Conduct Routine Incident Response Exercises
Description
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
Implementation Checklist
Tool Recommendations
- Security orchestration, automation, and response platform with playbook automation and case management (Palo Alto Networks · Enterprise subscription)
- Security orchestration and automated response platform with playbooks, case management, and 350+ integrations (Cisco (Splunk) · Event-based subscription)
- Security incident response and vulnerability response with orchestration, workflow automation, and CMDB integration (ServiceNow · Enterprise subscription)
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Ineffective Response to Real Incident Due to Untested Processes
Availability: During an actual ransomware attack, the incident response team fails to execute the documented plan effectively because they have never practiced it, resulting in missed steps and delayed containment.
Decision-Making Paralysis During First Real Incident
Availability: Key personnel freeze during a real security incident because they have never rehearsed decision-making under pressure, causing critical delays in containment and eradication.
Communication Breakdown During Incident Due to Untested Workflows
Availability: Incident response communication channels and escalation workflows fail during a real event because they were never tested through exercises, leaving responders unable to coordinate effectively.
Vulnerabilities (When Safeguard Absent)
No Incident Response Exercises Conducted
Without routine exercises such as tabletop scenarios, the incident response team has no practical experience executing the plan, identifying gaps in procedures, or testing communication channels under simulated pressure.
Untested Decision-Making and Escalation Workflows
Absence of exercises means decision-making processes, escalation paths, and inter-team coordination have never been validated, creating unknown failure points that surface during real incidents.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Recovery plan documentation | Reviewed annually |
| Record | Recovery test results and lessons learned | Tested quarterly |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |