Consult System Owners Before Continuing Intrusions
System owners must be asked before allowing intrusions to persist for collecting evidence.
Plain language
Before continuing to monitor an ongoing cyber intrusion in your systems, you need to talk with the person who owns the system to get their permission. This is important because if you don't, you could risk further damage or misuse of sensitive information without the system owner’s understanding or consent.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidentsOfficial control statement
System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.
Why it matters
If system owners aren’t consulted before allowing intrusion activity to continue, evidence-gathering may breach authority, increase damage, and erode trust.
Operational notes
During an intrusion, promptly brief the system owner and obtain explicit approval before continuing activity for evidence collection; record decisions and timeframes.
Implementation tips
- The system owner should organise a meeting with the IT team immediately when an intrusion is detected. Discuss the extent of the breach and whether continuing to monitor it without immediate action could help gather more evidence or if it poses a risk.
- The IT team should prepare a brief report explaining the potential benefits and risks of continuing to monitor the intrusion. Include examples of data that might be collected and how it could help identify the attacker.
- The system owner should consult any relevant privacy officers or legal advisors to ensure that continuing to monitor the intrusion complies with privacy laws and company policies.
- System owners should be clear about who has the authority to make decisions about ongoing monitoring. Document this decision-making process so that everyone involved is aware of the roles and responsibilities.
- Once a decision is made, the system owner should ensure that it is documented, including who was consulted, the reasons for the decision, and any conditions or timeframes set for the continued monitoring.
Audit / evidence tips
- AskThe documented meeting notes where the system owner consulted with relevant parties GoodWould include a decision to either monitor or not, along with reasons why
- AskCommunication records with privacy offices or legal advisors. Ensure these include responses that confirm compliance with legal and policy requirements, indicating consent from decision-makers
- AskThe final document that records the decision to continue monitoring
Cross-framework mappings
How ISM-1609 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.26 | ISM-1609 requires consulting system owners before permitting continued intrusion for evidence gathering | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 5.28 | ISM-1609 requires consulting system owners before allowing an intrusion to continue for evidence collection, while Annex A 5.28 focuses o... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.