SecurityPolicy.com.au
Home/ Australia/ Implement and Maintain/ Incident Response Policy
Australia Implement and Maintain Policy template Reviewed 2026-07-12

Incident Response Policy: A Plain-English Guide for Australian Businesses

20
Australian primary and forum sources cited
3
federal reporting regimes mapped
Why this guide exists

The strongest recurring demand is practical: what to do immediately, who to tell, and whether a legal clock has started. A high-demand question missing from the fixed 10 is how to communicate consistently with staff, customers, suppliers and media while facts are still changing.

What is an incident response policy, and does my business actually need one?

An incident response policy is the rulebook that says what counts as an incident, who must report it, who has authority to act, and which plan or playbook is activated. The policy is governance; the incident response plan and playbooks are the step-by-step operating instructions. There is no single Australian statute that requires every business of every size to use a document with this exact title, but ASD guidance says all organisations should have a cyber security incident response plan and regularly test and review it. Even where the Privacy Act does not apply, a practical response policy can still be needed for contracts, insurance, customer commitments, regulated activities and business continuity.

How this differs by situation
  • annual turnover A$3m or less — Most small businesses in this band are not covered by the Privacy Act, but important exceptions apply and ASD guidance still recommends an incident response plan.
  • Privacy Act-covered entity — The policy should connect directly to the Notifiable Data Breaches assessment and notification process.
  • customer, insurer or certification obligations — Contractual notification deadlines and evidence requirements may be stricter than the general legal baseline.
PUT THIS IN YOUR POLICY, EXACTLY

Purpose and scope. This policy establishes how [Business Name] identifies, reports, assesses, contains, investigates, communicates about, recovers from and learns from cyber security and data incidents. It applies to all workers, systems, information, locations and third parties handling our information. Anyone who suspects an incident must report it immediately through [primary channel] or [24/7 backup channel]. The Incident Lead may activate the Incident Response Plan and must preserve a record of decisions and actions.

What must it contain — the non-negotiable sections?

A usable policy should define scope, incident categories, reporting channels, activation authority, roles, severity levels, decision rights and links to the detailed response plan. It should also point to containment, evidence handling, recovery, legal and contractual notification, communications, third-party coordination, recordkeeping, training, exercises and review. Keep the policy stable and concise, then place technical detail in maintainable playbooks for events such as phishing, ransomware, data loss and compromised accounts. The non-negotiable test is whether a person can find the right contact, authority and next action when normal systems may be unavailable.

How this differs by situation
  • micro or owner-operated business — Roles may be combined, but primary and backup contacts, decision authority and external support details must still be explicit.
  • larger or multi-site business — Separate operational response, executive crisis management, communications, legal, privacy, HR and business recovery roles.
  • outsourced IT or managed service provider — The policy should distinguish the provider's technical tasks from the business's legal, customer, financial and risk decisions.
PUT THIS IN YOUR POLICY, EXACTLY

Minimum content. Our incident response arrangements must document: purpose and scope; definitions and severity criteria; immediate reporting channels; activation and stand-down authority; named primary and backup roles; 24/7 contact methods; containment, investigation, evidence, remediation and recovery pathways; legal, regulatory, contractual, insurer and customer notification assessment; internal and external communications; third-party coordination; incident records; post-incident review; training, exercising, approval and document control.

What does the law require — and how fast?

There is no universal Australian 72-hour rule for every incident. Under the Notifiable Data Breaches scheme, a covered entity must assess a suspected eligible data breach expeditiously and take all reasonable steps to complete the assessment within 30 days; once it has reasonable grounds to believe an eligible breach occurred, notification steps must be taken as soon as practicable. Separate regimes use different clocks, including 72 hours for a covered ransomware or cyber-extortion payment report and 12 or 72 hours for specified critical-infrastructure incidents. The Home Affairs ransomware factsheet uses conflicting wording at the A$3m turnover boundary, so an entity exactly at that threshold should check the underlying Rules rather than relying on a summary sentence.

