17.5
IG2 IG3

Assign Key Roles and Responsibilities

Asset Type: N/A
Security Function: Respond

Description

Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Define response procedures and playbooks
2. Assign response roles and responsibilities
3. Establish response timeframes and SLAs
4. Test response procedures through tabletop or simulation
5. Document lessons learned and update procedures
6. Develop incident response plan and playbooks
7. Define roles, escalation paths, and communication channels
8. Conduct tabletop exercise to validate plan
9. Establish post-incident review process

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Critical Response Function Unfilled During Incident

Integrity

During a breach, no one is assigned to handle legal obligations such as breach notification or evidence preservation, resulting in regulatory violations and potential spoliation of evidence.

Conflicting Decisions from Multiple Uncoordinated Teams

Availability

IT, security, legal, and public relations teams make contradictory decisions during an incident because no predefined role assignments clarify who is responsible for which response functions.

Vulnerabilities (When Safeguard Absent)

No Predefined Role Assignments for Incident Response

Without assigned roles spanning legal, IT, security, facilities, PR, and HR, critical response functions are either duplicated or completely unaddressed during incidents.

Cross-Functional Coordination Gaps

Absence of defined roles means non-technical functions like legal, HR, and public relations are not integrated into the incident response, causing delays in notifications, employee actions, and public communications.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Response procedure/playbook documentation | Reviewed bi-annually
Record | Response action logs showing procedure execution | Per incident
Document | Incident response plan and playbooks | Reviewed bi-annually
Record | Incident reports and post-incident review documentation | Per incident
Document | Governing policy document (current, approved, communicated) | Reviewed annually
