IR plan + tabletop within last 12 months
Demonstrate that the organization maintains a current incident response plan and conducts annual tabletop exercises to validate preparedness and improve response capability.
Description
What this control does
This control requires an organization to maintain a documented incident response (IR) plan and conduct at least one tabletop exercise within the preceding 12 months. The IR plan defines roles, responsibilities, communication protocols, escalation paths, and technical procedures for detecting, analyzing, containing, eradicating, and recovering from security incidents. Tabletop exercises simulate realistic incident scenarios to validate plan effectiveness, train response personnel, identify procedural gaps, and refine coordination among stakeholders without disrupting production systems.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current incident response plan and conducts annual tabletop exercises to validate preparedness and improve response capability.
Associated risks
Risks this control addresses
- Incident response team members execute conflicting or outdated procedures during an active breach, extending attacker dwell time and increasing data loss
- Critical stakeholders (legal, PR, executive leadership) are not engaged during a breach because notification procedures were never tested, resulting in regulatory penalties and reputational damage
- Response personnel lack familiarity with tools, escalation paths, or evidence-preservation techniques, causing destruction of forensic artifacts and loss of prosecution opportunity
- Dependencies on unavailable third-party services or personnel are discovered only during an active incident, delaying containment by hours or days
- Ambiguous authority or role definitions cause coordination failures and decision paralysis during time-sensitive containment actions
- Outdated contact information or communication channels prevent timely notification of affected customers, partners, or regulators, triggering breach notification penalties
- Backup restoration procedures are never exercised, so their gaps and untested steps go undetected until a real incident, preventing recovery and extending business disruption
Testing procedure
How an auditor verifies this control
- Request the current incident response plan document and verify it includes defined roles, responsibilities, communication procedures, escalation criteria, and technical response workflows.
- Review the IR plan version history or approval metadata to confirm the document has been reviewed or updated within the last 12 months.
- Request documentation of all tabletop exercises conducted in the prior 12 months, including invitations, agendas, scenario descriptions, participant lists, and facilitator guides.
- Examine tabletop exercise attendance records to verify participation by key stakeholders including IT, security, legal, communications, and executive leadership.
- Review tabletop exercise after-action reports or debrief summaries to identify documented findings, gaps, and improvement recommendations.
- Trace at least two findings from the tabletop exercise to subsequent updates in the IR plan or related procedures, confirming the exercise informed plan improvements.
- Interview three incident response team members to assess their familiarity with IR procedures, roles, escalation paths, and tools covered in the tabletop exercise.
- Validate that the tabletop scenario included realistic elements such as ransomware, data exfiltration, supply chain compromise, or insider threat, and that the scenario aligns with the organization's threat profile.
Where this control is tested