How this differs by situation
  • Privacy Act-covered entity — Apply the NDB assessment and notification tests; the clock is not a blanket 72 hours.
  • around A$3m annual turnover — Privacy Act small-business coverage and ransomware-payment reporting use different tests; exceptions and boundary wording need separate checking.
  • responsible entity for critical infrastructure — SOCI incident reporting can require a report within 12 hours for significant impact or 72 hours for relevant impact.
  • regulated or contract-bound business — Sector regulators, licences, customer contracts and cyber-insurance policies may add shorter or parallel deadlines.
PUT THIS IN YOUR POLICY, EXACTLY

Notification clocks. The Legal/Regulatory Lead must start a notification assessment immediately and maintain a clock register for every potentially applicable law, regulation, contract, insurer condition and customer commitment. The register must record the trigger, clock start, deadline, decision, decision-maker, advice received and proof of submission. The business must not assume a universal 72-hour rule and must apply the shortest applicable deadline.

Who owns it, and who has to sign it off?

The business should own the policy; it should not be delegated wholly to an MSP, software vendor or insurer. A senior executive or owner should be accountable for the policy, an operational incident lead should command the response, and named specialists should own privacy, legal, communications, technology, people and recovery decisions. In a small company one person may hold several roles, but primary and backup authority must still be explicit. There is no blanket rule that every Australian business must obtain board sign-off, although boards, directors, licensees and regulated entities may have governance duties that make executive or board approval appropriate.

How this differs by situation
  • owner-operated business — The owner or managing director normally approves the policy and names a technical adviser plus an alternate decision-maker.
  • company with executives or a board — A senior risk owner should be accountable, with approval set by the organisation's governance and regulatory obligations.
  • outsourced technology — The provider may lead technical containment, but the business retains authority over legal reporting, ransom decisions, customer communications and risk acceptance.
PUT THIS IN YOUR POLICY, EXACTLY

Ownership and authority. The Policy Owner is [role]. The Incident Commander is [role], with [alternate role] as backup, and may activate the plan, direct urgent containment, engage approved external advisers and escalate to the Executive Response Team. [CEO/Managing Director/Board or delegated committee] approves this policy. Technology providers advise and perform authorised technical work; they do not replace the business's legal, regulatory, customer, financial or risk decision-makers.

How does it actually get used by the team?

The team uses the policy through a simple reporting rule, a reachable 24/7 escalation path and short playbooks rather than by reading a long document during a crisis. Staff should know how to recognise and report a suspected incident without first proving what happened. Named responders need role cards, clean backup communications, access to offline copies and practice through realistic exercises. A no-blame reporting culture matters because delay at the front line can consume the time needed for containment and legal assessment.

How this differs by situation
  • all workers — Teach one immediate reporting action and make clear that suspicion is enough to report.
  • incident responders — Provide role cards, contact trees, playbooks, decision logs and exercised backup communications.
  • suppliers and contractors — Contracts and onboarding should state who reports, through which channel, and within what contractual timeframe.
PUT THIS IN YOUR POLICY, EXACTLY

Report first. Any worker who notices or suspects an incident must immediately contact [channel] or [backup number]. The worker is not required to investigate, prove fault or obtain manager approval before reporting. No person will be penalised for a good-faith report. Only authorised responders may investigate, contain, communicate externally or alter affected systems.

What evidence proves it's real to an auditor or insurer?

A polished policy alone proves very little. Strong evidence includes approval and version history, role assignments, training records, exercise scenarios and results, incident tickets, a time-stamped decision log, preserved technical evidence, notification records, recovery validation and closure of corrective actions. The evidence should show both design and operation: the process exists, people know it, it has been tested, and weaknesses were fixed. Keep records securely and apply legal hold or preservation instructions before routine deletion, reimaging or log rotation destroys relevant material.

