Control: ism-0141; Revision: 7; Updated: Dec-22; Applicability: ALL; Essential Eight: N/A ​

The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.