If you got hacked tomorrow, do you have a basic plan: who calls who, what’s your IT/IR contact, who tells customers?
Description
What this control does
This control ensures the organization maintains a documented incident response plan that defines roles, responsibilities, and communication protocols for cybersecurity incidents. The plan must specify who initiates the response, escalation paths to IT and incident response teams, and procedures for notifying affected customers, regulators, and other stakeholders. A functional incident response plan reduces response time, limits damage, ensures legal compliance with breach notification laws, and maintains stakeholder trust during security events.
Control objective
What auditing this proves
Demonstrate that the organization has documented, assigned, and tested incident response procedures including internal escalation contacts, external incident response resources, and customer notification protocols.
Associated risks
Risks this control addresses
- Delayed containment and eradication because nobody is sure whom to escalate to or who can authorize action, allowing attackers prolonged access to systems and data
- Failure to notify regulators and affected customers within legally mandated timeframes (e.g., GDPR's 72-hour deadline for notifying the supervisory authority, and notification of affected individuals without undue delay), resulting in regulatory fines and legal liability
- Inconsistent or unauthorized public communications during a breach, causing reputational damage and loss of customer confidence
- Critical response personnel unavailable or unreachable due to outdated contact information, extending incident duration
- Evidence spoliation or improper forensic handling due to untrained staff taking ad-hoc response actions without guidance
- Ransomware spread across the environment while teams debate who has authority to isolate systems or engage external IR firms
- Regulatory non-compliance with sector-specific requirements (HIPAA, PCI DSS, state breach notification laws) due to missing or untested notification procedures
Testing procedure
How an auditor verifies this control
- Request and review the current incident response plan document, noting version date, approval signatures, and distribution list
- Verify the plan explicitly identifies incident response team members by name, role, and current contact information (phone, email, alternate channels)
- Confirm the plan includes documented escalation paths from initial detection through executive leadership and specifies decision-making authority for containment actions
- Identify and verify documented contact information for external incident response retainers, forensics firms, legal counsel, and cyber insurance carriers
- Review customer notification procedures for completeness, including trigger criteria, approval workflows, communication templates, and timeline requirements aligned with applicable breach notification laws
- Interview at least two personnel named in the plan to confirm they are aware of their roles and can locate the plan documentation when needed
- Examine records of incident response plan testing or tabletop exercises conducted within the past 12 months, including participant lists and lessons learned
- Validate the plan addresses after-hours and weekend incident scenarios with clearly defined on-call responsibilities or third-party monitoring arrangements