IR-7 / A.16.1.5 / CIS-17.1 NIST SP 800-53 Rev 5

24x7 coverage (in-house or MSSP)

Demonstrate that the organization maintains continuous security monitoring and incident response capability 24 hours per day, 7 days per week, through documented staffing arrangements, contractual agreements, or managed services with verifiable response times and escalation procedures.

Description

What this control does

This control establishes continuous monitoring and incident response capabilities through dedicated personnel or a Managed Security Service Provider (MSSP) available around the clock, every day of the year. Coverage includes real-time security event triage, alert investigation, escalation of confirmed incidents, and coordination of initial containment actions outside normal business hours. Organizations implement this through staffed Security Operations Centers (SOC), follow-the-sun support models, or contracted MSSP services with defined service level agreements specifying response times and communication protocols.

Control objective

What auditing this proves

Demonstrate that the organization maintains continuous security monitoring and incident response capability 24 hours per day, 7 days per week, through documented staffing arrangements, contractual agreements, or managed services with verifiable response times and escalation procedures.

Associated risks

Risks this control addresses

  • Delayed detection of active intrusions during nights, weekends, or holidays allowing adversaries extended dwell time to establish persistence and exfiltrate data
  • Ransomware or wiper malware spreading unchecked across the enterprise during off-hours when no security staff are available to isolate affected systems
  • Critical security alerts from SIEM, EDR, or IDS/IPS systems remaining unreviewed for 12+ hours, so that time-sensitive threat intelligence becomes actionable only after it is too late
  • Inability to coordinate emergency response activities with law enforcement, forensics providers, or business continuity teams during weekend or holiday incidents
  • Service outages or degraded operations remaining unaddressed when attacks target systems outside primary time zones or business hours
  • Compliance violations for regulated industries requiring continuous monitoring (financial services, healthcare, critical infrastructure) resulting in fines or sanctions
  • Loss of critical forensic evidence due to delayed preservation actions when log rotation or retention policies overwrite data before incident responders engage

Testing procedure

How an auditor verifies this control

  1. Request and review the organization's SOC staffing model documentation or MSSP contract specifying coverage hours, response times, and scope of monitored systems.
  2. Obtain and examine duty rosters, on-call schedules, or MSSP service delivery reports for the past 90 days to verify continuous coverage without gaps.
  3. Select a random sample of 10-15 security alerts generated during off-hours (nights, weekends, holidays) from SIEM or ticketing system logs.
  4. For each sampled alert, verify timestamps showing initial detection, analyst acknowledgment, investigation activities, and escalation or closure actions.
  5. Calculate the time elapsed between alert generation and first human response for each sample, comparing against documented SLA targets.
  6. Interview SOC manager or MSSP account representative to understand escalation paths, backup coverage procedures, and how staffing continuity is maintained during vacations or illness.
  7. Review incident response playbooks and verify they include procedures for engaging 24x7 monitoring staff and documented contact methods.
  8. Test the escalation chain by requesting evidence of after-hours incidents from the past six months, confirming appropriate personnel were notified and responded within defined timeframes.

Evidence required

Collect the MSSP contract or service agreement with defined coverage hours and SLAs, SOC staffing schedules or duty rosters covering the most recent 90-day period, security alert logs or SIEM query results showing off-hours event timestamps and analyst response times, incident tickets demonstrating after-hours triage and escalation, and interview notes or attestation letters from SOC leadership or the MSSP account manager confirming continuous operational capability.

Pass criteria

The control passes if documented arrangements (internal staffing or MSSP contract) explicitly specify 24x7x365 coverage, sampled security alerts from off-hours periods show analyst response within defined SLA timeframes, no coverage gap exceeds one hour during the review period, and escalation procedures are documented and demonstrably followed.
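As an added example (not part of the control text), the script below performs the step 5 calculation and the two measurable pass criteria over constructed ticket and roster data: it filters sampled alerts to off-hours detections, measures detection-to-acknowledgment time against an SLA, and scans an on-call roster for coverage holes longer than one hour. The 30-minute SLA, the 08:00 to 18:00 UTC weekday business hours, and every record are assumptions.

```python
from datetime import datetime, timedelta, timezone

SLA_MINUTES = 30                 # assumed SLA for first human response
MAX_GAP = timedelta(hours=1)     # pass criterion from the control: no gap over one hour
BUSINESS_HOURS = range(8, 18)    # assumed business hours (UTC), Monday to Friday

def ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)  # constructed, UTC

# Constructed ticket records: detection time and first analyst acknowledgment.
ALERTS = [
    {"id": "ALT-001", "detected": "2024-03-02T02:15", "acknowledged": "2024-03-02T02:27"},
    {"id": "ALT-002", "detected": "2024-03-03T23:40", "acknowledged": "2024-03-04T00:55"},
    {"id": "ALT-003", "detected": "2024-03-05T10:00", "acknowledged": "2024-03-05T10:05"},
    {"id": "ALT-004", "detected": "2024-03-06T20:10", "acknowledged": "2024-03-06T20:30"},
]

# Constructed on-call roster: (shift start, shift end).
ROSTER = [
    ("2024-03-01T16:00", "2024-03-02T08:00"),
    ("2024-03-02T08:00", "2024-03-02T16:00"),
    ("2024-03-02T18:30", "2024-03-03T02:00"),   # 2.5 h hole after the day shift
    ("2024-03-03T02:00", "2024-03-03T10:00"),
    ("2024-03-03T10:30", "2024-03-03T18:00"),   # 30 min hole, within tolerance
]

def is_off_hours(when):
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS

def response_minutes(alert):
    return (ts(alert["acknowledged"]) - ts(alert["detected"])).total_seconds() / 60

def off_hours_sla_breaches(alerts, sla_minutes=SLA_MINUTES):
    """Return ids of off-hours alerts acknowledged later than the SLA allows."""
    return [a["id"] for a in alerts
            if is_off_hours(ts(a["detected"])) and response_minutes(a) > sla_minutes]

def coverage_gaps(roster, max_gap=MAX_GAP):
    """Return (gap_start, gap_end) for every roster hole longer than max_gap."""
    shifts = sorted((ts(s), ts(e)) for s, e in roster)
    gaps, covered_until = [], shifts[0][1]
    for start, end in shifts[1:]:
        if start - covered_until > max_gap:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)   # tolerate overlapping shifts
    return gaps

def audit(alerts=ALERTS, roster=ROSTER):
    breaches, gaps = off_hours_sla_breaches(alerts), coverage_gaps(roster)
    return {"sla_breaches": breaches, "coverage_gaps": gaps, "passed": not (breaches or gaps)}
```

Feed it the real ticket export and roster to reproduce the auditor's sample calculation; any entry in `sla_breaches` or `coverage_gaps` is a finding against the pass criteria.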
