IR-8 / A.5.24 / CIS-17.5 · NIST SP 800-61 Rev 2

Do you have a written ransomware-specific incident response plan?

Demonstrate that the organization has documented, approved, and operationally viable procedures specifically designed to detect, contain, eradicate, and recover from ransomware incidents with clearly defined roles, technical response steps, and decision-making authorities.

Description

What this control does

This control requires the organization to maintain a documented incident response plan specifically tailored to ransomware attacks, separate from or as a detailed appendix to the general incident response plan. The ransomware-specific plan must address unique characteristics of ransomware incidents including encryption spread prevention, backup validation and restoration procedures, ransom payment decision frameworks, law enforcement coordination, and communication protocols for extortion scenarios. This specialization matters because ransomware incidents follow distinct attack patterns requiring rapid containment, have unique legal and financial considerations, and demand pre-established relationships with forensic vendors, negotiators, and regulatory bodies that generic incident response plans do not adequately cover.

Control objective

What auditing this proves

Demonstrate that the organization has documented, approved, and operationally viable procedures specifically designed to detect, contain, eradicate, and recover from ransomware incidents with clearly defined roles, technical response steps, and decision-making authorities.

Associated risks

Risks this control addresses

  • Delayed containment allowing lateral movement and encryption of additional systems due to lack of pre-defined network segmentation procedures
  • Loss of critical business data through attempted recovery without validated backup integrity verification steps
  • Regulatory violations or litigation exposure from improper evidence handling, notification delays, or undocumented ransom payment decisions
  • Extended downtime due to lack of pre-identified critical system recovery priorities and restoration sequencing
  • Ineffective ransom negotiation or payment resulting from absence of pre-established cryptocurrency acquisition procedures and approved negotiator contacts
  • Reinfection through incomplete eradication caused by lack of documented persistence mechanism identification and removal procedures
  • Communication breakdowns during crisis when media, customers, and regulators demand updates without pre-approved messaging templates and spokesperson designation

Testing procedure

How an auditor verifies this control

  1. Request the current ransomware-specific incident response plan document and verify it has been formally approved with signatures, dates, and version control information.
  2. Review the plan structure to confirm it includes dedicated sections for ransomware detection indicators, containment procedures, eradication steps, recovery sequencing, and post-incident activities specific to encryption and extortion scenarios.
  3. Examine the plan for evidence of ransomware-specific technical procedures including network isolation protocols, Domain Controller protection steps, backup validation methods, and safe restoration processes from potentially compromised backups.
  4. Verify the plan identifies pre-designated roles with 24/7 contact information for ransomware response including incident commander, legal counsel, forensics vendor, ransomware negotiator, and law enforcement liaison.
  5. Assess whether the plan contains decision-making frameworks with authority levels for ransom payment consideration, regulatory notification triggers, and business continuity activation thresholds.
  6. Interview three incident response team members to confirm they can locate the plan, describe their specific ransomware response responsibilities, and explain at least two procedures unique to ransomware versus other incidents.
  7. Review evidence of plan testing through tabletop exercises or simulations conducted within the past 12 months specifically using ransomware attack scenarios, including documentation of lessons learned and subsequent plan updates.
  8. Cross-reference the ransomware plan against actual backup and recovery procedures to validate that documented restore processes align with technical capabilities and tested recovery time objectives.

Evidence required

The auditor collects the complete ransomware incident response plan document with approval signatures and metadata; contact rosters showing designated ransomware response roles with current phone numbers and escalation paths; tabletop exercise reports or simulation results from the past 12 months demonstrating plan validation; photographs or screenshots showing that the plan is accessible to response team members; and change logs showing plan updates following tests or actual incidents. Additionally, collect interview notes documenting team member awareness and procedural knowledge, plus the technical procedure documentation referenced by the plan, such as network isolation runbooks and backup restoration guides.

Pass criteria

The control passes if all three of the following hold: a formally approved, ransomware-specific incident response plan exists with documented procedures addressing detection, containment, eradication, recovery, and decision-making unique to ransomware scenarios; the plan has been tested within the past 12 months with documented results; and sampled incident response personnel demonstrate working knowledge of their ransomware-specific roles and can access the plan during an incident.