AuditRubric
rs-ma-1 critical Respond / Incident Management

Execute the incident response plan in coordination with relevant third parties

When an incident is declared, the response plan must be activated immediately and in step with any external partners, such as MSSPs, legal counsel, insurers, or cloud providers. Coordination failures, such as a partner being notified after the window its contract requires or two parties acting on conflicting instructions, are a common reason incidents escalate further than they need to. Having pre-established contacts and runbooks means the right people take the right actions without wasting time on ad hoc decision-making. This control ensures the plan is not just a document but an actively executed process.

Estimated effort: 8h
incident-response, ir-plan, coordination, playbook
Complete first: id-im-4, de-ae-8

Implementation steps

  1. Activate the incident response plan and notify the IR team

    When a declared incident threshold is met, the on-call IR lead activates the documented response plan. This includes notifying internal team members via the designated war-room channel and confirming roles and responsibilities from the RACI matrix. If the incident may have compromised the primary collaboration platform itself (for example, an identity or email compromise), use the pre-agreed out-of-band channel instead, so the attacker cannot follow the response.

    Tools: PagerDuty, Slack, Opsgenie
  2. Engage relevant third parties per the contact matrix

    Use the pre-built third-party contact list to loop in external stakeholders: MSSP, legal counsel, cyber insurer, and any impacted vendors or cloud providers. Confirm each party's expected role, the communication cadence, and any contractual or regulatory notification deadline; cyber insurance policies in particular commonly require notice within a defined window, and late notice can put coverage at risk. Record the time each party was first contacted, since that timestamp is the evidence for this control.

    Tools: Slack, Zoom, email
  3. Open a dedicated incident tracking record and begin the timeline log

    Create a formal incident ticket to track all actions, decisions, and communications in one place. Assign an incident commander. Record the declaration time (in UTC, to avoid ambiguity across partners in different time zones), initial scope, and which response playbook is being followed. Keep the timeline append-only: correct a mistaken entry with a new entry rather than editing history, so the record holds up later as evidence. Route advice from legal counsel through counsel-directed channels rather than the general war-room channel, so privileged material is not mixed into the operational log.

    Tools: Jira, ServiceNow, Confluence
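To make the three steps concrete, here is an added Python example (not code from this page or from any of the tools listed above). It builds the declaration record from step 3, derives each third party's notification deadline from a contact matrix as in step 2, and checks a coordination log for notifications that were late or never made. The parties, notification windows, ticket identifiers and timestamps are constructed for the illustration; real values come from the contracts and the IR runbook.

```python
"""Incident activation helper, added as an illustration of steps 1 to 3
(not code from the AuditRubric page or any vendor tool).  It builds the
declaration record, derives each third party's notification deadline from the
contact matrix, and checks a coordination log for late or missing
notifications.  The contact matrix, SLAs and timestamps below are constructed
for the example; real values come from the contracts and the IR runbook."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def parse_time(iso_utc: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so Python < 3.11 accepts it."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Contact:
    party: str
    role: str
    channel: str
    notify_within: timedelta  # notification window from the contract (assumed values)


# Constructed contact matrix (the "pre-built third-party contact list").
CONTACT_MATRIX = (
    Contact("MSSP", "containment and monitoring support", "escalation ticket", timedelta(hours=1)),
    Contact("Legal counsel", "privilege and notification advice", "email", timedelta(hours=4)),
    Contact("Cyber insurer", "claim intake", "insurer portal", timedelta(hours=24)),
    Contact("Cloud provider", "security/abuse contact", "support case", timedelta(hours=4)),
)


@dataclass
class Incident:
    incident_id: str
    declared_at: datetime
    playbook: str
    commander: str
    severity: str
    timeline: list = field(default_factory=list)  # append-only (when, who, what)

    def log(self, at: datetime, actor: str, action: str) -> None:
        self.timeline.append((at, actor, action))

    def declaration_record(self) -> dict:
        """The fields an auditor expects on the declaration ticket."""
        return {
            "incident_id": self.incident_id,
            "declared_at": self.declared_at.isoformat(),
            "playbook": self.playbook,
            "commander": self.commander,
            "severity": self.severity,
        }


def declare_incident(incident_id, playbook, commander, severity, now: datetime) -> Incident:
    if now.tzinfo is None:
        raise ValueError("declaration time must be timezone-aware; log in UTC")
    inc = Incident(incident_id, now.astimezone(timezone.utc), playbook, commander, severity)
    inc.log(inc.declared_at, commander, f"Incident declared; playbook {playbook} activated")
    return inc


def notification_deadlines(incident: Incident, contacts=CONTACT_MATRIX) -> dict:
    """Deadline per party = declaration time + that party's notification window."""
    return {c.party: incident.declared_at + c.notify_within for c in contacts}


def check_coordination(incident: Incident, notified: dict, now: datetime,
                       contacts=CONTACT_MATRIX) -> dict:
    """notified maps party -> time of first contact.  Returns one of
    on_time, late, pending (not yet due) or overdue (not contacted, past due)."""
    status = {}
    for party, deadline in notification_deadlines(incident, contacts).items():
        at = notified.get(party)
        if at is None:
            status[party] = "overdue" if now > deadline else "pending"
        else:
            status[party] = "on_time" if at <= deadline else "late"
    return status


def demo_status() -> dict:
    """Constructed walkthrough: declared 10:00Z, checked at 16:00Z the same day."""
    inc = declare_incident("INC-0001", "PB-ransomware", "IR lead", "critical",
                           parse_time("2024-03-01T10:00:00Z"))
    notified = {
        "MSSP": parse_time("2024-03-01T10:30:00Z"),
        "Legal counsel": parse_time("2024-03-01T15:00:00Z"),
    }
    for party, at in notified.items():
        inc.log(at, "IR lead", f"Notified {party} per contact matrix")
    return check_coordination(inc, notified, parse_time("2024-03-01T16:00:00Z"))


def demo_record() -> dict:
    """Declaration record for the same constructed incident."""
    return declare_incident("INC-0001", "PB-ransomware", "IR lead", "critical",
                            parse_time("2024-03-01T10:00:00Z")).declaration_record()


if __name__ == "__main__":
    for party, state in demo_status().items():
        print(f"{party:15} {state}")
```

The status values map directly onto the evidence below: an on_time entry is what the third-party coordination log should show for each party, while a late or overdue entry needs a timeline note explaining why the window was missed. Rejecting naive (timezone-less) declaration times is deliberate; a timestamp without a zone is exactly the kind of ambiguity that makes an SLA argument with an insurer or MSSP unresolvable later.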

Evidence required

Incident declaration record

A timestamped record showing when the incident was declared and which response plan was activated.

  • Jira or ServiceNow ticket with declaration timestamp and playbook reference
  • PagerDuty incident log showing on-call notifications
  • Slack war-room channel creation time and initial message

Third-party coordination log

Evidence that external parties were notified and engaged per the contact matrix.

  • Email thread with legal counsel timestamped within SLA
  • MSSP escalation ticket or call log
  • Cyber insurer notification record with case number

Related controls