Do you have written, scenario-specific playbooks (ransomware, data exfil, BEC, DDoS, supply-chain) — not just a generic IR plan?
Description
What this control does
This control requires the organization to maintain dedicated, scenario-specific incident response playbooks for high-impact threat patterns including ransomware, data exfiltration, business email compromise (BEC), distributed denial-of-service (DDoS), and supply-chain attacks. Unlike a generic IR plan that outlines broad phases and responsibilities, these playbooks provide step-by-step tactical guidance, decision trees, communication templates, and technical containment procedures tailored to the unique indicators, attacker tactics, and business impacts of each scenario. Scenario-specific playbooks reduce mean time to respond (MTTR), minimize human error during high-stress incidents, and ensure consistent execution of containment and recovery actions.
Control objective
What auditing this proves
Demonstrate that the organization maintains documented, scenario-specific incident response playbooks covering ransomware, data exfiltration, BEC, DDoS, and supply-chain attacks, distinct from the generic incident response plan.
Associated risks
Risks this control addresses
- Delayed containment of ransomware because responders are unsure whether to isolate systems, pay the ransom, or activate backups, with no clear decision criteria to guide them
- Failure to identify data exfiltration indicators because the playbook does not specify which logs to query or which egress anomalies signal active theft
- Ineffective response to BEC attacks when finance teams lack predefined validation workflows for wire transfer requests flagged as suspicious
- Uncoordinated DDoS mitigation resulting in prolonged outages when network and security teams lack agreed-upon traffic filtering and ISP coordination procedures
- Inability to detect or contain supply-chain compromise when the playbook does not define artifact integrity checks or vendor communication protocols
- Inconsistent evidence preservation across incidents leading to forensic gaps and regulatory non-compliance
- Escalation confusion during active incidents when the generic IR plan does not specify scenario-dependent notification thresholds or stakeholder lists
Testing procedure
How an auditor verifies this control
- Request all current incident response playbooks and the organization's generic incident response plan for comparison
- Verify that separate, named playbooks exist for at least ransomware, data exfiltration, BEC, DDoS, and supply-chain attack scenarios
- Review each playbook to confirm it includes scenario-specific indicators of compromise, attacker TTPs, and detection data sources (not just generic IR phases)
- Examine decision trees or response flowcharts within each playbook to validate that they provide tactical guidance (e.g., when to isolate network segments, which backups to restore, how to validate executive requests)
- Check that each playbook defines scenario-appropriate containment actions distinct from generic procedures (e.g., ransomware playbook specifies disabling domain admin accounts and segmenting backups)
- Confirm playbooks include scenario-specific communication templates and stakeholder lists (e.g., BEC playbook lists CFO and banking contacts; supply-chain playbook lists vendor security contacts)
- Interview two IR team members to verify they can locate and differentiate between playbooks and describe when each would be invoked
- Review playbook metadata or change logs to confirm each has been reviewed or updated within the past 12 months