Aligning cybersecurity incident response with the Australian Government Investigation Standards (AGIS) helps support prosecutions. This blog post outlines how organisations can integrate AGIS into their incident response capabilities to support lawful investigations, regulatory scrutiny, and internal accountability.
Understanding AGIS and its relevance to cybersecurity
The AGIS provides a framework for managing official investigations across government entities. While traditionally applied to criminal or administrative matters, its principles apply to cybersecurity when incidents involve potential criminal conduct, insider threats, data breaches, or integrity matters.
Key AGIS principles relevant to cyber incident response include:
- Chain of custody: Digital evidence must be collected, handled, and stored in a way that preserves its admissibility.
- Documentation and reporting: Investigations must be recorded comprehensively, supporting later review, escalation, or legal processes.
- Investigator competence: Personnel must have appropriate qualifications and understanding of digital forensics and incident management.
- Legal and ethical obligations: Investigations must comply with relevant laws, including the Privacy Act 1988 and the Surveillance Devices Act 2004.
AGIS is considered a baseline for legally defensible investigations. Cybersecurity teams operating within or on behalf of government agencies are expected to align practices with AGIS during serious incidents.
Embedding AGIS in cybersecurity incident response processes
Incorporating AGIS into cybersecurity investigations requires structured alignment across people, processes, and tools. Recommended strategies include:
- Update incident response plans/playbooks
- Define triggers for AGIS-aligned response (e.g. criminal activity, internal fraud, national security threats).
- Specify escalation pathways to legal, HR, and law enforcement as required.
- Enhance evidence handling procedures
- Train responders in digital evidence preservation, including hash validation, chain of custody logs, and write-blocking.
- Ensure incident response teams have appropriate qualifications to support investigations, e.g. Diploma of Investigations.
- Integrate forensic readiness practices into the incident lifecycle.
- Establish multidisciplinary teams
- Include legal counsel, governance leads, and certified investigators in serious incident response efforts.
- Define roles and responsibilities using AGIS-aligned templates.
- Audit and assurance integration
- Use AGIS criteria to assess incident response maturity and procedural adequacy.
- Implement regular post-incident reviews referencing AGIS compliance indicators.
Linking incident response with broader governance frameworks
There are additional benefits for government departments that align with AGIS including:
- Enhancing regulatory compliance under the PGPA Act and Protective Security Policy Framework.
- Enabling defensible decision-making under Freedom of Information and legal review.
- Supporting cross-agency investigations with consistent protocols.
Where relevant, agencies should align AGIS practices with their Information Security Manual (ISM) and incident classification policies.
Integrating AGIS into cybersecurity investigation practices strengthens legal defensibility, supports inter-agency cooperation, and uplifts governance maturity. Agencies and service providers should prioritise training, documentation, and procedural alignment to meet AGIS standards during serious incidents.