1): Annex A 8.15. ISM-1228 requires organisations to analyse cyber security events promptly to identify incidents.
  • Related (1): Annex A 5.25. ISM-1228 requires cyber security events to be analysed in a timely manner to identify cyber security incidents.

E8

  • Partially meets (9)
  • Supports (2)
  • Depends on (1)
  • Related (4)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
