About this program
Is your IR plan more than a PDF? Test for tabletop exercises, RACI, comms templates, escalation paths and lessons-learned.
Risks addressed
- Critical: Slow, ad-hoc IR extends breach impact
- High: Wrong people contacted (or none) during a real incident
- High: Regulators / customers notified late or inconsistently
- High: Logs purged before forensics can run
Controls (7)
- Documented IR plan (High)
  Testing procedure: Confirm an IR plan exists, dated within the last 12 months, owned + approved.
  Evidence to collect: IR plan PDF.
- Roles + RACI defined (High)
  Testing procedure: Plan names IR Lead, Comms, Legal, Tech, with contact details.
  Evidence to collect: RACI table in plan.
- Tabletop exercise within last 12 months (High)
  Testing procedure: Last tabletop date + attendees + scenario; lessons-learned actioned.
  Evidence to collect: Tabletop after-action report.
- Escalation paths to legal + insurer (Medium)
  Testing procedure: Plan documents when/how to engage legal counsel and cyber insurance.
  Evidence to collect: Plan extract.
- Comms templates ready (Medium)
  Testing procedure: Pre-approved templates for staff, customers, regulators, media.
  Evidence to collect: Template library.
- Forensic readiness — logs + tools (High)
  Testing procedure: Log sources retained >=90 days; forensic tooling on standby (in-house or retainer).
  Evidence to collect: SIEM retention + retainer contract.
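A configured retention policy is not the same as 90 days of retrievable data: a source onboarded last month, a purge job, or a stalled collector all leave the policy looking compliant while the evidence is missing. The check below is an added example (not part of this program or any SIEM's API) that compares, per log source, the configured retention against the oldest and newest events actually queryable. The source names, retention values and timestamps are constructed sample data; in practice they would come from the SIEM's index statistics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Threshold stated by the control: log sources retained >= 90 days.
REQUIRED_RETENTION_DAYS = 90
# Assumption for this example: a source with no events in the last 24 hours
# is treated as a stalled collector, which also undermines forensic readiness.
MAX_INGESTION_GAP_HOURS = 24


@dataclass
class LogSource:
    name: str
    configured_retention_days: int  # what the SIEM policy says it keeps
    oldest_event: datetime          # oldest event actually retrievable
    newest_event: datetime          # most recent event seen


def assess_source(src: LogSource, now: datetime) -> dict:
    """Evaluate one log source against the 90-day retention control."""
    observed_days = (now - src.oldest_event).days
    gap_hours = (now - src.newest_event).total_seconds() / 3600
    findings = []
    if src.configured_retention_days < REQUIRED_RETENTION_DAYS:
        findings.append(
            f"policy retains {src.configured_retention_days} days, below 90")
    if observed_days < REQUIRED_RETENTION_DAYS:
        # Policy may say 90+, but the data does not go back that far
        # (recent onboarding or a purge); either way the evidence is absent.
        findings.append(f"only {observed_days} days of data retrievable")
    if gap_hours > MAX_INGESTION_GAP_HOURS:
        findings.append(f"no events in the last {gap_hours:.0f} hours")
    return {
        "source": src.name,
        "configured_days": src.configured_retention_days,
        "observed_days": observed_days,
        "compliant": not findings,
        "findings": findings,
    }


def assess_all(sources: list, now: datetime) -> dict:
    """Return a per-source report keyed by source name."""
    return {src.name: assess_source(src, now) for src in sources}


def noncompliant_sources(report: dict) -> list:
    """Names of sources that fail the control, for the evidence register."""
    return sorted(n for n, r in report.items() if not r["compliant"])


# Constructed sample data (not real SIEM output).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    LogSource("firewall", 365,
              NOW - timedelta(days=400), NOW - timedelta(hours=1)),
    LogSource("idp-signin", 90,
              NOW - timedelta(days=30), NOW - timedelta(hours=2)),
    LogSource("endpoint-edr", 30,
              NOW - timedelta(days=30), NOW - timedelta(hours=1)),
    LogSource("vpn", 180,
              NOW - timedelta(days=200), NOW - timedelta(hours=72)),
]


if __name__ == "__main__":
    report = assess_all(SAMPLE_SOURCES, NOW)
    for name, result in report.items():
        status = "OK " if result["compliant"] else "FAIL"
        print(f"{status} {name}: configured={result['configured_days']}d "
              f"observed={result['observed_days']}d {result['findings']}")
    print("Non-compliant:", noncompliant_sources(report))
```

The "observed_days" column is what an assessor should record as evidence alongside the retention policy: it is the number that shows whether forensics could actually reach back 90 days on the day of the test.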
- Lessons-learned loop (Medium)
  Testing procedure: Closed incidents trigger a post-mortem; actions tracked to completion.
  Evidence to collect: Post-mortem register.