Document and Report Cyber Security Incidents
Keep a record of cyber incidents including dates, actions, and reporting details.
Plain language
This control is about making sure any issues with your organisation's cyber security are recorded properly. It's like keeping a diary of any break-ins or attempted break-ins online. If you don't do this, you might not fully recognise the problems you're facing, which can make it harder to fix them and prevent them in the future.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
A cyber security incident register contains the following for each cyber security incident:
- the date the cyber security incident occurred
- the date the cyber security incident was discovered
- a description of the cyber security incident
- any actions taken in response to the cyber security incident
- to whom the cyber security incident was reported.
Why it matters
If incidents aren’t recorded and reported, response actions and lessons learned are lost, leading to repeated incidents and delayed containment.
Operational notes
For every incident, record the occurrence date, the discovery date, a description, the actions taken, and exactly whom it was reported to (and when), so that the full chain from detection to reporting is traceable. Record dates in a single consistent format and time zone so that detection lag and reporting timeliness can be measured across incidents.
Implementation tips
- Appoint a responsible manager to maintain the cyber security incident register. They should ensure every cyber security incident is recorded on the register as soon as it is discovered. A simple spreadsheet or an online form is sufficient, provided it captures what happened, when it happened, and what was done about it. The register itself is sensitive: restrict access to the incident response team and those who need to report from it, and keep it somewhere that remains available if the main environment is compromised.
- The IT team should record the discovery date for each incident. They can do this by checking alerts and logs regularly and updating the register promptly whenever a new incident is found. Use a shared file that multiple team members can update, with edit history retained so that changes to an entry are themselves traceable.
- After an incident, the responsible manager should describe what happened: a brief summary including how the incident was discovered, what triggered it, and which part of the organisation was affected. The aim is that anyone reading the register understands the incident in plain terms.
- The IT team should log the actions taken in response. Detail exactly which steps were taken to contain, resolve, or mitigate the incident, including any immediate changes or fixes applied and the date of each.
- Document to whom each incident was reported. The responsible manager should record the people and bodies informed, such as executive members or relevant authorities, along with the date and method of each communication (for example email or phone call).
Audit / evidence tips
- Ask: to see the cyber security incident register. Good: includes accurate and complete occurrence and discovery dates for each incident.
- Good: each incident is clearly described, including what triggered it and its impact.
- Ask: to see records of the actions taken for a specific incident. Good: includes detailed actions that align with and appropriately address the incident described.
- Good: has evidence of timely communication to appropriate parties, such as internal memos or email threads.
- Ask: for incident follow-up documentation. Good: shows documented reviews or meetings that aim to prevent similar future incidents.
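The implementation and audit tips above amount to a check that every register entry carries the five fields the control statement lists and that its dates are internally consistent. The following Python is an added example, not code from the Control Stack page or from ASD: it parses a register kept as a CSV file and reports, per incident, which required fields are missing, whether the discovery date precedes the occurrence date, and the detection lag in days. The column names and the sample incidents are assumptions constructed for this example; the ISM prescribes the content of the register, not its format.

```python
"""
Cyber security incident register checker (added example, not ISM or Control
Stack code). Validates that each register row carries the five fields
ISM-1803 requires and that its dates are consistent.
"""
import csv
import io
from datetime import datetime

# Assumed column names for this example. The first column is an identifier
# for the row; the remaining five map onto the ISM-1803 control statement.
REQUIRED_FIELDS = (
    "incident_id",
    "date_occurred",
    "date_discovered",
    "description",
    "actions_taken",
    "reported_to",
)

# Constructed sample register (fictitious incidents). Row 1 is complete;
# row 2 has no actions recorded; row 3 has a discovery date earlier than
# the occurrence date; row 4 has no reporting recipient.
SAMPLE_REGISTER = """incident_id,date_occurred,date_discovered,description,actions_taken,reported_to
INC-0001,2024-03-01,2024-03-03,Phishing email led to credential entry on a fake login page,Password reset; MFA re-enrolled; mailbox rules reviewed,CISO (email 2024-03-03); ASD ReportCyber (2024-03-04)
INC-0002,2024-04-10,2024-04-10,Malware alert on workstation WS-17,,CISO (phone 2024-04-10)
INC-0003,2024-05-20,2024-05-18,Unauthorised VPN login from an unexpected country,Account disabled; sessions revoked,CISO (email 2024-05-18)
INC-0004,2024-06-02,2024-06-30,Lost unencrypted USB drive,Drive contents assessed; staff reminded of media policy,
"""


def parse_date(value):
    """Parse an ISO-8601 date (YYYY-MM-DD); return None if blank or invalid."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except (ValueError, AttributeError):
        return None


def validate_entry(row):
    """Return a list of findings for one register row; an empty list means
    the row satisfies the five-field requirement and its dates are sane."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not row.get(field, "").strip():
            findings.append(f"missing {field}")

    occurred_raw = row.get("date_occurred", "").strip()
    discovered_raw = row.get("date_discovered", "").strip()
    occurred = parse_date(occurred_raw)
    discovered = parse_date(discovered_raw)

    # A populated but unparseable date is a separate finding from a blank one.
    if occurred_raw and occurred is None:
        findings.append("date_occurred not ISO-8601")
    if discovered_raw and discovered is None:
        findings.append("date_discovered not ISO-8601")
    # Discovery cannot precede occurrence; this usually means the two
    # columns were swapped or the occurrence date was guessed after the fact.
    if occurred and discovered and discovered < occurred:
        findings.append("discovered before occurred")
    return findings


def detection_lag_days(row):
    """Days between occurrence and discovery, or None if either date is
    missing or unparseable. Negative values indicate inconsistent dates."""
    occurred = parse_date(row.get("date_occurred", ""))
    discovered = parse_date(row.get("date_discovered", ""))
    if occurred is None or discovered is None:
        return None
    return (discovered - occurred).days


def audit_register(csv_text):
    """Validate every row of a CSV register and return a dict keyed by
    incident id (or row number when the id is blank)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_columns = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or [])]
    if missing_columns:
        raise ValueError(f"register lacks required columns: {missing_columns}")

    report = {}
    for index, row in enumerate(reader, start=1):
        key = row.get("incident_id", "").strip() or f"row-{index}"
        report[key] = {
            "findings": validate_entry(row),
            "detection_lag_days": detection_lag_days(row),
        }
    return report


if __name__ == "__main__":
    for incident_id, result in audit_register(SAMPLE_REGISTER).items():
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{incident_id}: lag={result['detection_lag_days']} {status}")
```

Running the checker over a real register before an audit surfaces the gaps an assessor would find (blank actions, missing recipients, swapped dates) while there is still time to correct them from the ticketing system or email records. The detection lag column is also a useful input to the follow-up reviews the last audit tip asks for.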
Cross-framework mappings
How ISM-1803 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (2)
| Control | Notes |
|---|---|
| Annex A 5.26 | ISM-1803 requires documentation of incident response actions per incident in a register |
| Annex A 6.8 | Annex A 6.8 requires defined channels to report security events and suspected weaknesses promptly |
E8
Partially overlaps (4)
| Control | Notes |
|---|---|
| E8-AC-ML2.9 | E8-AC-ML2.9 requires cyber security incidents to be reported promptly to the CISO (or delegate) |
| E8-MF-ML2.10 | ISM-1803 calls for an incident register capturing key incident details |
| E8-RA-ML2.11 | ISM-1803 requires an organisation to maintain a cyber security incident register with specific fields, including occurrence and discovery... |
| E8-AH-ML2.16 | ISM-1803 mandates the documentation of cyber security incidents in a register, including timing, details, actions, and reporting pathways |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.