ISM-1784 policy ASD Information Security Manual (ISM)

Annual Testing of Cyber Incident Response Plan

The organisation tests its cyber incident response plan every year to ensure it's effective.


Plain language

This control means your organisation needs to test its plan for handling cyber incidents every year. It's important because if you don't check your response plan, you might be unprepared when a data breach or cyber attack happens, which could result in lost data, downtime for your business, and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The cyber security incident management policy, including the associated cyber security incident response plan, is exercised at least annually.

Why it matters

An untested incident response plan may lead to prolonged downtime and chaos during real cyber attacks, increasing recovery costs and reputational damage.


Operational notes

Exercise the incident response plan at least annually; capture lessons learned, update playbooks and contacts, and confirm each role is understood.


Implementation tips

  • The IT team should schedule an annual test of the incident response plan. This involves running a simulation of a cyber attack to check if everyone knows their role and if the plan works smoothly. Collect feedback afterward to update and improve the plan.
  • Ensure the management team reviews the updated incident response plan after every test. This involves looking at what went well and what didn't during the simulation, and then making decisions on any necessary changes. Document these reviews to track improvements over time.
  • Assign a project manager to coordinate with all departments involved in the incident response. They should ensure everyone participates in the testing and understands their responsibilities. Use team meetings and follow-up emails to confirm everyone's clear on their tasks.
  • Have the HR team include cyber incident response training in the annual staff training schedule. Educate employees on recognising cyber threats and understanding the response process. Use simple examples and interactive sessions to reinforce learning.
  • The finance department should assess the costs associated with testing and improving the cyber incident response plan. This includes estimating resources, training, and updates required after the annual test. Regular budgeting meetings can help allocate the right funds.

Audit / evidence tips

  • Ask: The test schedule and log. Request documentation showing the annual testing schedule for the response plans. Good: A yearly record with clear dates, participants, and outcomes.
  • Ask: To see the current version of the incident response plan post-testing. Good: A recent update with clear revisions reflecting test findings.
  • Good: Evidence that all relevant personnel received up-to-date training, supported by attendance logs.
  • Ask: Budget documentation linked to testing and updating the incident response plan. Good: Detailed financial records showing planned and actual spending on these processes.

Cross-framework mappings

How ISM-1784 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially overlaps (1)
    • Annex A 5.24: ISM-1784 requires the organisation's cyber security incident management policy and associated incident response plan to be exercised at l...
  • Supports (3)
    • Annex A 5.25: ISM-1784 requires the organisation to exercise its incident management policy and incident response plan annually.
    • Annex A 5.26: Annex A 5.26 requires responding to information security incidents in accordance with documented procedures.
    • Annex A 5.28: ISM-1784 requires annual exercising of the cyber security incident response plan.

E8

  • Supports (1)
    • E8-MF-ML2.12: E8-MF-ML2.12 requires the organisation to enact its incident response plan once an incident is identified.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
