An incident response plan is documented and maintained

Implementation steps

1. 1

   Write an incident response plan covering key phases

   Document the plan using a recognized framework such as NIST SP 800-61. Cover all phases: preparation, detection and analysis, containment, eradication and recovery, and post-incident review. Include: severity classification criteria, escalation contacts for each severity level, containment decision trees for common incident types (ransomware, account compromise, data breach), and communication templates for internal and external notifications.

   confluence notion google-docs pagerduty opsgenie
2. 2

   Assign roles and ensure coverage

   The plan must name specific roles: incident commander, communications lead, technical lead, and legal liaison. Each role needs a primary and backup. Store contact information in a location accessible outside your primary systems, because in a major incident your email or Slack may be unavailable or untrusted. Review role assignments every six months and update when people leave.

   pagerduty opsgenie google-drive lastpass 1password
3. 3

   Review and update the plan at least annually

   Schedule an annual review of the IR plan to incorporate lessons learned from incidents and exercises, changes in the technology environment, and updates to legal notification requirements. After any significant incident, conduct a post-incident review and update the plan based on what worked and what did not. Version-control the plan and record when it was last reviewed and by whom.

   confluence github google-docs drata vanta

Evidence required