When a major incident is declared, is there a single named decision-maker (often called Incident Commander) with authority to take the network offline, engage IR, and make ransom decisions?
Demonstrate that the organization has formally designated an Incident Commander with documented authority to make critical operational and financial decisions during major cybersecurity incidents.
Description
What this control does
This control requires designation of a single, named individual (Incident Commander or equivalent) who is empowered to make critical decisions during a declared major incident, including taking networks offline, authorizing incident response activities, and determining ransom payment positions. The Incident Commander role must be formally documented with clear delegation of authority, escalation paths, and decision-making boundaries to prevent paralysis during time-critical events. This control ensures accountability and rapid response when operational continuity, data integrity, or ransom demands are at stake.
Control objective
What auditing this proves
Demonstrate that the organization has formally designated an Incident Commander with documented authority to make critical operational and financial decisions during major cybersecurity incidents.
Associated risks
Risks this control addresses
- Delayed containment actions during active breaches due to unclear decision-making authority, allowing lateral movement and data exfiltration to continue
- Inconsistent or contradictory directives issued by multiple stakeholders during high-pressure incidents, leading to ineffective response
- Inability to execute network isolation or system shutdowns quickly due to the lack of a pre-authorized decision-maker, extending attacker dwell time
- Unauthorized or poorly considered ransom payments made without a defined authority framework, resulting in regulatory violations or wasted expenditure
- Legal and regulatory non-compliance when incident response actions are taken without proper authorization or documentation of the decision chain
- Post-incident blame diffusion and lack of accountability when no single individual owns critical response decisions
- Operational paralysis during ransomware attacks when executives are unreachable and no delegated authority exists for emergency actions
Testing procedure
How an auditor verifies this control
- Obtain the current incident response plan, major incident playbooks, and organizational crisis management procedures.
- Review documentation to identify the formally designated Incident Commander role, including name, title, contact information, and backup designees.
- Verify that the documented scope of authority explicitly includes network isolation/shutdown, incident response engagement, and ransom decision-making powers.
- Examine delegation-of-authority documents, board resolutions, or executive memos that formally grant decision-making powers to the Incident Commander role.
- Interview the designated Incident Commander to confirm understanding of the role, authority boundaries, escalation criteria, and decision-making protocols.
- Review records from past major incidents or tabletop exercises to verify the Incident Commander role was activated and exercised decision-making authority.
- Validate that communication protocols exist for rapidly notifying and activating the Incident Commander when a major incident is declared.
- Confirm that financial thresholds, legal consultation requirements, and board notification triggers are documented for ransom payment scenarios.