Do you have a retainer or pre-agreed contract with an incident response firm?
Description
What this control does
This control requires the organization to establish and maintain a formal legal and commercial arrangement with a third-party incident response firm before a security incident occurs. The retainer or pre-agreed contract ensures immediate access to specialized expertise, a predefined scope of services, agreed-upon response timeframes, and established pricing during a crisis. Putting this arrangement in place in advance eliminates the procurement delays, legal negotiation friction, and resource uncertainty that would otherwise impede effective incident containment and recovery when every minute counts.
Control objective
What auditing this proves
Demonstrate that the organization has secured contractual access to external incident response expertise through a current retainer or pre-negotiated agreement that can be activated without procurement delays during a security incident.
Associated risks
Risks this control addresses
- Delayed incident containment due to procurement processes requiring days or weeks to engage external expertise during active breaches
- Unavailability of qualified incident response firms when multiple organizations compete for limited resources during widespread attacks or zero-day exploitations
- Excessive costs from emergency engagement rates that can be 2-3x higher than pre-negotiated retainer pricing during crisis situations
- Legal and contractual disputes over scope, liability, and data access during active incidents when immediate forensic access is critical
- Inadequate vetting of incident response providers during emergency selection, leading to engagement of firms that lack the necessary certifications or clearances
- Breach notification deadline failures due to time spent identifying and onboarding external responders rather than executing response activities
- Loss of forensic evidence integrity when inexperienced internal teams attempt containment while waiting for external assistance
Testing procedure
How an auditor verifies this control
- Request and obtain copies of all current incident response retainer agreements or pre-negotiated contracts with external firms
- Verify the contract's effective dates and renewal terms, and confirm the agreement is currently active rather than expired or in a grace period
- Review the scope of services defined in the contract including forensics, malware analysis, threat hunting, legal support, and crisis communications
- Examine response time commitments and escalation procedures specified in the agreement, including initial response SLAs and on-site arrival timeframes
- Confirm the contract includes predefined fee structures, hourly rates, and any retainer credits or prepaid hours available for immediate activation
- Validate that the contracted firm maintains relevant certifications such as GIAC forensics credentials, CREST accreditation, or industry-specific clearances required for your environment
- Interview the incident response team lead to confirm awareness of the retainer terms, activation procedures, and recent coordination activities with the contracted firm
- Review evidence of periodic engagement with the retained firm such as tabletop exercises, contact list updates, or annual relationship reviews conducted within the past 12 months