Timely Reporting of Cyber Incidents Without Data Breach
Inform customers about cyber incidents quickly if no customer data is involved.
Plain language
This control is about making sure you tell your customers quickly if something goes wrong with your computer systems, even if their data isn’t at risk. This is important because being transparent can maintain trust and prevent any misunderstandings or rumours about your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
Cyber security incidents that do not involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.
Why it matters
Delays in reporting cyber incidents (without customer data involved) can fuel rumours, harm public trust and drive customer attrition.
Operational notes
Define triggers and timeframes to notify customers and the public of non-data cyber incidents; maintain comms templates, contacts and an approval workflow.
Implementation tips
- The IT manager should ensure that there is a clear process in place for identifying cyber incidents that do not involve customer data. This can be done by creating a checklist for the IT team to follow whenever they suspect an incident has occurred.
- Communication managers should prepare a template for notifying customers about non-data-breaching incidents. This template should be straightforward and focus on what happened, how it’s being fixed, and reassure them about their data.
- The IT team should conduct regular training for all staff on recognising potential cyber incidents. They can hold monthly workshops to ensure everyone knows what to look for and how to report it.
- The office manager should establish a protocol for the timeline of communicating with customers. This could involve setting a maximum of 48 hours from discovering an incident to notifying clients.
- The system owner should designate a specific point of contact within the organisation for cyber incident reporting. This person should be clearly identified so customers know who to speak with if they have concerns or questions.
Audit / evidence tips
- Ask: incident communication policies. Request the documents that detail how and when to notify customers of incidents.
  Good: includes clear procedures and specific timeframes for reporting.
- Ask: recent incident reports where no customer data was involved.
  Good: will show prompt communication, ideally within 48 hours.
- Ask: staff training records.
  Good: includes frequent, well-documented training sessions.
- Ask: to see the incident notification templates. Verify the templates for clarity and completeness.
  Good: will include easy-to-understand language, with sections for the incident summary, response actions, and customer reassurance.
- Ask: to speak with the designated incident contact person. Check they are aware of their responsibilities and are knowledgeable about the communication process.
  Good: includes confidence in their role and understanding of the protocol.
Cross-framework mappings
How ISM-1881 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 6.8 | Annex A 6.8 requires the organisation to provide defined channels for prompt reporting of security events and suspected weaknesses | |
| Depends on (1) | | |
| Annex A 5.24 | ISM-1881's timely reporting to customers and the public depends on the incident management planning and preparation required by Annex A 5.24 (roles, processes and communication procedures defined before an incident occurs) | |
E8
| Control | Notes | Details |
|---|---|---|
| Depends on (1) | | |
| E8-AH-ML2.16 | ISM-1881 requires timely reporting of cyber incidents (without customer data involvement) to customers and the public | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.