How this differs by situation
  • audit or certification — Show controlled documents, training, exercise results, incident registers, corrective-action tracking and management endorsement.
  • cyber insurance — Keep evidence of declared controls, notification to the insurer, approved advisers, decision records and compliance with policy conditions.
  • small business — A simple ticket register, annual exercise record, contact test and signed action list can demonstrate operation without an enterprise platform.
PUT THIS IN YOUR POLICY, EXACTLY

Records and evidence. Every incident and exercise must have a unique case identifier and a time-stamped record of reports, decisions, approvals, actions, evidence collected, people consulted, notifications, recovery checks, lessons and corrective actions. Records must be protected from unauthorised alteration or deletion. Where litigation, regulation, insurance or investigation is reasonably anticipated, the Incident Lead must seek advice on preservation and legal hold before data, devices, accounts or logs are deleted, reset or rebuilt.

How often must it be reviewed — and what triggers an off-cycle review?

There is no single statutory review interval that applies to every Australian business, but annual review and annual exercising are a defensible minimum baseline. Review and exercise are different: review checks whether the document, contacts and obligations are current, while an exercise tests whether people and systems can use them. An off-cycle review should follow a real incident, a significant exercise finding, major organisational or technology change, a changed supplier, a new threat, or a change to law, regulation, policy or jurisdiction. Record what changed, why, who approved it and when the next review is due.

How this differs by situation
  • ASD ISM-aligned — Exercise the policy and plan at least annually.
  • rapidly changing or high-risk business — Review contacts, suppliers, critical assets and notification obligations more frequently than annually.
  • after legal or regulatory change — Run an immediate targeted review of thresholds, clocks, regulator contacts and approval paths.
PUT THIS IN YOUR POLICY, EXACTLY

Review and exercise. This policy and the linked Incident Response Plan must be reviewed at least annually and exercised at least annually. An off-cycle review is required after any material incident, material exercise finding, significant change to systems, services, structure, personnel, suppliers or critical information, and any relevant change to law, regulation, contract, insurance or government guidance. Each review must record changes, owner, approver, approval date and next review date.

The common gaps and red flags?

Common red flags are a generic template with no named authority, stale contact details, no 24/7 backup path, no offline copy, and dependence on the same email or identity system that may be compromised. Other gaps include unclear supplier responsibilities, untested recovery, no evidence-preservation rule, no legal-clock register, inconsistent customer communications and a plan that has never been exercised. Technical weaknesses such as unnecessary exposed services, poor patching and weak logging can turn a manageable event into a prolonged incident. A policy is not credible if it assumes the MSP will make every decision or that staff will improvise under pressure.

How this differs by situation
  • small business — Watch for single-person dependency, router or remote-access exposure, missing logs, untested backups and no alternate communications.
  • cloud and SaaS-heavy business — Confirm who can suspend accounts, export logs, preserve data and contact the provider when the primary identity platform is unavailable.
  • managed service provider — Define notification, evidence, access, cooperation, subcontractor and decision-right obligations in the contract and plan.
PUT THIS IN YOUR POLICY, EXACTLY

Resilience requirements. The response process must not rely solely on corporate email, a single person, a single device or a single supplier contact. Primary and backup contacts, out-of-band communications, offline plan access, current system and supplier inventories, tested backups, sufficient logging, evidence-preservation steps and pre-approved escalation paths must be maintained and tested. Any material gap identified in an incident or exercise must be assigned an owner and due date and tracked to closure.

The first hour: what happens when it's invoked?

The first hour is about control, not certainty: acknowledge the report, appoint the incident lead, open a time-stamped log, classify the event and protect people and essential operations. Contain proportionately without destroying evidence, move responders to a clean communication channel if needed, and identify affected systems, information, suppliers and customers. Start the legal, regulatory, contractual and insurer clock assessment immediately, then contact the right technical, legal, privacy, executive and government support based on severity. Do not wipe devices, reimage systems, pay a demand or make confident public claims before authorised decision-makers have assessed the evidence and consequences.

