If your IT systems are completely encrypted/inaccessible, can your responders still access the playbook (printed binder, separate cloud account, etc.)?
Demonstrate that incident response playbooks and critical documentation are accessible through alternative means that remain functional when primary IT systems are encrypted, compromised, or inaccessible.
Description
What this control does
This control ensures that incident response playbooks and procedures remain accessible to responders even when primary IT systems are compromised, encrypted by ransomware, or otherwise unavailable. Organizations maintain offline or out-of-band copies of critical response documentation—such as printed binders, USB drives stored securely, playbooks hosted in separate cloud tenants with distinct credentials, or network-isolated repositories. This prevents scenarios where responders are locked out of the very instructions needed to recover from an attack that encrypts or disables core infrastructure.
Control objective
What auditing this proves
Demonstrate that incident response playbooks and critical documentation are accessible through alternative means that remain functional when primary IT systems are encrypted, compromised, or inaccessible.
Associated risks
Risks this control addresses
- Ransomware encrypts file shares and document repositories containing incident response playbooks, leaving responders without guidance during active encryption events
- Attackers compromise domain credentials and disable access to cloud-hosted playbooks stored in the same tenant as production systems
- Responders cannot retrieve contact lists, escalation procedures, or forensic collection steps because all documentation is stored on encrypted file servers
- Delayed incident response due to inability to access recovery procedures, extending attacker dwell time and increasing business impact
- Incomplete or incorrect response actions taken from memory when documented procedures are unavailable, leading to evidence destruction or regulatory non-compliance
- Dependency on compromised communication channels or authentication systems prevents coordination among distributed response teams during widespread outages
Testing procedure
How an auditor verifies this control
- Request the organization's list of all locations where incident response playbooks and critical IR documentation are stored, including both primary and alternative access methods
- Verify that at least one alternative storage method exists that does not depend on Active Directory authentication, corporate network access, or primary cloud tenant availability
- Inspect physical printed binders or offline media to confirm they contain current versions of IR playbooks, including page dates, version numbers, and revision history matching the latest digital versions
- Examine access controls for alternative storage locations (e.g., separate cloud accounts, offline repositories) to confirm credentials are managed independently from production systems and stored securely
- Review the document update procedure to verify that alternative copies are synchronized with primary playbooks when changes occur, including evidence of recent synchronization activities
- Conduct a tabletop exercise or simulated scenario where primary systems are assumed encrypted, and observe whether responders can successfully retrieve and reference playbooks from alternative sources
- Validate that alternative playbooks include critical information such as executive contact lists, vendor escalation numbers, communication templates, and technical recovery procedures—not just high-level process flows
- Confirm that the existence and location of alternative playbook copies are documented in the IR plan and communicated to all designated responders through training or onboarding materials
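As an added example (not part of this control text or any organization's tooling), a small Python check that turns the synchronization and independence steps above into evidence: it compares each alternative copy against the authoritative playbook by version label and content digest, flags alternates whose last synchronization is older than a threshold, and flags alternates that still depend on primary authentication. The playbook names, locations, versions and dates are constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

def sha256(text: str) -> str:
    """Digest of a playbook's content (constructed strings stand in for real files)."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample inventory. PRIMARY is the authoritative digital copy; ALTERNATES
# are the offline / out-of-band copies, each recorded with what it held at last sync.
PRIMARY = {
    "ransomware-response": {"version": "3.2", "digest": sha256("ransomware v3.2")},
    "executive-contacts":  {"version": "1.7", "digest": sha256("contacts v1.7")},
    "forensic-collection": {"version": "2.0", "digest": sha256("forensics v2.0")},
}
ALTERNATES = [
    {"location": "printed binder (SOC safe)", "independent_of_primary_auth": True,
     "last_sync": date(2024, 5, 1),
     "copies": {"ransomware-response": {"version": "3.2", "digest": sha256("ransomware v3.2")},
                "executive-contacts":  {"version": "1.6", "digest": sha256("contacts v1.6")}}},
    {"location": "secondary cloud tenant", "independent_of_primary_auth": False,
     "last_sync": date(2024, 6, 10),
     "copies": {"ransomware-response": {"version": "3.2", "digest": sha256("ransomware v3.2 draft")},
                "executive-contacts":  {"version": "1.7", "digest": sha256("contacts v1.7")},
                "forensic-collection": {"version": "2.0", "digest": sha256("forensics v2.0")}}},
]
AUDIT_DATE = date(2024, 6, 15)  # constructed date of the audit

def audit_alternates(primary, alternates, today, max_sync_age_days=30):
    """Return findings as (location, playbook, issue) tuples; empty list means no drift."""
    findings = []
    for alt in alternates:
        loc = alt["location"]
        if not alt["independent_of_primary_auth"]:
            findings.append((loc, "*", "depends on primary authentication/tenant"))
        if today - alt["last_sync"] > timedelta(days=max_sync_age_days):
            findings.append((loc, "*", "last sync older than %d days" % max_sync_age_days))
        for name, ref in primary.items():
            copy = alt["copies"].get(name)
            if copy is None:
                findings.append((loc, name, "missing"))
            elif copy["version"] != ref["version"]:
                findings.append((loc, name, "stale version %s (current %s)"
                                 % (copy["version"], ref["version"])))
            elif copy["digest"] != ref["digest"]:
                # Same version label but different content: an unsynchronized edit.
                findings.append((loc, name, "version label matches but content digest differs"))
    # The control fails outright if no alternate works without primary systems.
    if not any(a["independent_of_primary_auth"] for a in alternates):
        findings.append(("*", "*", "no alternate is independent of primary systems"))
    return findings

if __name__ == "__main__":
    for finding in audit_alternates(PRIMARY, ALTERNATES, AUDIT_DATE):
        print(*finding, sep=" | ")
```

Run against a real inventory, the digests would come from hashing the files on the offline media and the binder's recorded revision sheet rather than from constructed strings.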