IR-4 / A.16.1.5 / CIS-17.3 / NIST SP 800-61 Rev 2

Runbooks for top 10 alert types

Description

What this control does

This control requires the Security Operations Center (SOC) to maintain documented runbooks for the ten most frequently triggered alert types in the organization's security monitoring infrastructure. Each runbook must include triage procedures, investigation steps, escalation criteria, containment actions, and resolution workflows. These playbooks standardize incident response, reduce mean time to respond (MTTR), and ensure consistent handling of common security events regardless of analyst experience level.

Control objective

What auditing this proves

Demonstrate that the organization maintains current, actionable runbooks for its most common alert types and that SOC personnel follow these procedures during incident response activities.

Associated risks

Risks this control addresses

  • Inconsistent incident response leading to undetected lateral movement or privilege escalation during active intrusions
  • Delayed containment of critical security events due to analysts lacking clear procedural guidance
  • Escalation failures where junior analysts fail to recognize indicators requiring immediate senior involvement
  • Alert fatigue causing analysts to dismiss legitimate threats when handling repetitive alerts without structured workflows
  • Loss of institutional knowledge when experienced analysts depart without documented investigation procedures
  • Incomplete evidence collection during incident response compromising forensic analysis and root cause determination
  • Regulatory compliance failures when incident handling procedures are undocumented or inconsistently applied

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's SIEM or security monitoring platform alert volume report for the trailing 90 days and identify the ten alert types with the highest trigger frequency.
  2. Request the current runbook repository and verify that documented runbooks exist for each of the top ten identified alert types.
  3. Select three runbooks for detailed review and verify each contains clearly defined sections for detection criteria, triage steps, investigation procedures, escalation thresholds, containment actions, and closure criteria.
  4. Review change control records for the selected runbooks to verify they have been reviewed and updated within the past 12 months.
  5. Interview three SOC analysts of varying experience levels and confirm they can locate and navigate the runbook repository without assistance.
  6. Select five closed incident tickets corresponding to alerts covered by the reviewed runbooks and trace analyst actions against the documented procedures to verify adherence.
  7. Identify any deviations between documented runbook steps and actual analyst actions in the sampled tickets and determine whether exceptions were appropriately documented and justified.
  8. Verify that runbook effectiveness metrics exist, such as MTTR per alert type or runbook utilization rates, and confirm management reviews these metrics quarterly.

Evidence required

The auditor collects the 90-day alert volume report showing the top ten alert types by frequency, the complete runbook documents for these alert types including version history and approval records, and change management tickets demonstrating periodic review cycles. Additionally, the auditor obtains a sample of 5-10 closed incident tickets with corresponding SIEM alert data, SOC analyst interview notes documenting runbook accessibility and usability, and management meeting minutes or dashboards showing runbook effectiveness metrics and review activities.

Pass criteria

The control passes if documented, current runbooks exist for all top ten alert types, the runbooks contain comprehensive investigation and response procedures, sampled incident response activities demonstrate adherence to documented procedures with documented justification for any deviations, and evidence confirms management reviews runbook effectiveness at least quarterly.
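The following script is an added illustration, not part of the control text or of any audit program, of how steps 1, 2 and 4 of the testing procedure and the runbook-coverage part of the pass criteria can be checked automatically: it counts alert types over the trailing 90 days, takes the top ten, and flags each one whose runbook is missing, reviewed more than 12 months ago, or lacking a required section. The alert names, dates and runbook index are constructed sample data standing in for a SIEM export and a runbook repository.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data standing in for a SIEM alert export: (alert_type, fired_on).
# Real input would be the 90-day alert volume report obtained in step 1.
TODAY = date(2024, 6, 30)
SAMPLE_ALERTS = (
    [("Brute force login", TODAY - timedelta(days=d)) for d in range(0, 90, 2)]   # 45 hits
    + [("Malware detected", TODAY - timedelta(days=d)) for d in range(0, 90, 3)]   # 30 hits
    + [("Impossible travel", TODAY - timedelta(days=d)) for d in range(0, 90, 5)]  # 18 hits
    + [("Old alert type", TODAY - timedelta(days=120))]                            # outside window
)

# Constructed runbook index: alert type -> (last review date, section headings present).
REQUIRED_SECTIONS = {"detection criteria", "triage", "investigation", "escalation",
                     "containment", "closure"}
SAMPLE_RUNBOOKS = {
    "Brute force login": (date(2024, 2, 1), REQUIRED_SECTIONS),
    "Malware detected": (date(2023, 1, 15), REQUIRED_SECTIONS),                   # stale review
    "Impossible travel": (date(2024, 5, 1), REQUIRED_SECTIONS - {"escalation"}),  # section missing
}

def top_alert_types(alerts, today, window_days=90, n=10):
    """Step 1: count alert types fired within the trailing window and return the top n."""
    cutoff = today - timedelta(days=window_days)
    counts = Counter(t for t, fired in alerts if fired >= cutoff)
    return [t for t, _ in counts.most_common(n)]

def check_runbooks(alert_types, runbooks, today, max_age_days=365):
    """Steps 2-4: classify each top alert type as missing, stale, incomplete or ok."""
    findings = {}
    for t in alert_types:
        if t not in runbooks:
            findings[t] = "missing"
            continue
        reviewed, sections = runbooks[t]
        if (today - reviewed).days > max_age_days:
            findings[t] = "stale"
        elif not REQUIRED_SECTIONS <= set(sections):
            findings[t] = "incomplete: " + ", ".join(sorted(REQUIRED_SECTIONS - set(sections)))
        else:
            findings[t] = "ok"
    return findings

def control_passes(findings):
    """Pass criteria (runbook coverage only): every top alert type has a current, complete runbook."""
    return all(v == "ok" for v in findings.values())
```

Run `check_runbooks(top_alert_types(SAMPLE_ALERTS, TODAY), SAMPLE_RUNBOOKS, TODAY)` to see the per-alert findings; adherence to the runbooks in closed tickets (steps 6 and 7) still requires manual review.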
