Do you have an IR retainer or breach coach pre-agreed?
Demonstrate that the organization has executed, funded, and operationalized retainer agreements or on-call arrangements with external incident response professionals that can be activated immediately during a cybersecurity incident.
Description
What this control does
An incident response (IR) retainer or breach coach agreement is a pre-negotiated contract with external legal counsel, forensic investigators, or a specialized IR firm that fixes scope, rates, response timelines, and communication protocols before an incident occurs. Because the terms are already agreed, expert resources can be engaged the moment an incident is declared, with no procurement delay. Where the technical responders are engaged through outside counsel, the arrangement can also help preserve attorney-client privilege and work-product protection over the investigation's findings; that protection depends on how the engagement is structured, so the breach coach should direct the forensic work rather than be added to it afterwards. Organizations activate retainers through predefined escalation procedures, so that external experts can begin work within hours rather than days or weeks.
Control objective
What auditing this proves
Demonstrate that the organization has executed, funded, and operationalized retainer agreements or on-call arrangements with external incident response professionals that can be activated immediately during a cybersecurity incident.
Associated risks
Risks this control addresses
- Delayed response to active breaches while legal or procurement departments negotiate vendor contracts, allowing attackers additional dwell time to exfiltrate data or destroy evidence
- Inability to secure qualified IR firms during widespread incidents (e.g., ransomware outbreaks) when all available vendors are already engaged with other victims
- Loss of attorney-client privilege and work-product protection when technical responders are engaged directly rather than through legal counsel, exposing investigation findings and forensic reports to discovery in litigation or regulatory proceedings
- Inadequate technical expertise applied to sophisticated attacks due to hurried selection of unfamiliar or unvetted response vendors during crisis conditions
- Unbudgeted emergency costs during incidents when rate negotiations occur under duress, leading to unfavorable financial terms or budget exhaustion
- Miscommunication of evidence preservation requirements to response teams unfamiliar with organizational systems, resulting in forensic contamination or regulatory non-compliance
- Regulatory reporting deadline failures when response coordination delays incident scoping and notification determinations
Testing procedure
How an auditor verifies this control
- Request and review all current incident response retainer agreements, breach coach engagement letters, and on-call service contracts
- Verify that each retainer agreement includes defined response time SLAs, escalation contact information, activation procedures, rate schedules locked for the contract term, and a clearly stated term and renewal date so that the agreement cannot lapse unnoticed
- Confirm that retainer agreements cover required capabilities including forensic analysis, malware reverse engineering, legal counsel with cybersecurity expertise, and regulatory notification support
- Interview the IR program manager to understand the activation process, including who has authority to engage retainer services and how contact information is maintained
- Examine evidence of retainer testing or activation within the past 12 months, such as tabletop exercise participation, test calls, or actual incident engagement
- Review financial records confirming that retainer fees are paid and current and that a budget allocation exists for incident-related expenses incurred under the agreement terms
- Validate that retainer contact information is included in incident response playbooks, on-call documentation, and emergency contact lists accessible to IR team members, including an out-of-band copy (for example, printed or held on a device outside the corporate network) that remains reachable when email, identity, or file services are unavailable during a ransomware or account-compromise incident
- Test retrieval of retainer agreements and contact details by asking IR team members, without advance notice, to locate and produce the activation instructions