Is there a documented incident response process exercised at least annually?
Demonstrate that the organization maintains a documented incident response process and conducts formal exercises at least annually to validate procedural effectiveness and personnel readiness.
Description
What this control does
This control requires the organization to maintain a documented incident response process that includes defined roles, communication procedures, detection and analysis workflows, containment strategies, eradication steps, recovery procedures, and post-incident review activities. The process must be formally exercised through tabletop exercises, simulations, or actual incident handling at least once per year to validate its effectiveness and ensure personnel familiarity. Exercising the process annually demonstrates operational readiness and surfaces gaps in procedures, tools, or personnel preparedness before a real incident occurs.
Control objective
What auditing this proves
Demonstrate that the organization maintains a documented incident response process and conducts formal exercises at least annually to validate procedural effectiveness and personnel readiness.
Associated risks
Risks this control addresses
- Delayed incident detection and response due to unfamiliar or untested procedures resulting in extended attacker dwell time
- Ineffective containment actions during active security incidents causing unnecessary data exfiltration or system compromise
- Breakdown in communication and coordination among incident response team members leading to duplicated effort or conflicting remediation actions
- Failure to preserve forensic evidence properly, preventing root cause analysis and undermining the organization's ability to meet legal or regulatory evidentiary requirements
- Inadequate stakeholder notification processes resulting in breach notification deadline violations and regulatory penalties
- Personnel turnover rendering the incident response plan ineffective when current responders are unfamiliar with the documented procedures and toolsets
- Undiscovered procedural gaps or resource deficiencies that only surface during actual high-pressure incident scenarios
Testing procedure
How an auditor verifies this control
- Obtain the current incident response plan or procedure document and verify it includes defined phases (preparation, detection/analysis, containment, eradication, recovery, post-incident activities), assigned roles, communication workflows, and escalation paths
- Review the document version history and approval records to confirm it has been formally approved by management and is maintained as a current operational procedure
- Request evidence of incident response exercises conducted within the past 12 months, including exercise invitations, agendas, scenario descriptions, and participant lists
- Examine exercise documentation such as tabletop exercise notes, simulation reports, or post-exercise meeting minutes to verify the exercise covered key incident response phases and involved appropriate personnel
- Review any action items, lessons learned, or improvement recommendations documented from the exercise and verify follow-up activities were assigned and tracked
- Interview a sample of incident response team members to assess their familiarity with the documented procedures and their roles during an incident
- Verify that exercise scenarios reflect realistic threats relevant to the organization's environment and technology stack
- Confirm that updates to the incident response plan resulting from exercise findings have been incorporated into the current version of the documentation