Response to Information Security Incidents
Ensure security incidents are handled quickly and effectively following set procedures.
Plain language
This control is about being prepared to handle any security incidents, like a data breach, quickly and effectively. If these incidents aren't managed properly, they can lead to sensitive information being leaked, which can damage the organisation's reputation and result in legal penalties.
Framework
ISO/IEC 27001:2022
Control effect
Responsive
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Information security incidents shall be responded to in accordance with the documented procedures.
Why it matters
If incident response procedures are not followed, containment and recovery are delayed, increasing data loss, downtime, recovery costs, and stakeholder distrust.
Operational notes
Maintain documented incident response procedures (triage, containment, escalation, communications). Review after incidents and test via tabletop exercises; refresh staff training quarterly.
Implementation tips
- The IT manager should create a clear procedure for responding to security incidents. This includes defining who is responsible for what actions and ensuring these steps are documented and easily accessible. Use the guidance in ISO 27002:2022 to make sure you're covering everything necessary, like containing the incident and collecting evidence.
- Senior management must ensure that everyone in the organisation knows who to contact and what to do if they notice a security incident. Organise regular training sessions so that all team members understand the procedures and why they are important, in line with Australian Privacy Principles (APP).
- Appoint a designated incident response team that is competent and trained to handle security incidents effectively. This team should regularly practise incident response scenarios to build efficiency and confidence in real-world situations, following the guidance from ISO 27002:2022.
- Communicate with all relevant stakeholders during and after an incident. The IT manager should ensure that clear communication lines are established and that the business continuity plans are ready to be implemented when needed, as outlined under CPS 234.
- Regularly review and update your incident response procedures based on lessons learned from past incidents and changes in the technology landscape. This ensures the organisation remains compliant with any new guidance from ISO standards or changes in Australian legislation, such as updates from the OAIC.
Audit / evidence tips
- Ask: Request the documented information security incident response procedures.
  Good: Procedures should be comprehensive, regularly updated, and should clearly lay out all steps involved in responding to incidents.
- Ask: Ask for records of recent training sessions related to incident response.
  Good: Training records should show that all staff members were trained on incident response procedures within the past year.
- Ask: Obtain evidence of a designated incident response team and their training records.
  Good: The team should be made up of skilled individuals who have undergone specialised training within the last 12 months.
- Ask: Request communications or reports from past security incidents.
  Good: Incidents should have clear, timely communication logs detailing the issue and resolution actions taken.
- Ask: Request post-incident analysis reports from recent incidents.
  Good: Reports should detail a thorough analysis of each incident with actionable insights to improve future response efforts.
Cross-framework mappings
How Annex A 5.26 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
- Partially meets (5)
- Partially overlaps (2)
- Supports (2)
ASD ISM

Partially meets (3)

| Control | Notes |
|---|---|
| ISM-0917 | ISM-0917 defines a specific set of documented response steps for malicious code infections, including isolation, scanning media, removal,... |
| ISM-1300 | ISM-1300 requires a mandatory post-overseas-travel remediation sequence: sanitise and reset mobile devices (including removable media), d... |
| ISM-1609 | ISM-1609 requires consulting system owners before permitting continued intrusion for evidence gathering |

Partially overlaps (2)

| Control | Notes |
|---|---|
| ISM-1803 | ISM-1803 requires documentation of incident response actions per incident in a register |
| ISM-1956 | ISM-1956 necessitates rotating AD FS token-signing and encryption certificates twice in quick succession when compromise is suspected or ... |

Supports (12)

| Control | Notes |
|---|---|
| ISM-0043 | Annex A 5.26 requires information security incidents to be responded to in accordance with documented procedures |
| ISM-0123 | Annex A 5.26 requires incident response to follow documented procedures, which include internal notification and escalation steps |
| ISM-0137 | ISM-0137 requires organisations to seek legal advice before allowing an intrusion to continue for evidence collection purposes |
| ISM-0138 | ISM-0138 ensures evidence integrity through documented actions and chain of custody in line with law enforcement directions |
| ISM-0576 | Annex A 5.26 requires incidents to be responded to in line with documented procedures |
| ISM-1213 | ISM-1213 describes a specific post-remediation activity involving seven days of network traffic capture for threat eradication validation |
| ISM-1591 | Annex A 5.26 mandates incident responses adhere to documented procedures |
| ISM-1618 | Annex A 5.26 requires that incident response is executed in line with documented procedures |
| ISM-1784 | Annex A 5.26 requires responding to information security incidents in accordance with documented procedures |
| ISM-1880 | ISM-1880 requires that incidents involving customer data are communicated externally to customers and the public in a timely manner |
| ISM-1955 | ISM-1955 requires organisations to promptly change computer account credentials when compromise is suspected/confirmed, as well as on a 3... |
| ISM-2006 | ISM-2006 requires executives to plan for major cyber incidents and practise their response so they understand their duties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.