Is there a current responder roster (names, roles, phone numbers, after-hours contacts) maintained outside your primary IT systems?
Description
What this control does
This control requires the organization to maintain an up-to-date incident response contact roster that is stored and accessible independently of the primary IT infrastructure. The roster must include responder names, assigned roles, primary phone numbers, and after-hours emergency contact methods. This out-of-band accessibility ensures that if the primary IT systems are compromised, unavailable, or destroyed during a cyber incident or disaster, incident response personnel can still coordinate and communicate effectively without relying on potentially inaccessible internal systems.
Control objective
What auditing this proves
Demonstrate that a current incident response roster containing names, roles, contact details, and after-hours availability is maintained in a location accessible when primary IT systems are unavailable or compromised.
Associated risks
Risks this control addresses
- During a ransomware attack or infrastructure outage, incident responders cannot locate contact information for critical team members, delaying containment and recovery activities
- Primary IT systems storing contact lists become inaccessible due to disaster, denial-of-service, or infrastructure failure, preventing coordination of response activities
- Outdated roster information leads responders to contact separated employees or incorrect phone numbers, wasting critical time during active incidents
- Attackers who have compromised internal systems delete or modify the contact roster to impede response coordination and prolong their access
- Legal or regulatory reporting deadlines are missed because communications personnel cannot be reached through compromised or unavailable internal systems
- Third-party incident response vendors or external stakeholders cannot reach internal responders when primary email and directory services are offline
- Management and board members cannot obtain incident status updates when all internal communication channels are compromised or unavailable
Testing procedure
How an auditor verifies this control
- Request a copy of the incident response contact roster from the information security or incident response manager.
- Verify the roster includes full names, assigned incident response roles, primary phone numbers, and documented after-hours or emergency contact methods for each responder.
- Confirm the roster storage location is external to primary IT systems by examining where the document is maintained (printed binder, personal devices, cloud service separate from corporate tenant, or third-party service).
- Review evidence of roster update procedures, including the documented update frequency requirement and the role responsible for keeping the roster current.
- Examine change logs, version history, or dated signatures to confirm the roster has been reviewed or updated within the past 90 days.
- Select three individuals from the roster and cross-reference their listed contact information against human resources records or self-attestation to verify accuracy.
- Confirm the roster is accessible to authorized personnel by requesting a demonstration of physical access (identifying who holds keys to the locked cabinet) or electronic access (credentials to the out-of-band storage location).
- Interview the incident response manager to confirm awareness of roster location and verify the roster would remain accessible if primary domain controllers, file servers, and collaboration platforms were unavailable.