
Free audit program · v1.0.0

Crisis Resilience Assessment

How prepared is your organisation for a cyber crisis?

  • Target area: Crisis Resilience Assessment
  • framework
  • 24 controls in this program
  • Author: Cyentrix (Trusted Author)

About this program

A crisis is the moment your normal processes break. This 25-question check covers the decisions, comms and capabilities that determine whether you handle that moment well or badly. After each answer, expand the “Auditor’s view” for how to test the control, what evidence to collect, and the ideal response.

Controls (24)

  1. When a major incident is declared, is there a single named decision-maker (often called Incident Commander) with authority to take the network offline, engage IR, and make ransom decisions?

    Medium

    How to test + evidence

    Risk: Without a single decision-maker, decisions are slow and contested under pressure. The control only counts as tested when the IC has actually exercised the role.

    Testing procedure: Inspect IR plan for named Incident Commander + deputy. Verify written authority levels (isolation, payment, comms approval). Confirm a tabletop exercise within the last 12 months exercised the role.

    Evidence to collect:
      • IR plan section naming IC + deputy
      • Authority matrix document
      • Tabletop after-action report
      • Out-of-band contact details for IC + deputy

  2. Are the criteria for declaring a major incident written down (so the call is consistent across responders and shifts)?

    Medium

    How to test + evidence

    Risk: Inconsistent severity calls cause delayed response. Documented criteria let any responder make the call objectively.

    Testing procedure: Inspect the severity matrix. Sample 5 historical incidents and verify severity classification was consistent with the matrix.

    Evidence to collect:
      • Severity matrix in IR plan
      • Sample incident records with assigned severity
      • Cross-shift consistency (handover docs)

  3. Who has authority to authorise a ransom payment (or refuse one)? Has that decision been pre-discussed?

    Medium

    How to test + evidence

    Risk: Ransom decisions improvised under pressure are poor ones. Pre-discussed positions with counsel + insurer give the IC a clear framework.

    Testing procedure: Inspect board minutes referencing ransom decision pre-authorisation. Verify counsel + insurer briefed on the position.

    Evidence to collect:
      • Board minutes documenting ransom position
      • Letter from counsel on legal considerations
      • Insurer engagement on coverage / requirements
      • Tabletop transcript exercising the decision

  4. Has the board / leadership team sat through a tabletop exercise involving a realistic crisis scenario in the last 12 months?

    Medium

    How to test + evidence

    Risk: Tabletops surface decision-making gaps no document review can. The exec team needs to make the hard calls before the live event.

    Testing procedure: Inspect tabletop after-action report. Verify board/exec attendance + that decisions were actually exercised (not theoretical).

    Evidence to collect:
      • Tabletop attendance list
      • Scenario brief used
      • Post-exercise survey results
      • Action tracker with closure status

  5. Are out-of-band communications pre-arranged for use when email and chat are unavailable (Signal/WhatsApp groups, separate phones, alt mail)?

    Medium

    How to test + evidence

    Risk: Email is encrypted in many ransomware events. Pre-arranged OOB is the difference between coordinated response and chaos.

    Testing procedure: Inspect OOB channel (Signal group, alt phone numbers). Verify membership current + tested in tabletop.

    Evidence to collect:
      • OOB channel screenshot or roster
      • Alt-phone contact list
      • Tabletop record showing OOB used

  6. Is there a written internal communications plan (who tells employees what, when, via which channels)?

    Medium

    How to test + evidence

    Risk: Employees fill the silence with rumour. Pre-drafted internal comms in non-affected channels keep everyone aligned.

    Testing procedure: Inspect internal comms templates. Verify they cover scenarios (suspended access, work-from-home, what to say to customers) + are stored OOB.

    Evidence to collect:
      • Internal comms templates
      • Decision tree for what to communicate when
      • Channel inventory (intranet, mail, alt-mail, SMS)

  7. Is there a written external communications plan covering customers, partners, regulators and (if relevant) press?

    Medium

    How to test + evidence

    Risk: External comms drive press perception + legal exposure. Drafting on the fly under press pressure produces the wrong words.

    Testing procedure: Inspect external comms templates + approval workflow. Verify regulator notification windows are documented.

    Evidence to collect:
      • External comms templates per audience
      • Approval workflow (legal + comms + exec)
      • Regulator notification timeline (e.g. NIS2 24h, GDPR 72h)
      • PR firm / counsel engagement

  8. Do you have a status page or public communication channel that operates independently of your primary infrastructure?

    Medium

    How to test + evidence

    Risk: Customers want answers; a status page is the cheapest, fastest channel. A status page co-located with the affected systems is useless during an outage.

    Testing procedure: Inspect status page hosting. Verify it can be updated when primary infrastructure is offline.

    Evidence to collect:
      • Status page URL + hosting account separation
      • Authentication path independent of primary IDP
      • Test update from OOB device

  9. Is there a current responder roster (names, roles, phone numbers, after-hours contacts) maintained outside your primary IT systems?

    Medium

    How to test + evidence

    Risk: Rosters in your primary wiki are inaccessible during the incident. A printed copy plus a tested copy on an alternate cloud provider is the only safe approach.

    Testing procedure: Inspect the responder roster. Verify it is accessible OOB + reviewed within 90 days.

    Evidence to collect:
      • Printed roster + cloud copy on alt provider
      • Last review date + reviewer
      • After-hours contact details

  10. For each critical role (Incident Commander, lead investigator, comms lead) is there a designated deputy if the primary is unavailable?

    Medium

    How to test + evidence

    Risk: Major incidents often happen when key people are on holiday. Deputies + cross-training make the plan resilient to absence.

    Testing procedure: Inspect IR plan. Verify deputies are named for each critical role + have participated in tabletops.

    Evidence to collect:
      • IR plan with primary + deputy per role
      • Cross-training records
      • Tabletop with deputies playing the role

  11. Do you have an external IR / forensics firm pre-engaged on retainer with a tested escalation path?

    Medium

    How to test + evidence

    Risk: IR firms saturate in major events. A retainer guarantees response; cold-calling at 2am does not.

    Testing procedure: Inspect retainer contract. Verify 24/7 contact + last test call. Check insurance-mandated IR firm if applicable.

    Evidence to collect:
      • IR retainer contract
      • Test call log
      • Engagement runbook
      • Insurance-linked IR confirmation if applicable

  12. Have you pre-engaged legal counsel familiar with breach notification, regulatory engagement, and ransomware demand handling?

    Medium

    How to test + evidence

    Risk: Specialist breach counsel knows the privileged-comms playbook + regulatory pacing. General counsel learns on your incident.

    Testing procedure: Inspect engagement letter with breach counsel. Verify scope covers breach notification, regulatory engagement and ransom demand handling.

    Evidence to collect:
      • Breach counsel engagement letter
      • Scope coverage matrix
      • Tabletop with counsel engaged

  13. Do you have written, scenario-specific playbooks (ransomware, data exfil, BEC, DDoS, supply-chain) — not just a generic IR plan?

    Medium

    How to test + evidence

    Risk: A generic plan rarely survives contact with a specific scenario. Scenario-specific playbooks make the key decisions in advance.

    Testing procedure: Inspect playbook library. Verify coverage of top 5 scenarios + recent test of at least one.

    Evidence to collect:
      • Playbook library (ransomware, data exfil, BEC, DDoS, supply chain)
      • Last review + reviewer per playbook
      • Tabletop after-action report

  14. If your IT systems are completely encrypted/inaccessible, can your responders still access the playbook (printed binder, separate cloud account, etc.)?

    Medium

    How to test + evidence

    Risk: Wiki-only playbooks are inaccessible during the very event they're needed for. A printed binder plus a copy in a separate cloud account is the only safe pattern.

    Testing procedure: Verify playbook accessibility OOB. Test by attempting to retrieve a playbook with the primary IDP unavailable.

    Evidence to collect:
      • Printed playbook binder location
      • Separate cloud account / personal Drive copy
      • Test retrieval log

  15. Is there a process for keeping a contemporaneous decision log during an incident (who decided what, when, why)?

    Medium

    How to test + evidence

    Risk: Decision logs are critical for legal defence + post-incident learning. Without them, what happened becomes contested narrative.

    Testing procedure: Inspect decision log template. Sample real incident logs from the period; verify timestamps + decision rationales.

    Evidence to collect:
      • Decision log template
      • Sample completed logs
      • Scribe role assignment in IR plan

  16. Are evidence preservation procedures documented (snapshots, log exports, custody chain) so forensics is possible afterwards?

    Medium

    How to test + evidence

    Risk: Mishandled evidence loses court value + regulatory defensibility. Documented chain-of-custody is the bar.

    Testing procedure: Inspect evidence preservation runbook. Verify chain-of-custody template + tested snapshot/export procedures.

    Evidence to collect:
      • Evidence preservation runbook
      • Chain-of-custody template
      • Sample preserved evidence with metadata

  17. Do you know which regulators require notification, the timelines (e.g. 72 hours), and have a written escalation for that?

    Medium

    How to test + evidence

    Risk: Regulatory clocks start at incident detection, not at convenience. Pre-briefed counsel + a runbook hit the deadline reliably.

    Testing procedure: Inspect regulator register + notification runbook. Verify timeline awareness (NIS2 24h, GDPR 72h, sector-specific).

    Evidence to collect:
      • Regulator register with applicable laws
      • Notification runbook with timelines
      • Pre-briefed counsel
      • Tabletop exercising the notification path

  18. Can you rapidly isolate a compromised network segment without taking down the entire business?

    Medium

    How to test + evidence

    Risk: Whole-network shutdown causes business damage equal to the attack. Surgical isolation contains while the business runs.

    Testing procedure: Inspect network architecture + isolation runbook. Test isolation in a controlled exercise.

    Evidence to collect:
      • Network segmentation diagram
      • Isolation runbook with timing
      • Test record showing isolation worked + business continued elsewhere

  19. During an active incident, do you have logging + EDR data centralised somewhere accessible (separate from the affected systems)?

    Medium

    How to test + evidence

    Risk: An on-prem SIEM gets encrypted along with everything else in a ransomware event. A cloud-hosted one is independent and stays accessible.

    Testing procedure: Verify SIEM + EDR are on separate infrastructure from affected systems. Test access with the primary IDP offline.

    Evidence to collect:
      • SIEM + EDR architecture diagram
      • Authentication path independent of primary
      • Retention period covering audit window

  20. Do you have break-glass admin credentials accessible during an incident (sealed in a vault, separate from the affected identity provider)?

    Medium

    How to test + evidence

    Risk: When the IDP is compromised, you need authenticated access from outside. Break-glass + sealed creds is the only path.

    Testing procedure: Inspect break-glass procedure. Verify credentials are sealed, separate from primary IDP, and access is alerted.

    Evidence to collect:
      • Break-glass procedure document
      • Sealed credential storage location
      • Alert log on break-glass usage
      • Test record
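    Control 20 requires that any use of the break-glass credentials is alerted. The detection logic below is an added example, not part of the Cyentrix program: it runs over a constructed sign-in log from the separate identity store, raises an alert for every sign-in attempt by a break-glass account, and escalates to CRITICAL when no major incident was declared at the time. The account names, incident window and log lines are all constructed for the example.

```python
"""Alerting on break-glass credential use (added example, not part of the program)."""
import json
from datetime import datetime, timezone

# Constructed: the sealed break-glass principals named in the break-glass procedure.
BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}

# Constructed: declared major-incident windows in UTC (end=None means still open).
INCIDENT_WINDOWS = [
    (datetime(2024, 5, 3, 2, 0, tzinfo=timezone.utc),
     datetime(2024, 5, 4, 18, 0, tzinfo=timezone.utc)),
]

# Constructed sample sign-in log from the separate identity store, one JSON object per line.
SAMPLE_LOG = """\
{"time": "2024-05-03T02:14:00Z", "user": "bg-admin-01", "result": "success", "source": "10.9.0.5"}
{"time": "2024-05-03T02:20:00Z", "user": "alice", "result": "success", "source": "10.9.0.7"}
{"time": "2024-05-10T23:41:00Z", "user": "bg-admin-02", "result": "failure", "source": "203.0.113.9"}
{"time": "2024-05-11T00:02:00Z", "user": "bg-admin-02", "result": "success", "source": "203.0.113.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def in_declared_incident(ts, windows=INCIDENT_WINDOWS):
    """True when ts falls inside a declared major-incident window."""
    return any(start <= ts and (end is None or ts <= end) for start, end in windows)


def break_glass_alerts(events, windows=INCIDENT_WINDOWS):
    """Every sign-in attempt (success or failure) by a break-glass account raises an alert.
    Use inside a declared incident is HIGH (expected, but must be reviewed by the IC);
    use with no incident declared is CRITICAL, since nobody should have unsealed the creds."""
    alerts = []
    for ev in events:
        if ev["user"] not in BREAK_GLASS_ACCOUNTS:
            continue
        declared = in_declared_incident(ev["time"], windows)
        alerts.append({
            "time": ev["time"].isoformat(),
            "user": ev["user"],
            "result": ev["result"],
            "source": ev["source"],
            "severity": "HIGH" if declared else "CRITICAL",
            "reason": ("break-glass use during declared incident" if declared
                       else "break-glass use with no incident declared"),
        })
    return alerts
```

    Failed attempts alert as well as successes: a failed break-glass sign-in outside an incident means someone is probing the sealed account and is evidence for the test record.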

  21. Are your backups isolated from production credentials (separate cloud account, immutable, air-gapped)?

    Medium

    How to test + evidence

    Risk: Compromised production credentials should not be able to destroy backups. Cross-account + immutability ensures this.

    Testing procedure: Verify backups are isolated from production credentials. Test a deletion attempt from a production-owned account.

    Evidence to collect:
      • Backup architecture
      • Cross-account / immutability config
      • Failed deletion test record

  22. Do you have validated recovery time objectives (RTO) for your top critical systems?

    Medium

    How to test + evidence

    Risk: Untested RTO is wishful thinking. Drill-validated RTO is what you can actually commit to.

    Testing procedure: Inspect BIA + restore drill report. Verify actual time-to-restore vs documented RTO.

    Evidence to collect:
      • BIA with RTO per critical system
      • Restore drill report
      • Plans updated where RTO missed

  23. Have you identified the top 5 systems that must come back first (and the dependencies between them)?

    Medium

    How to test + evidence

    Risk: Without priorities, recovery effort fragments. Documented sequence + dependencies turns chaos into orchestrated restoration.

    Testing procedure: Inspect priority list + dependency map. Verify business owners signed off + dependencies mapped (not just "everything is critical").

    Evidence to collect:
      • Priority list with business owner sign-off
      • Dependency map for top-10 systems
      • Restoration sequence document
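    Controls 22 and 23 together say an RTO is only credible when validated along the dependency chain, not per system in isolation. The script below is an added example, not part of the Cyentrix program: it derives a restoration sequence from a constructed dependency map (refusing cycles, which a real map often hides) and compares each system's drill-measured recovery time, including its prerequisites, against its documented RTO. System names, RTOs and drill times are constructed.

```python
"""Restoration sequence + dependency-aware RTO check (added example, not part of the program)."""
from collections import deque

# Constructed BIA sample: documented RTO (hours), prerequisites, and the
# time-to-restore measured for each system on its own in the last drill.
SYSTEMS = {
    "identity": {"rto_h": 4, "depends_on": [], "drill_h": 3.0},
    "network": {"rto_h": 2, "depends_on": [], "drill_h": 1.5},
    "database": {"rto_h": 8, "depends_on": ["network", "identity"], "drill_h": 6.0},
    "erp": {"rto_h": 12, "depends_on": ["database"], "drill_h": 4.0},
    "webshop": {"rto_h": 12, "depends_on": ["database", "identity"], "drill_h": 2.0},
}


def restoration_sequence(systems):
    """Kahn's topological sort: the order in which systems can be brought back.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    indeg = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on {dep}, which is not in the priority list")
            indeg[name] += 1
            dependents[dep].append(name)
    queue = deque(sorted(name for name, d in indeg.items() if d == 0))
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for nxt in sorted(dependents[name]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(systems):
        stuck = sorted(set(systems) - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def validate_rto(systems):
    """Effective recovery time = own drill time + slowest prerequisite chain (independent
    restores run in parallel). A system can hit its standalone drill time and still miss RTO."""
    effective = {}
    for name in restoration_sequence(systems):
        chain = max((effective[d] for d in systems[name]["depends_on"]), default=0.0)
        effective[name] = chain + systems[name]["drill_h"]
    return {
        name: {"effective_h": effective[name], "rto_h": spec["rto_h"],
               "met": effective[name] <= spec["rto_h"]}
        for name, spec in systems.items()
    }
```

    In the constructed data the ERP restore alone takes 4h against a 12h RTO, yet it still misses because the database it depends on comes back at 9h; that is the gap a per-system drill report hides.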

  24. After previous incidents (or near-misses), are lessons documented and acted on?

    Medium

    How to test + evidence

    Risk: Lessons closed and reflected in updated playbooks turn each incident into an improvement. Without action closure you fix the same issue six times.

    Testing procedure: Inspect post-mortem template + completed examples. Verify actions are tracked to closure.

    Evidence to collect:
      • Post-mortem template
      • Sample completed post-mortems
      • Action tracker with closure status
      • Plan updates reflecting learnings