Incident response roles and contacts are designated and current
An incident response plan is only useful if the right people can be reached quickly. Outdated contact information, unassigned roles, and unclear escalation paths are among the most common reasons that incident response fails in practice. Roles and contacts must be reviewed regularly and stored in a location that is accessible even when primary systems are compromised. The on-call rotation must be kept current as team membership changes.
Implementation steps
1. Document IR roles with named individuals and backup contacts
For each role in the incident response plan (incident commander, technical lead, communications lead, legal liaison, executive sponsor), assign a primary and backup person by name. Include multiple contact methods: work phone, personal cell, and a personal email not hosted on company infrastructure. Confirm with each person that they understand their role and have reviewed the plan.
pagerduty opsgenie confluence notion google-sheets
2. Configure on-call rotation and alerting for security incidents
Set up an on-call schedule for security alerts so there is always a designated responder. Configure your monitoring and SIEM tools to page the on-call person for high-severity alerts. Test the paging chain to confirm alerts actually reach the right person. For smaller organizations without a dedicated security team, define who is on-call and ensure they have the tools and access needed to respond.
pagerduty opsgenie victorops aws-chatbot slack
3. Review and update contacts quarterly
Set a calendar reminder to review IR contacts every quarter. When someone leaves the team or changes roles, update the plan immediately rather than waiting for the quarterly review. Store a printed or offline copy of critical contacts in case your primary systems are unavailable during an incident. Confirm that each person in the contact list is still reachable at the listed numbers.
pagerduty confluence google-sheets drata vanta
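The checks in steps 1 and 3, as an added example that is not part of the original page: a roster audit that flags unassigned roles, missing contact methods, a personal email on the company domain, and contacts not confirmed within a quarter. The roster layout, the field names, the `example.com` domain, the per-person `last_reviewed` date and the 92-day threshold are assumptions.

```python
from datetime import date
# Roles named in step 1 of the page.
REQUIRED_ROLES = ["incident commander", "technical lead", "communications lead",
                  "legal liaison", "executive sponsor"]
COMPANY_DOMAIN = "example.com"   # assumption: the organization's own mail domain
MAX_AGE_DAYS = 92                # assumption: "quarterly" read as at most 92 days

def check_person(label, person, today):
    """Return findings for one primary or backup entry."""
    findings = []
    for field in ("name", "work_phone", "personal_cell", "personal_email"):
        if not person.get(field):
            findings.append(f"{label}: missing {field}")
    email = (person.get("personal_email") or "").lower()
    if email.endswith("@" + COMPANY_DOMAIN):
        findings.append(f"{label}: personal_email is hosted on {COMPANY_DOMAIN}")
    reviewed = person.get("last_reviewed")
    if reviewed is None or (today - reviewed).days > MAX_AGE_DAYS:
        findings.append(f"{label}: contact not confirmed in the last {MAX_AGE_DAYS} days")
    return findings

def audit_roster(roster, today):
    """Check every required role for a distinct, reachable primary and backup."""
    findings = []
    for role in REQUIRED_ROLES:
        entry = roster.get(role, {})
        for slot in ("primary", "backup"):
            if slot not in entry:
                findings.append(f"{role}/{slot}: unassigned")
            else:
                findings += check_person(f"{role}/{slot}", entry[slot], today)
        names = [entry[s].get("name") for s in ("primary", "backup") if s in entry]
        if len(names) == 2 and names[0] and names[0] == names[1]:
            findings.append(f"{role}: backup is the same person as primary")
    return findings

# Constructed sample data (not real people or numbers).
def _p(name, email, reviewed):
    return {"name": name, "work_phone": "555-0100", "personal_cell": "555-0101",
            "personal_email": email, "last_reviewed": reviewed}
SAMPLE = {r: {"primary": _p("A. Primary", "a@mail.test", date(2024, 5, 1)),
              "backup": _p("B. Backup", "b@mail.test", date(2024, 5, 1))}
          for r in REQUIRED_ROLES}
SAMPLE["legal liaison"]["backup"] = _p("C. Counsel", "c@example.com", date(2024, 1, 2))
del SAMPLE["executive sponsor"]["backup"]

if __name__ == "__main__":
    for finding in audit_roster(SAMPLE, date(2024, 6, 1)):
        print(finding)
```

A domain match only approximates "not hosted on company infrastructure"; an address on another domain the company operates would still need a manual check.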
Evidence required
IR role assignments and contact list
Evidence that IR roles are assigned, contacts are current, and on-call coverage exists.
- IR contact list with names, roles, and multiple contact methods showing last-reviewed date
- PagerDuty or OpsGenie on-call schedule screenshot
- Confirmation emails or calendar invites from last quarterly contact review
Related controls
- An incident response plan is documented and maintained (Response and Recovery)
- Incident response exercises are conducted at least annually (Response and Recovery)
- Security incidents are reported to CISA when applicable (Response and Recovery)
- Security logs are collected centrally and retained for investigation (Response and Recovery)