INC-009 Incident Response Training and Testing
Description
Personnel with incident response roles receive training at onboarding and at a defined periodic frequency. The Incident Response Plan is tested through tabletop exercises or simulations at least annually. Test results are reviewed and used to update procedures. Metrics on incident response performance are tracked.
Rationale
Plans and training that are never exercised degrade in quality and fail at the worst moment. Periodic testing validates that procedures, tools, and team capabilities are current and effective.
Framework Mappings (4)
| SEF-04 | Incident Response Testing | full |
| SEF-05 | Incident Response Metrics | full |
| IR-2 | Incident Response Training | full |
| IR-3 | Incident Response Testing | full |
Evidence (2)
Training completion records showing personnel with incident response roles completed required IR training at onboarding and at the defined periodic frequency.
Example: LMS (e.g., KnowBe4, Workday Learning, or equivalent) training completion report filtered to incident response roles, showing completion status, completion date, and training module name for the last training cycle.
Test: Request the IR training completion report. Verify: (1) all personnel listed in the IRP with response roles appear in the training records; (2) training was completed within the required period (at onboarding and periodically); (3) any overdue completions have a documented remediation plan; (4) training content covers current procedures and tools.
IR tabletop exercise or simulation record showing the IRP was tested within the last 12 months and results were used to update procedures.
Example: IR tabletop exercise agenda and after-action report (dated within the last 12 months) showing scenario used, participant list, issues identified, IR performance metrics measured, and plan updates triggered by the exercise.
Test: Request the most recent IR exercise report. Verify: (1) the exercise was conducted within the last 12 months; (2) participants included personnel holding defined IR roles; (3) performance metrics (e.g., detection time, containment time, escalation accuracy) were measured; (4) findings resulted in documented updates to the IRP or runbooks; (5) corrective actions were tracked to completion.
Questions (2)
Do personnel with incident response roles receive training at onboarding and at a defined periodic frequency, and is the Incident Response Plan tested through tabletop exercises or simulations at least annually?
Training completion should be tracked in an LMS or equivalent system. Exercise results should be used to update IRP procedures — a plan that generates no updates after an exercise likely was not tested meaningfully.
How frequently is incident response training conducted for personnel with defined IR roles?
Training at onboarding plus an annual refresher is the minimum expectation. Six-monthly training is considered a strong practice for teams with active response responsibilities.