Documented IR plan
Demonstrate that the organization maintains a current, comprehensive, formally approved incident response plan that defines detection, analysis, containment, eradication, recovery, and post-incident activities with clear roles, procedures, and communication protocols.
Description
What this control does
An incident response (IR) plan is a documented, formally adopted procedure that defines roles, responsibilities, communication protocols, escalation paths, and technical steps to detect, contain, eradicate, recover from, and learn from cybersecurity incidents. The plan typically includes contact lists, decision trees, evidence preservation procedures, legal and regulatory notification requirements, and integration points with business continuity and disaster recovery processes. A well-maintained IR plan reduces mean time to detect and respond, limits blast radius, ensures compliance with breach notification laws, and provides a shared operational playbook that prevents ad-hoc decision-making during high-pressure events.
Associated risks
Risks this control addresses
- Delayed detection and containment of breaches due to lack of predefined detection criteria and escalation thresholds
- Inconsistent or chaotic response activities resulting in evidence spoliation, regulatory non-compliance, or expanded attacker dwell time
- Failure to notify affected parties, regulators, or law enforcement within legally mandated timeframes
- Inability to coordinate across technical, legal, communications, and executive teams during a crisis, leading to conflicting actions
- Prolonged service disruption because recovery procedures and system restoration priorities are not documented or rehearsed
- Loss of forensic evidence through improper handling, chain-of-custody failures, or destructive remediation actions
- Repeated incidents exploiting the same attack vector because lessons learned are not captured or applied systematically
Testing procedure
How an auditor verifies this control
- Request the current incident response plan document, including version number, approval signatures, and last revision date.
- Verify the plan defines incident classification criteria, severity levels, and escalation thresholds with specific technical indicators or business impact metrics.
- Confirm the plan identifies the incident response team structure, including role names, current personnel assignments, primary and backup contact details, and decision-making authority.
- Review documented procedures for each IR phase: detection and analysis, containment strategy, eradication steps, recovery validation, and post-incident review.
- Examine communication protocols, including internal notification trees, external stakeholder contact procedures, legal counsel engagement triggers, and regulatory reporting timelines aligned with applicable breach notification laws.
- Validate integration points with related plans, such as business continuity, disaster recovery, crisis management, and legal hold procedures, including cross-references or joint exercises.
- Interview a sample of incident response team members to assess familiarity with plan contents, their assigned roles, and access to the plan during an actual incident.
- Trace evidence of plan review and update cycles, including change logs, post-incident review findings incorporated into the plan, and annual or event-driven revision records.
Where this control is tested