Enact Cyber Security Incident Response Plans
When a cyber incident is identified, the organisation activates its response plan.
Plain language
Having a cyber security incident response plan in place and ready to go is like having a fire drill plan for emergencies. If a cyber attack happens and there’s no plan, the organisation could suffer extensive damage, financial losses, and harm to its reputation due to a delayed or ineffective response.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for cyber security incidents
Official control statement
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Why it matters
Delayed incident response can lead to prolonged breaches, escalating costs, data loss, and significant reputational harm.
Operational notes
Run incident response exercises and confirm triggers, roles and contacts so the plan is enacted immediately after incident identification.
Implementation tips
- The IT manager should create a detailed incident response plan. This plan should outline the steps the team will take when a cyber attack occurs, including identifying the roles and responsibilities of each team member.
- Business leaders should ensure all staff are trained on the incident response plan. This involves organising regular training sessions and simulations, so everyone knows what to do and where to find the plan during an actual event.
- The HR team should maintain an up-to-date contact list of all key personnel involved in the incident response. This list should be distributed to all relevant team members to ensure quick communications during an incident.
- The IT team should establish a clear communication plan. This involves specifying who will communicate with law enforcement, stakeholders, and potentially impacted customers during a cyber incident.
- The risk management team should routinely review and test the incident response plan. Use scenarios to test the plan, update it based on test outcomes, and ensure it aligns with the guidelines provided by the Australian Cyber Security Centre (ACSC).
Audit / evidence tips
- Ask for the documented incident response plan: check that it includes specific roles, actions and communication strategies for different types of incidents. Good evidence is a detailed, written plan that specifies responsibilities and is easily accessible to everyone who needs it.
- Ask for records of incident response training sessions. A good outcome is recent, dated records showing that all staff have attended training within the last year.
- Ask to see the up-to-date contact list for response team members: verify that it includes names, roles and multiple contact methods. Good documentation will show it is easily accessible and periodically reviewed to ensure accuracy.
Cross-framework mappings
How ISM-1819 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.24 | Partially meets | ISM-1819 requires that the incident response plan is enacted after a cyber security incident is identified |
| Annex A 5.28 | Supports | ISM-1819 requires the organisation to enact its cyber security incident response plan following identification of an incident |
E8
| Relationship | Number of E8 controls |
|---|---|
| Partially overlaps | 2 |
| Related | 4 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.