17.3
IG1 IG2 IG3

Establish and Maintain an Enterprise Process for Reporting Incidents

Asset Type: N/A
Security Function: Respond

Description

Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Define response procedures and playbooks
2. Assign response roles and responsibilities
3. Establish response timeframes and SLAs
4. Test response procedures through tabletop or simulation
5. Document lessons learned and update procedures
6. Develop incident response plan and playbooks
7. Define roles, escalation paths, and communication channels
8. Conduct tabletop exercise to validate plan
9. Establish post-incident review process
10. Draft policy/procedure document
11. Obtain stakeholder review and approval
12. Communicate to affected personnel
13. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Security Incident Unreported by Employee Who Witnessed It

Confidentiality

An employee observes indicators of compromise but does not report them because no enterprise reporting process defines how, when, or to whom incidents should be reported.

Delayed Incident Response Due to Informal Reporting Chain

Confidentiality

An employee reports a suspected breach to their direct manager instead of the security team, and the information takes days to reach the right people because no formal reporting process exists.

Vulnerabilities (When Safeguard Absent)

No Standardized Incident Reporting Process for Workforce

Without a defined reporting process, employees lack clear guidance on reporting timeframes, who to contact, how to report, and what minimum information to include, resulting in unreported or poorly reported incidents.

Reporting Process Not Publicly Available to All Staff

Even if a reporting process exists, it is ineffective if not readily accessible to all workforce members, resulting in employees being unable to find reporting instructions during a suspected incident.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Response procedure/playbook documentation | Reviewed bi-annually
Record | Response action logs showing procedure execution | Per incident
Document | Incident response plan and playbooks | Reviewed bi-annually
Record | Incident reports and post-incident review documentation | Per incident
Document | Governing policy document (current, approved, communicated) | Reviewed annually
