Do you have a written incident response plan with playbooks for common scenarios?
Description
What this control does
An incident response plan is a documented, formally approved process that defines roles, responsibilities, communication protocols, and technical procedures for detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents. Playbooks are scenario-specific sub-procedures that provide step-by-step instructions for common incident types such as ransomware, phishing, data breach, denial-of-service, or insider threats. The plan ensures consistent, timely, and effective incident handling while minimizing business impact, supporting forensic integrity, meeting regulatory notification requirements, and enabling continuous improvement through post-incident reviews.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current, comprehensive incident response plan with scenario-specific playbooks that are formally approved, accessible to response personnel, and aligned with operational capabilities.
Associated risks
Risks this control addresses
- Delayed incident detection and response due to unclear escalation paths and undefined triage procedures, allowing attackers additional dwell time to exfiltrate data or establish persistence
- Inconsistent or improvised response actions that destroy forensic evidence, fail to contain lateral movement, or inadvertently alert attackers to detection
- Failure to meet regulatory breach notification deadlines (for example the 72-hour supervisory-authority notification under GDPR Article 33, or the deadlines in US state breach notification laws) resulting in statutory penalties and increased legal liability
- Inadequate coordination between IT, legal, communications, and executive leadership causing contradictory public statements or premature disclosure
- Inability to restore operations efficiently due to missing recovery procedures, unclear asset prioritization, or outdated contact information for vendors and service providers
- Repeated exploitation of the same vulnerability class across incidents when lessons learned are not captured or incorporated into preventive controls
- Ransomware impact amplified by unclear decision frameworks regarding ransom payment, negotiation authority, and backup restoration sequencing
Testing procedure
How an auditor verifies this control
- Request and obtain the current version of the formal incident response plan and all associated playbooks, noting version numbers, approval dates, and authorized approvers
- Review the plan for completeness by verifying it includes incident classification schema, escalation criteria, role definitions with contact information, communication templates, evidence preservation procedures, and post-incident review requirements
- Identify the list of documented playbooks and confirm coverage of at least ransomware, phishing/business email compromise, data breach/exfiltration, denial-of-service, and insider threat scenarios
- Select two playbooks and analyze each for step-by-step procedures including detection indicators, containment actions, eradication steps, communication triggers, evidence collection checklists, and recovery validation criteria
- Interview three members of the incident response team across different roles (e.g., SOC analyst, IT operations, legal/compliance) to verify awareness of the plan location, familiarity with their assigned responsibilities, and ability to locate relevant playbooks
- Examine evidence of plan distribution by reviewing access logs to the repository where the plan is stored, or distribution records if hard copies are maintained, confirming appropriate personnel have access; also confirm that an out-of-band copy (printed or stored outside the primary environment) is available, since the repository itself may be unreachable during a ransomware or identity-provider outage
- Request records of the most recent tabletop exercise or incident simulation and verify it tested at least one documented playbook, produced after-action findings, and resulted in plan or playbook updates
- Trace one actual incident from the past 12 months and compare response actions taken against the procedures defined in the applicable playbook, identifying deviations and confirming documented justification for any variance