IR-4 / A.16.1.5 / CIS-17.9 NIST SP 800-61 Rev 2

Auto-isolation playbook in place

Demonstrate that the organization maintains and operationalizes an auto-isolation playbook capable of rapidly containing compromised assets in response to security incidents.

Description

What this control does

An auto-isolation playbook defines the automated or semi-automated procedures for disconnecting compromised systems, user accounts, or network segments from production environments upon detection of specific threat indicators. This playbook integrates with SOAR platforms, EDR tools, or SIEM systems to trigger containment actions based on predefined thresholds or analyst decisions. The control prevents lateral movement, data exfiltration, and further compromise by rapidly segmenting affected resources while maintaining forensic integrity and enabling recovery workflows.

Control objective

What auditing this proves

Demonstrate that the organization maintains and operationalizes an auto-isolation playbook capable of rapidly containing compromised assets in response to security incidents.

Associated risks

Risks this control addresses

Lateral movement by attackers across network segments due to delayed containment actions
Continued data exfiltration from compromised endpoints or accounts during prolonged incident response cycles
Escalation of ransomware propagation when infected hosts remain connected to file shares and domain controllers
Loss of forensic evidence when manual isolation procedures corrupt memory or alter system state
Excessive business disruption from ad-hoc isolation decisions lacking rollback or validation procedures
Insider threats maintaining persistent access when compromised accounts are not automatically disabled
Regulatory non-compliance for failure to contain data breaches within mandated timeframes

Testing procedure

How an auditor verifies this control

Obtain the current version of the auto-isolation playbook including approval history and revision dates.
Review playbook procedures to verify coverage of endpoint isolation, account suspension, network segmentation, and cloud resource quarantine scenarios.
Examine integration documentation showing connections between detection tools (SIEM, EDR) and orchestration platforms that execute isolation actions.
Select a sample of three security incidents from the past 12 months and trace the execution of auto-isolation procedures through ticketing system records and workflow logs.
Review automation rule configurations in SOAR or EDR platforms to confirm trigger conditions, authorization thresholds, and fallback procedures match documented playbook steps.
Interview security operations personnel to verify understanding of manual override procedures, false-positive handling, and escalation criteria.
Examine evidence of tabletop exercises or simulated incident tests validating the playbook's effectiveness within the past six months.
Verify playbook includes rollback procedures, business continuity coordination steps, and post-isolation validation checkpoints.

Evidence required Auditor collects the signed auto-isolation playbook document, SOAR/EDR automation rule exports showing configured triggers and actions, incident response tickets demonstrating playbook execution with timestamps and approvals, and tabletop exercise reports or simulation test results with participant attestations. Configuration screenshots showing network segmentation policies, firewall automation rules, and EDR quarantine settings provide technical validation of implemented capabilities.

Pass criteria The organization maintains a documented, approved auto-isolation playbook with evidence of successful execution during actual incidents or validated tests within the past six months, supported by operational integrations between detection and containment platforms.

Where this control is tested

Audit programs including this control

EDR Coverage Check

Are all endpoints actually covered by EDR, and is response automated? Quick coverage + tuning check.