Control references: IR-1 / IR-3 / A.5.24 / A.5.25 / A.5.26
Frameworks: NIST SP 800-61 Rev 2 / ISO/IEC 27001:2022 Annex A / NIS2

Do you have a documented incident response plan tested at least annually (Art 21.2.b)?

Demonstrate that the organization maintains a current, comprehensive incident response plan that is formally tested at least annually with documented results and remediation of identified deficiencies.

Description

What this control does

This control mandates that the organization maintain a formally documented incident response plan that addresses cybersecurity events and crises, aligned with NIS2 Article 21.2.b requirements. The plan must define roles, communication protocols, containment procedures, recovery steps, and escalation criteria. Annual testing through tabletop exercises, simulations, or live drills ensures the plan remains effective, that personnel are trained, and that gaps are identified and remediated before a real incident occurs.

Control objective

What auditing this proves

Demonstrate that the organization maintains a current, comprehensive incident response plan that is formally tested at least annually with documented results and remediation of identified deficiencies.

Associated risks

Risks this control addresses

  • Uncoordinated response during active cybersecurity incidents leading to extended dwell time and increased impact
  • Failure to meet regulatory notification timelines (24-hour initial report, 72-hour detailed report under NIS2) due to unclear escalation procedures
  • Ineffective containment allowing lateral movement of attackers across network segments during breach events
  • Loss of critical evidence needed for forensic investigation due to undefined preservation procedures
  • Inability to restore essential services within recovery time objectives due to untested procedures
  • Personnel confusion and role ambiguity during high-stress incident scenarios causing response delays
  • Non-compliance with NIS2 cybersecurity risk-management measures resulting in regulatory penalties up to €10 million or 2% of global turnover

Testing procedure

How an auditor verifies this control

  1. Request the current version of the documented incident response plan including version history, approval signatures, and last review date
  2. Review the plan structure to verify it covers identification, containment, eradication, recovery, post-incident analysis, and notification procedures
  3. Examine role assignments within the plan to confirm designated incident response team members, escalation contacts, and external notification authorities (CSIRT, regulators, affected parties)
  4. Obtain records of all incident response tests conducted in the past 12 months including exercise type (tabletop, simulation, live drill), date, participants, and scope
  5. Analyze test documentation to verify that scenarios included technical incident response activities, rather than merely business continuity or disaster recovery scenarios
  6. Review after-action reports from each test to identify findings, gaps, improvement recommendations, and assigned remediation owners with deadlines
  7. Trace at least two findings from test reports to evidence of corrective action implementation such as plan updates, procedure changes, or training completion
  8. Interview at least three designated incident response team members to assess their familiarity with their assigned roles, access to the plan, and participation in recent testing

Evidence required

Collect the complete incident response plan document with metadata showing version control and annual review cycles. Obtain all testing records from the past 12 months including invitations, attendance lists, scenario descriptions, exercise injects, participant observations, and after-action reports with remediation tracking. Capture correspondence or meeting minutes showing management approval of the plan and acknowledgment of test results.

Pass criteria

A formally documented incident response plan exists, has been reviewed within the past 12 months, and was tested through at least one exercise in the past 12 months with documented results and evidence that identified gaps were remediated.