Timely Reporting of Cyber Incidents Involving Customer Data
Notify customers and the public promptly about cybersecurity incidents involving their data.
Plain language
If your business suffers from a cyber attack where customer data is exposed or stolen, this rule means you need to let your customers and the public know about it quickly. This is important because delaying such information can lead to worse outcomes, like financial harm or loss of trust, for both your customers and your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
Cyber security incidents that involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.
Why it matters
Delayed notification of incidents involving customer data can breach expectations, erode public trust, and increase customer fraud and privacy harm.
Operational notes
Define notification triggers and timeframes for incidents involving customer data; maintain customer/public comms templates and up-to-date contact channels to notify promptly.
Implementation tips
- Business owners should establish a response plan: Decide in advance who in your team will handle communications if there's a cyber incident. This includes identifying spokespeople and setting up a contact list of customers to notify.
- The IT team should set up monitoring systems: Continuously check for breaches or unusual activities that might indicate a cyber incident. You can use basic logging tools to detect these and must ensure they are active and reviewed regularly.
- The communications manager should prepare draft messages: Write template notices that can be quickly customised and sent out to customers in case of a breach. Make sure these messages are clear, concise, and explain what happened and what steps customers can take next.
- Managers should conduct regular training: Ensure all staff understand their role in the event of a cyber incident. Host yearly or bi-annual sessions to go over the incident response plan and ensure everyone knows who to report issues to.
- Assign a legal advisor to review obligations: Your legal team should keep you informed about the legal requirements for reporting data breaches, especially any changes. They can ensure your notification process complies with regulations like the Australian Privacy Act.
Audit / evidence tips
- Ask for the incident response plan: request documentation that outlines the steps to take during a cyber incident. Good: the plan lists roles, procedures, and communication channels.
- Ask for a list of recent incident reports: request to see logs or reports of any recent cyber incidents. Good: each report has a timeline and details of the notification sent.
- Ask for training records: request documents showing any recent staff training on cyber incident response. Good: records show regular training sessions with high participation rates.
- Ask for copies of customer notification templates: request examples of pre-written communication templates. Good: templates are ready to be customised with specifics and have been checked for legal compliance.
- Ask for logs or tools used for monitoring incidents: request to view logs or demonstrations of the monitoring tools in use for detecting breaches. Good: the setup shows regular checks and alerts being actioned promptly.
Cross-framework mappings
How ISM-1880 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.34 | Annex A 5.34 requires the organisation to identify and meet applicable legal, regulatory, and contractual requirements for privacy and pr... | |
| Annex A 6.8 | Annex A 6.8 requires mechanisms for prompt reporting of security events and suspected weaknesses through defined channels | |
| Supports (2) | | |
| Annex A 5.26 | ISM-1880 requires that incidents involving customer data are communicated externally to customers and the public in a timely manner | |
| Annex A 5.31 | ISM-1880 requires timely reporting to customers and the public for cyber incidents involving customer data | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.