How this differs by situation
  • low-severity or contained event — Log, validate, contain, preserve evidence and confirm whether escalation or notification assessment is required.
  • high-severity or uncertain event — Activate executive response, clean communications, external technical support, legal and privacy assessment, insurer contact and business continuity.
  • possible reportable incident — Record the earliest possible trigger time and assess every applicable reporting clock immediately.
PUT THIS IN YOUR POLICY, EXACTLY

First 60 minutes. On activation, the Incident Lead must: acknowledge the report; open the incident record and decision log; assign severity and roles; protect life, safety and critical operations; authorise proportionate containment; preserve relevant evidence and logs; establish a trusted backup communication channel where required; identify affected systems, information and third parties; begin legal, regulatory, contractual and insurer notification assessments; and brief the accountable executive. Destructive remediation, ransom payment and external statements require the approvals defined in the Incident Response Plan.

What's my next step?

Common misconceptions

  • Only businesses with turnover above A$3m need an incident response plan. INFERRED
  • Every Australian cyber incident must be reported to the OAIC within 72 hours. INFERRED
  • A written policy is sufficient even if the team has never exercised it. VERIFIED
  • The MSP owns the incident and can make all legal, customer, payment and risk decisions for the business. INFERRED
  • A ransomware demand by itself triggers the federal ransomware-payment reporting obligation even when no payment is made. VERIFIED
  • The safest first move is always to wipe or rebuild affected devices immediately. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Notifiable Data Breaches scheme Office of the Australian Information Commissioner A Privacy Act-covered entity has reasonable grounds to believe an eligible data breach occurred: unauthorised access to or disclosure of personal information, or loss likely to lead to unauthorised access or disclosure, where serious harm is likely and remedial action has not prevented that likely harm. Take all reasonable steps to complete a suspected-breach assessment within 30 days; once there are reasonable grounds to believe an eligible breach occurred, prepare the statement and notify the OAIC and affected individuals as soon as practicable. No automatic fixed fine for every breach. For serious or repeated interference with privacy, the maximum for a body corporate is the greatest of A$50m, three times the benefit obtained, or 30% of adjusted turnover during the breach turnover period where the benefit cannot be determined; the maximum for a person other than a body corporate is A$2.5m.
Ransomware and cyber-extortion payment reporting Department of Home Affairs A reporting business entity makes, or becomes aware that it has made, a ransomware or cyber-extortion payment, including a monetary or non-monetary benefit. A demand without payment is not reportable under this scheme. The Home Affairs factsheet uses both 'A$3m or more' and 'exceeds A$3m' for the turnover boundary, so the underlying Rules should be checked at exactly A$3m. Within 72 hours after making the payment or becoming aware the payment was made; scheme active from 2025-05-30.
Security of Critical Infrastructure cyber incident reporting Cyber and Infrastructure Security Centre A responsible entity for a critical infrastructure asset becomes aware of a specified cyber security incident that has a significant or relevant impact on the asset. Within 12 hours for a significant impact; within 72 hours for a relevant impact.

Sources

  1. Cybersecurity incident response planning — Practitioner guidance primary
  2. Guidelines for cyber security incidents primary
  3. Part 3: Responding to data breaches — four key steps primary
  4. Part 4: Notifiable Data Breach scheme primary
  5. What is a notifiable data breach? primary
  6. Small business and the Privacy Act primary
  7. Guide to privacy regulatory action — civil penalties primary
  8. Ransomware payment reporting factsheet primary
  9. Cyber Security Act primary
  10. Cyber and Infrastructure Security Centre regulatory obligations primary
  11. Market Integrity Update issue 163 — cyber risk and resilience primary
  12. ASIC cyber resilience resources primary
  13. Where to get help primary
  14. Supporting Australian organisations through a cyber security incident primary
  15. Important information sent to wrong email address forum
  16. Accidentally shared sensitive info and this triggered an IT alert forum
  17. Why isn't data privacy taken seriously? forum
  18. Australian companies predict AI will cut one in five entry-level roles forum
  19. Russian hacker opens bidding on Australian bank account and rental-application data forum
  20. Superloop small-business breach discussion forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.