Is there a process for keeping a contemporaneous decision log during an incident (who decided what, when, why)?
Description
What this control does
This control requires the organization to maintain a timestamped, attributable log of all significant decisions made during security incident response, including who authorized each decision, the rationale, alternatives considered, and the context at the time. The log must be contemporaneous—recorded during the incident rather than reconstructed afterward—to preserve accuracy and support post-incident review, legal defensibility, and regulatory compliance. Decision logs typically capture actions such as containment strategy selection, communication approvals, system shutdown authorizations, evidence preservation choices, and escalation decisions.
Control objective
What auditing this proves
Demonstrate that the organization maintains a structured, real-time decision log during security incidents that accurately captures decision-makers, timing, rationale, and contextual factors for all critical response actions.
Associated risks
Risks this control addresses
- Inability to reconstruct incident response timeline during legal proceedings or regulatory investigations due to missing or inconsistent decision records
- Unauthorized or poorly justified actions taken during high-pressure incidents that cannot be traced to accountable individuals
- Incomplete or inaccurate post-incident lessons-learned analysis because decision rationale was not documented contemporaneously
- Regulatory non-compliance with breach notification or incident reporting requirements that mandate detailed decision documentation
- Legal liability exposure when decisions to delay notification, preserve evidence, or shut down systems cannot be justified with documented reasoning
- Repeated tactical errors across incidents because decision patterns and outcomes are not captured for organizational learning
- Erosion of stakeholder trust when the organization cannot transparently explain incident response decisions to executives, customers, or regulators
Testing procedure
How an auditor verifies this control
- Request the incident response plan, playbooks, and procedures to identify documented requirements for decision logging during incidents
- Interview the incident response manager to understand the decision logging process, tools used, required fields, and training provided to responders
- Select a sample of three to five closed incidents from the past 12 months representing different severity levels and incident types
- For each sampled incident, obtain the decision log and verify it contains timestamped entries with decision-maker identity, action taken, rationale, and alternatives considered
- Cross-reference decision log entries against incident timeline artifacts such as ticketing systems, chat logs, email records, and system logs to confirm contemporaneous documentation
- Review at least one decision log entry for a critical decision (such as containment action, system shutdown, or external notification) and verify the rationale documents risk assessment and authorization chain
- Assess whether decision logs are stored in tamper-evident or immutable storage with access controls preventing post-incident alteration
- Examine evidence that decision logs were reviewed during post-incident retrospectives and that findings informed process improvements or training updates