Cyber Incident Response Plan – Guidance and Template by Australian Cyber Security Centre

About this document – Context
The Australian Government defines cyber security as measures used to protect the confidentiality, integrity and availability of systems and information. A cyber incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.¹ Australian organisations are targeted by malicious cyber adversaries. The Australian Cyber Security Centre’s (ACSC) assessment is that malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, and sophistication. As adversaries become more adept, the likelihood and severity of cyber attacks are also increasing due to the interconnectivity and availability of information technology platforms, devices and systems exposed to the internet.
To illustrate the volume of cyber incidents occurring in Australia, the ACSC responded to over 1500 cyber security incidents between 1 July 2020 and 30 June 2021.² While many of the incidents reported to the ACSC could have been avoided or mitigated by good cyber security practices, such as implementation of ASD’s Essential Eight security controls, risks will still remain when organisations operate online.
Managing responses to cyber incidents is the responsibility of each affected organisation. All organisations should have a cyber incident response plan to ensure an effective response and prompt recovery in the event security controls don’t prevent an incident occurring. This plan should be tested and regularly reviewed.
To be effective, a cyber incident response plan should align with the organisation’s incident, emergency, crisis and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements. It should support personnel to fulfil their roles by outlining their responsibilities and all legal and regulatory obligations.
While organisations are responsible for managing incidents affecting their business, Australia’s Cyber Incident Management Arrangements (CIMA) outline the inter-jurisdictional coordination arrangements and principles for Australian governments’ cooperation in response to national cyber incidents.


The Cyber Incident Response Plan (CIRP) Template and the Cyber Incident Response Readiness Checklist (Appendix B) are intended to be used as a starting point for organisations to develop their own plan and readiness checklist.
Each organisation’s CIRP and checklist need to be tailored according to their unique operating environment, priorities, resources and obligations.
In addition to a CIRP, organisations can develop more detailed, day-to-day procedures to supplement the cyber incident response plan. This could include more detailed playbooks to aid response to common incident types, such as ransomware or data breaches, and standard operating procedures (SOPs) to respond to incidents affecting specific assets.
