INC-004 Incident Containment and Eradication
Description
Documented containment procedures exist for common incident types (e.g., account compromise, malware, data exfiltration, DDoS). Containment actions are taken within defined timeframes based on severity classification. Eradication steps — including root cause removal — are completed before recovery begins. Actions taken are logged.
Rationale
Speed and discipline in containment determine how far a breach spreads. Documented procedures prevent ad-hoc decisions that may spread the incident or destroy evidence.
Framework Mappings (5)
| Control | Title | Coverage |
|---|---|---|
| SEF-07 | Incident Management and Response | full |
| 5.26 | Response to information security incidents | full |
| IR-4 | Incident Handling | full |
| CC7.4 | Responds to Identified Security Incidents | full |
| CC7.5 | Identifies, Develops, and Implements Activities to Recover from Identified Security Incidents | full |
Evidence (2)
Incident containment and eradication procedures documenting response steps for common incident types, containment timeframes, and eradication criteria.
Example: Incident Response Runbooks or IRP appendices for at least three common incident types (e.g., account compromise, ransomware/malware, data exfiltration) — version-controlled, reviewed within the last 12 months
Test: Request containment and eradication runbooks for at least three incident types. Verify: (1) procedures are defined for each covered incident type; (2) containment steps are specific and actionable (not generic); (3) eradication criteria are defined (what constitutes root cause removal); (4) recovery may not begin until eradication is confirmed; (5) all actions are required to be logged.
Incident action log or containment timeline records showing documented actions taken during containment and eradication for actual incidents.
Example: Incident ticket or war-room log from the last significant incident, showing timestamped containment actions, responsible analyst, and confirmation of eradication steps completed before recovery began
Test: Request the incident action logs for the last two significant incidents. Verify: (1) containment actions are timestamped and attributed to a named analyst; (2) containment was initiated within the SLA defined for the incident's severity; (3) eradication steps are logged as complete before recovery actions were started; (4) logs are stored in the incident management system and are not modifiable by the responder.
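The first three checks of the test above can be run automatically over an exported incident action log. The script below is an added example, not part of this control or any incident management product; the severity SLAs, the log field names (`ts`, `analyst`, `phase`, `confirmed`) and both sample incidents are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed containment SLAs by severity (hypothetical values; the control only requires that SLAs be defined).
CONTAINMENT_SLA = {"critical": timedelta(hours=1), "high": timedelta(hours=4), "medium": timedelta(hours=24)}


def check_incident_log(incident):
    """Return a list of findings for one incident action log; an empty list means checks (1)-(3) pass."""
    findings = []
    actions = sorted(incident["actions"], key=lambda a: a.get("ts", ""))
    # (1) every action is timestamped and attributed to a named analyst
    for a in actions:
        if not a.get("ts") or not a.get("analyst"):
            findings.append(f"action '{a.get('action')}' lacks a timestamp or a named analyst")
    # (2) the first containment action falls within the SLA for the incident's severity
    detected = datetime.fromisoformat(incident["detected_at"])
    sla = CONTAINMENT_SLA[incident["severity"]]
    containment = [a for a in actions if a["phase"] == "containment" and a.get("ts")]
    if not containment:
        findings.append("no containment action logged")
    elif datetime.fromisoformat(containment[0]["ts"]) - detected > sla:
        findings.append(f"containment began after the {incident['severity']} SLA of {sla}")
    # (3) every recovery action starts after the last confirmed eradication step
    eradicated = [datetime.fromisoformat(a["ts"]) for a in actions
                  if a["phase"] == "eradication" and a.get("confirmed") and a.get("ts")]
    recovery = [datetime.fromisoformat(a["ts"]) for a in actions if a["phase"] == "recovery" and a.get("ts")]
    if recovery and (not eradicated or min(recovery) < max(eradicated)):
        findings.append("recovery started before eradication was confirmed complete")
    return findings


# Constructed sample logs (not real incidents): one compliant, one with three deficiencies.
INCIDENT_OK = {
    "severity": "high", "detected_at": "2024-03-01T09:00:00",
    "actions": [
        {"ts": "2024-03-01T09:40:00", "analyst": "a.lee", "phase": "containment", "action": "disabled account, revoked sessions"},
        {"ts": "2024-03-01T11:15:00", "analyst": "a.lee", "phase": "eradication", "action": "removed rogue OAuth grant", "confirmed": True},
        {"ts": "2024-03-01T12:00:00", "analyst": "j.kim", "phase": "recovery", "action": "re-enabled account with MFA re-enrolment"},
    ],
}
INCIDENT_BAD = {
    "severity": "high", "detected_at": "2024-03-01T09:00:00",
    "actions": [
        {"ts": "2024-03-01T14:00:00", "analyst": "a.lee", "phase": "containment", "action": "disabled account"},
        {"ts": "2024-03-01T14:30:00", "analyst": "", "phase": "recovery", "action": "re-enabled account"},
        {"ts": "2024-03-01T15:00:00", "analyst": "a.lee", "phase": "eradication", "action": "reset credentials", "confirmed": True},
    ],
}

if __name__ == "__main__":
    for name, inc in (("INCIDENT_OK", INCIDENT_OK), ("INCIDENT_BAD", INCIDENT_BAD)):
        print(name, check_incident_log(inc) or "passes checks (1)-(3)")
```

Check (4), that the log is held in the incident management system and is not modifiable by the responder, is a property of the system's access controls and audit trail, and is verified there rather than from the exported records.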
Questions (2)
Do documented containment procedures exist for common incident types, with containment actions taken within defined timeframes by severity, and eradication steps logged before recovery begins?
Containment procedures should be specific and actionable — not generic guidance. At minimum, runbooks should exist for account compromise, malware, and data exfiltration incident types.
Which incident types have documented containment and eradication runbooks?
Account compromise, malware, and data exfiltration are the minimum required runbooks. AI-specific incident types are expected for organisations deploying AI systems in production.