ISM-1731, ASD Information Security Manual (ISM)

Coordinate Intrusion Remediation on Separate Systems

Intrusion response activities should be managed from a different system than the one that has been breached.

Plain language

When responding to a cyberattack, it's crucial to plan and coordinate your actions from a system that hasn't been compromised. This prevents hackers from intercepting your communications or sabotaging your response efforts, helping ensure your plans stay secure and effective.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.
ASD Information Security Manual (ISM), ISM-1731

Why it matters

If remediation isn't coordinated from a separate system, attackers could obstruct response efforts, leading to prolonged breaches and greater damage.

Operational notes

Use a dedicated, isolated host for remediation coordination; harden, monitor and keep it ready for use during any incident.

Implementation tips

  • IT Managers should create a separate, secure communication channel for handling cyber incidents. This can be a dedicated computer or a secure messaging app set up specifically for coordination, keeping discussions away from potentially compromised systems.
  • System Owners need to identify and document the critical systems that require separate handling. Write a list of these systems and include procedures for guiding staff on how to respond if these systems are targeted.
  • The IT Support Team should routinely test their cyber incident response plan using a secure and separate platform. Conduct drills where the team can practice managing a breach without touching the compromised system, ensuring everyone knows how to use the alternate platform effectively.
  • Procurement Officers should ensure contracts for any new technologies include requirements for secure, separate systems for managing cyber incidents. This will help guarantee that future systems have built-in capabilities for responding to intrusions securely.
  • Management should allocate resources for training staff on using secure systems for breach management. Organise workshops or online training sessions that focus on recognising when systems are compromised and using alternative secure systems for coordination.

Audit / evidence tips

  • Ask: Incident response plans. Request documents showing how the organisation handles breaches from a secure system. Good: Is a detailed plan outlining steps and involved parties.
  • Ask: Communication logs during recent incidents. Request records of how communication was handled during past cyber incidents. Good: Is evidence of using a secure platform distinct from the breached system.
  • Ask: Training records. Request documentation of staff training on breach management. Good: Is evidence of regular and comprehensive training sessions.
  • Ask: Procurement documents. Request evidence that new systems have provisions for secure breach management coordination. Good: Includes documented procurement criteria ensuring separate management capabilities.
  • Ask: System documentation. Request records showing which systems are designated for breach management. Good: Shows a clear distinction and regular checks or updates.

Cross-framework mappings

How ISM-1731 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.24: ISM-1731 requires organisations to coordinate intrusion remediation from a separate system than the one compromised, addressing integrity...

Supports (1)

  • Annex A 5.28: ISM-1731 requires remediation coordination to be performed on a separate system to reduce the risk that an attacker can observe, alter, o...

E8

Supports (2)

  • E8-RA-ML2.4: ISM-1731 requires that intrusion remediation planning and coordination occur on a system separate to the compromised one to avoid attacke...
  • E8-RA-ML3.2: ISM-1731 requires planning and coordination of intrusion remediation to be conducted on a separate system from the compromised environment

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
