INC-001 Incident Response Plan
Description
A documented Incident Response Plan (IRP) defines the organisation's approach to detecting, containing, eradicating, and recovering from security incidents. The plan covers roles and responsibilities, communication channels, escalation paths, and coordination with legal, regulatory, and PR functions. It is reviewed at least annually and after significant incidents.
Rationale
Without a documented plan, incident response is improvised, slow, and legally exposed. A current, tested IRP is the structural foundation of the entire incident response capability.
Framework Mappings (5)
| Framework | Control | Title | Coverage |
|---|---|---|---|
| CSA CCM | SEF-01 | Security Incident Management Policy and Procedures | full |
| CSA CCM | SEF-03 | Incident Response Plans | full |
| ISO/IEC 27001:2022 | 5.24 | Information security incident management planning and preparation | full |
| NIST SP 800-53 | IR-1 | Policy and Procedures | full |
| NIST SP 800-53 | IR-8 | Incident Response Plan | full |
Evidence (2)
Documented Incident Response Plan covering roles, responsibilities, communication channels, escalation paths, and coordination with legal, regulatory, and PR functions.
Example: Incident Response Plan document (version-controlled, approved by CISO or equivalent senior owner, dated within the last 12 months) including RACI chart, communication tree, escalation criteria, and regulatory notification procedures
Test: Request the current IRP. Verify: (1) the plan defines roles and responsibilities with named owners or titles; (2) escalation paths cover, at minimum, technical response, legal, PR/communications, and regulatory notification; (3) communication channels and contact lists are included; (4) the document was reviewed and approved within the last 12 months; (5) where a significant incident has occurred since the previous review, the plan was updated afterward.
IRP review record confirming the plan was formally reviewed and approved within the last 12 months or following a significant incident.
Example: Document version history or review sign-off record for the IRP, showing last review date, reviewer, change summary, and approver sign-off
Test: Request the IRP version history and most recent review sign-off. Verify: (1) a formal review was conducted within the last 12 months; (2) a named approver with appropriate authority signed off the current version; (3) where a significant incident occurred in the review period, the IRP was updated afterward.
Questions (2)
Does your organisation have a documented Incident Response Plan (IRP) covering roles and responsibilities, communication channels, escalation paths, and coordination with legal, regulatory, and PR functions, reviewed at least annually?
The IRP should be approved by the CISO or equivalent senior owner, version-controlled, and updated following significant incidents. A plan that has not been reviewed in over 12 months is considered stale.
Which functions are explicitly covered in your Incident Response Plan?
A mature IRP is expected to cover all six. Missing legal or regulatory escalation paths are a common gap, and one that creates real exposure during an actual incident, when notification deadlines and privilege decisions cannot wait for the path to be worked out.