Establish and Maintain an Incident Response Process
Description
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
| Tool Description | Vendor | Licensing |
|---|---|---|
| Security orchestration, automation, and response platform with playbook automation and case management | Palo Alto Networks | Enterprise subscription |
| Security orchestration and automated response platform with playbooks, case management, and 350+ integrations | Cisco (Splunk) | Event-based subscription |
| Security incident response and vulnerability response with orchestration, workflow automation, and CMDB integration | ServiceNow | Enterprise subscription |
| AI-enhanced security automation platform with low-code playbooks, case management, and threat intelligence orchestration | Swimlane | Enterprise subscription |
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Chaotic Response to Major Security Incident
Confidentiality: During a significant breach, response efforts are uncoordinated because no documented process defines roles, responsibilities, escalation paths, or communication plans, leading to evidence destruction and extended attacker access.
Compliance Violation from Improper Incident Handling
Integrity: The organization violates regulatory requirements during incident response because no documented process addresses compliance obligations for evidence preservation, notification timelines, or reporting requirements.
Public Relations Crisis from Poor Incident Communication
Integrity: Inconsistent and contradictory public statements during a breach erode customer trust because no communication plan was established as part of the incident response process.
Vulnerabilities (When Safeguard Absent)
No Documented Incident Response Process
Without a documented incident response process, the organization has no predefined playbook for roles, responsibilities, compliance requirements, or communication during security incidents.
No Incident Communication Plan
Absence of a communication plan within the incident response process means internal and external communications during incidents are ad hoc, inconsistent, and potentially damaging.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |