Coordinated Intrusion Remediation During Planned Outages
Ensure all activities to fix intrusions happen together during scheduled downtime.
Plain language
This control requires that the work to evict an intruder and fix the weaknesses they used is planned and carried out together, in one scheduled outage, rather than piecemeal across several. Piecemeal remediation leaves gaps between fixes: access that has only been partly removed can be used again, and an attacker who sees some of their footholds disappear is alerted and can re-establish access before the remaining fixes land, which can end in data loss or system damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage.
Why it matters
Uncoordinated intrusion remediation across multiple outages can leave systems in an inconsistent state, extending attacker opportunity and increasing disruption risk.
Operational notes
Bundle all intrusion remediation tasks into a single planned outage where possible; align teams, sequencing, testing and rollback so fixes complete together and gaps are minimised.
Implementation tips
- IT Team should create a coordination checklist: List all the specific steps and tasks that must be completed to fix known security issues, ensuring nothing is missed. This checklist should be clear and accessible, shared with everyone involved well ahead of the planned outage.
- System Administrator should schedule the downtime: Work with stakeholders to find a window that disrupts business operations least. Announce the downtime in advance so that everyone can plan around the service interruptions.
- IT Security Officer should organise a briefing: Before the scheduled downtime, hold a meeting with all relevant staff to review the checklist and assign roles. Ensure everyone understands their tasks and the timeline to make the process smooth.
- Manager should confirm resource availability: Ensure that the IT team has all the necessary tools, access permissions, and support they need before the outage begins. This avoids delays and ensures the fix can be carried out as planned.
- Communications Officer should inform staff and stakeholders: Send out notices detailing what to expect during the downtime, what services will be unavailable, and what security improvements are being made. This helps manage expectations and reassure everyone that issues are being handled professionally.
Audit / evidence tips
- Ask: the coordination checklist. Request the document that outlines all planned remediation actions during the scheduled outage.
  Good: includes a detailed, current checklist signed off by the IT lead.
- Ask: outage schedules. Request the documented schedule of past outages planned for remediation.
  Good: includes a schedule showing outages with full remediation logs.
- Ask: briefing notes from pre-outage meetings. Request notes or minutes from the coordination briefings before planned outages.
  Good: includes comprehensive notes showing all tasks were allocated and acknowledged.
- Ask: resource allocation records. Confirm that necessary tools and access were arranged ahead of time.
  Good: shows pre-assigned tools and permissions with no unaddressed resource gaps.
- Ask: post-outage reports. Request reports made after downtime concludes.
  Good: includes comprehensive reports showing all tasks were completed, with identified improvements for next time.
Cross-framework mappings
How ISM-1732 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 5.30 | Annex A 5.30 requires ICT readiness to be maintained and tested so ICT can continue to support business objectives during disruptions | |
| Annex A 8.32 | ISM-1732 requires that intrusion remediation is coordinated and carried out during the same planned outage where possible to minimise dis... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.