Information security incident management planning and preparation
Ensure your organisation is ready to manage security incidents with clear processes and responsible roles.
Plain language
This control is about getting ready to handle information security incidents. It's like having a fire drill plan, but instead of fire, it's for data breaches or hacking attempts. If you don't prepare, small problems can quickly become big disasters, potentially harming your reputation and finances.
Framework
ISO/IEC 27001:2022
Control effect
Proactive
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Why it matters
Without incident management planning, unclear roles and processes delay detection and containment, increasing impact, costs, reputational harm and compliance breaches.
Operational notes
Maintain incident playbooks, roles, escalation paths and contact lists; run regular tabletop drills and post-incident reviews to keep procedures current.
Implementation tips
- The IT manager should develop a clear incident response plan. They can do this by outlining the steps to take during an incident, including who should be contacted first, what actions to initiate, and how to document the incident. This should follow guidelines from ISO 27002:2022 and consider any specific Australian laws like the Privacy Act 1988.
- HR should identify and train appropriate team members for incident responses. This involves selecting staff who are capable and trustworthy, providing them with the right training and certification programs, and ensuring ongoing skill development to keep pace with current threats.
- The board should approve and support the incident management policy. Board members need to understand the policy implications and ensure there are enough resources, including budget and time, allocated for effective incident management within the organisation.
- The office manager can establish a simple reporting process for employees to follow. This could be as straightforward as creating an internal email address for reporting suspected security incidents or using an online form, ensuring alignment with ISO 27002:2022 standards.
- The IT team should implement systems to monitor and detect security incidents. They can use tools that alert them to suspicious activities. This involves setting up automated alerts and regularly reviewing logs to catch potential threats early.
Audit / evidence tips
- Ask for the incident response plan document.
- Ask to see incident reports from past security events. Review how the incidents were handled from start to finish, including communication and conclusion. Good reports are thorough, consistent, and demonstrate clear follow-up actions.
- Ask for documents outlining the reporting procedures for security incidents. Examine the clarity and accessibility of these procedures to staff. Good procedures are easy to understand and consistently prompt timely reporting and actions.
Cross-framework mappings
How Annex A 5.24 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Number of mapped controls |
|---|---|
| Partially meets | 1 |
| Depends on | 4 |
| Related | 3 |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-0123 | ISM-0123 requires cyber security incidents to be reported to the CISO (or delegate) as soon as possible after they occur or are discovered |
| Partially meets | ISM-0125 | ISM-0125 requires an organisation to develop, implement and maintain a cyber security incident register to record incidents |
| Partially meets | ISM-1019 | ISM-1019 requires a maintained DoS response plan for specific services to handle availability disruptions |
| Partially meets | ISM-1088 | ISM-1088 requires personnel to report potential compromises of mobile devices, removable media or credentials quickly, especially when ov... |
| Partially meets | ISM-1731 | ISM-1731 requires organisations to coordinate intrusion remediation from a separate system than the one compromised, addressing integrity... |
| Partially overlaps | ISM-0039 | ISM-0039 requires a cyber security strategy that is developed, implemented and maintained, which should include how the organisation prep... |
| Partially overlaps | ISM-0043 | ISM-0043 requires systems to have a cyber security incident response plan covering definitions, incident types and responses, reporting (... |
| Partially overlaps | ISM-0714 | Annex A 5.24 requires planning and preparation for incident management, including defining roles and responsibilities |
| Partially overlaps | ISM-0733 | Annex A 5.24 requires the organisation to define and communicate incident management processes and roles to be prepared to manage incidents |
| Partially overlaps | ISM-1576 | ISM-1576 requires that an organisation be immediately notified when a service provider performs unauthorised access or administration of ... |
| Partially overlaps | ISM-1618 | ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents |
| Partially overlaps | ISM-1625 | ISM-1625 requires the organisation to develop, implement and maintain an insider threat mitigation program to address threats from within... |
| Partially overlaps | ISM-1756 | ISM-1756 requires organisations to develop, implement and maintain vulnerability disclosure processes and procedures for reporting softwa... |
| Partially overlaps | ISM-1784 | Annex A 5.24 requires organisations to plan and prepare for managing information security incidents through defined, established, and com... |
| Partially overlaps | ISM-1997 | ISM-1997 requires the board or executive committee to define clear cyber security roles and responsibilities across the organisation |
| Partially overlaps | ISM-2006 | ISM-2006 requires the board/executive committee to plan and practise for major cyber security incidents (e.g |
| Supports | ISM-0137 | ISM-0137 requires legal advice to be sought before choosing to let intrusion activity continue to collect further data or evidence |
| Supports | ISM-0726 | Annex A 5.24 requires defined and communicated incident management processes and responsibilities to ensure organisational readiness |
| Supports | ISM-1478 | ISM-1478 requires the CISO to oversee the organisation’s cyber security program and ensure compliance with relevant policies and standards |
| Supports | ISM-1556 | ISM-1556 mandates credential resets and monitoring after high-risk travel |
| Supports | ISM-1717 | ISM-1717 requires an organisation to publish a `security.txt` file on each internet-facing website domain to facilitate responsible vulne... |
| Supports | ISM-1908 | ISM-1908 requires responsible, timely public disclosure of software vulnerabilities and inclusion of vulnerability classification informa... |
| Depends on | ISM-1881 | ISM-1881 requires timely reporting to customers and the public about cyber incidents that do not involve customer data |
| Related | ISM-1819 | Annex A 5.24 requires the organisation to plan and prepare for information security incidents by establishing and communicating incident ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.