Mean-Time-To-Respond tracked
Demonstrate that the organization systematically tracks, measures, and analyzes mean-time-to-respond for security incidents, maintains historical trend data, and uses this metric to drive continuous improvement of incident response processes.
Description
What this control does
Mean-Time-To-Respond (MTTR) is a key performance indicator that measures the elapsed time from when a security incident is detected to when containment, eradication, or recovery actions are completed. Organizations establish baseline MTTR targets for different incident severity levels, continuously track actual response times through ticketing or SIEM systems, and use this data to identify bottlenecks, optimize runbooks, and demonstrate security operations maturity. This control ensures that incident response effectiveness is measurable, trending data informs process improvements, and the organization can substantiate response capability claims to auditors, regulators, and clients.
Control objective
What auditing this proves
Demonstrate that the organization systematically tracks, measures, and analyzes mean-time-to-respond for security incidents, maintains historical trend data, and uses this metric to drive continuous improvement of incident response processes.
Associated risks
Risks this control addresses
- Undetected degradation in incident response performance allows attackers extended dwell time to exfiltrate data or establish persistence
- Lack of objective metrics prevents identification of process bottlenecks, leaving inefficient handoffs or escalation delays unaddressed
- Absence of MTTR tracking prevents the organization from meeting contractual SLAs or regulatory response-time obligations
- Inability to measure response effectiveness undermines justification for security staffing, tooling investments, or process changes
- Inconsistent incident handling without time-based accountability increases the likelihood of incomplete containment or incomplete evidence preservation
- Lack of trending data prevents security leadership from recognizing seasonal patterns, resource gaps, or training deficiencies
- Untracked response times obscure the impact of ransomware or destructive attacks that exploit delays between detection and containment
Testing procedure
How an auditor verifies this control
- Obtain the organization's defined MTTR policy or standard, including target response times for each incident severity tier and the calculation methodology (e.g., time-to-containment, time-to-resolution).
- Identify the systems or tools used to track incident timestamps (e.g., SIEM, ticketing platform, incident response platform) and request access credentials or data exports.
- Request a report or dashboard showing MTTR calculations for the trailing 12 months, segmented by incident severity, type, or business unit.
- Select a judgmental sample of 10-15 closed incidents spanning multiple severity levels and verify that detection, response initiation, containment, and closure timestamps are accurately recorded.
- Recalculate MTTR for the sample using original incident records to confirm the organization's calculation methodology is applied consistently and correctly.
- Review evidence that MTTR data is regularly reported to security leadership or governance bodies, such as monthly SOC reports, quarterly briefings, or annual metrics reviews.
- Examine documented examples where MTTR analysis led to process improvements, such as playbook revisions, automation deployments, or staffing adjustments.
- Verify that MTTR targets are periodically reviewed and adjusted based on threat landscape changes, business criticality, or regulatory requirements.
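A small recalculation of a sampled incident export in Python, added here as an illustration and not taken from the control text or any particular tool; the incident records, field names and per-tier containment targets are constructed for the example. It computes time-to-containment and time-to-resolution per severity tier, sets aside records whose timestamps are missing or out of order instead of averaging them in, and lists incidents that exceeded their tier target.

```python
from datetime import datetime
from statistics import mean

# Constructed sample export from a ticketing system (ISO-8601 timestamps).
# INC-1004 lacks a containment time and INC-1005 has it before detection:
# the kinds of record defect the auditor's recalculation step is meant to find.
FIELDS = ("id", "severity", "detected", "contained", "closed")
INCIDENTS = [dict(zip(FIELDS, row)) for row in [
    ("INC-1001", "high", "2024-03-01T09:00", "2024-03-01T11:30", "2024-03-02T17:00"),
    ("INC-1002", "high", "2024-03-05T14:00", "2024-03-05T20:00", "2024-03-06T10:00"),
    ("INC-1003", "critical", "2024-03-10T02:15", "2024-03-10T02:45", "2024-03-10T08:15"),
    ("INC-1004", "medium", "2024-03-12T08:00", "", "2024-03-12T12:00"),
    ("INC-1005", "medium", "2024-03-15T10:00", "2024-03-15T09:30", "2024-03-16T10:00"),
]]
# Constructed time-to-containment targets per severity tier, in hours.
TARGETS_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}

def validate(inc):
    """Return the record defects that make an incident unusable for MTTR."""
    missing = [f"missing {f}" for f in FIELDS[2:] if not inc.get(f)]
    if missing:
        return missing
    d, c, x = (datetime.fromisoformat(inc[f]) for f in FIELDS[2:])
    return (["contained before detected"] if c < d else []) + (
        ["closed before contained"] if x < c else [])

def hours_to(inc, milestone):
    """Elapsed hours from detection to the given milestone ("contained" or "closed")."""
    delta = datetime.fromisoformat(inc[milestone]) - datetime.fromisoformat(inc["detected"])
    return delta.total_seconds() / 3600

def mttr_by_severity(incidents, milestone="contained"):
    """Mean hours from detection to `milestone` per tier, plus the excluded records.
    milestone="contained" gives time-to-containment, "closed" time-to-resolution."""
    buckets, excluded = {}, {}
    for inc in incidents:
        defects = validate(inc)
        if defects:
            excluded[inc["id"]] = defects  # reported, never silently averaged in
            continue
        buckets.setdefault(inc["severity"], []).append(hours_to(inc, milestone))
    return {sev: round(mean(h), 2) for sev, h in buckets.items()}, excluded

def target_breaches(incidents, targets=TARGETS_HOURS):
    """IDs of valid incidents whose time-to-containment exceeded the tier target."""
    return sorted(inc["id"] for inc in incidents
                  if not validate(inc) and hours_to(inc, "contained") > targets[inc["severity"]])
```

Comparing the per-tier means against the organization's own dashboard figures, and checking that the excluded records are the same ones its methodology omits, is the consistency check the sampling step calls for.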
Where this control is tested