Skip to main content

IRO-01: Incident Response Operations

IRO 9 — Critical Govern

Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.

Control Question: Does the organization implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents?

General (53)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) A1.2-POF5 CC2.2-POF10 CC2.2-POF3 CC7.3 CC7.3-POF1 CC7.4 CC7.4-POF1 CC7.4-POF10 CC7.4-POF11 CC7.4-POF12 CC7.4-POF13 CC7.4-POF2 CC7.4-POF3 CC7.4-POF4 CC7.4-POF5 CC7.4-POF6 CC7.4-POF7 CC7.4-POF8 CC7.4-POF9
CIS CSC 8.1 17 17.5
CIS CSC 8.1 IG2 17.5
CIS CSC 8.1 IG3 17.5
COBIT 2019 DSS02.01 DSS02.02 DSS02.03 DSS02.04 DSS02.05 DSS02.06 DSS02.07
CSA CCM 4 LOG-05 SEF-01 SEF-02
CSA IoT SCF 2 IMT-01
ENISA 2.0 SO16 SO18
Generally Accepted Privacy Principles (GAPP) 1.2.7
GovRAMP Low IR-01
GovRAMP Low+ IR-01
GovRAMP Moderate IR-01
GovRAMP High IR-01
IEC 62443-4-2 2019 FR 6 (10.1)
IMO Maritime Cyber Risk Management 3.5.4
ISO/SAE 21434 2021 RC-05-15 RQ-08-03 RQ-08-04
ISO 27002 2022 5.24
ISO 27017 2015 16.1.1
MPA Content Security Program 5.1 OR-4.0 TS-1.4
NAIC Insurance Data Security Model Law (MDL-668) 4.C(4)(c)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 6.2 MANAGE 2.3 MANAGE 2.4
NIST 800-53 R4 IR-1
NIST 800-53 R4 (low) IR-1
NIST 800-53 R4 (moderate) IR-1
NIST 800-53 R4 (high) IR-1
NIST 800-53 R5 (source) IR-1
NIST 800-53B R5 (privacy) (source) IR-1
NIST 800-53B R5 (low) (source) IR-1
NIST 800-53B R5 (moderate) (source) IR-1
NIST 800-53B R5 (high) (source) IR-1
NIST 800-82 R3 LOW OT Overlay IR-1
NIST 800-82 R3 MODERATE OT Overlay IR-1
NIST 800-82 R3 HIGH OT Overlay IR-1
NIST 800-161 R1 IR-1
NIST 800-161 R1 C-SCRM Baseline IR-1
NIST 800-161 R1 Flow Down IR-1
NIST 800-161 R1 Level 1 IR-1
NIST 800-161 R1 Level 2 IR-1
NIST 800-161 R1 Level 3 IR-1
NIST 800-171 R2 (source) NFO-IR-1
NIST 800-171A (source) 3.6.1[a] 3.6.1[b] 3.6.1[c] 3.6.1[d] 3.6.1[e] 3.6.1[f]
NIST 800-171 R3 (source) 03.06.01
NIST 800-171A R3 (source) A.03.06.01[01]
NIST CSF 2.0 (source) DE.AE GV.SC-08 RS RS.MI
PCI DSS 4.0.1 (source) 10.7 10.7.1 10.7.2 10.7.3 12.10
PCI DSS 4.0.1 SAQ D Merchant (source) 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 10.7.1 10.7.2 10.7.3
Shared Assessments SIG 2025 J.4
SWIFT CSF 2023 6.1 6.2 6.3 7.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IRO-01
SCF CORE ESP Level 1 Foundational IRO-01
SCF CORE ESP Level 2 Critical Infrastructure IRO-01
SCF CORE ESP Level 3 Advanced Threats IRO-01
US (39)
Framework Mapping Values
US C2M2 2.1 SITUATION-3.G.MIL3 RESPONSE-1.A.MIL1 RESPONSE-1.B.MIL2 RESPONSE-1.C.MIL2 RESPONSE-2.A.MIL1 RESPONSE-2.B.MIL1 RESPONSE-2.C.MIL2 RESPONSE-2.D.MIL2 RESPONSE-2.E.MIL2 RESPONSE-2.F.MIL2 RESPONSE-2.G.MIL2 RESPONSE-2.H.MIL3 RESPONSE-2.I.MIL3 RESPONSE-3.A.MIL1 RESPONSE-3.B.MIL1 RESPONSE-3.C.MIL1 RESPONSE-3.D.MIL2 RESPONSE-3.E.MIL2 RESPONSE-3.F.MIL2
US CISA CPG 2022 2.S 5.A
US CJIS Security Policy 5.9.3 (source) IR-1 5.13.5
US CMS MARS-E 2.0 IR-1
US DHS CISA SSDAF 1.f
US DHS CISA TIC 3.0 3.UNI.IRPIH
US DHS ZTCF SEC-02
US EO 14028 4e(i)(F)
US FCA CRM 609.930(c)(3)
US FedRAMP R4 IR-1
US FedRAMP R4 (low) IR-1
US FedRAMP R4 (moderate) IR-1
US FedRAMP R4 (high) IR-1
US FedRAMP R4 (LI-SaaS) IR-1
US FedRAMP R5 (source) IR-1
US FedRAMP R5 (low) (source) IR-1
US FedRAMP R5 (moderate) (source) IR-1
US FedRAMP R5 (high) (source) IR-1
US FedRAMP R5 (LI-SaaS) (source) IR-1
US FFIEC D5.IR.Pl.B.1
US GLBA CFR 314 2023 (source) 314.4(h) 314.4(h)(1) 314.4(h)(2) 314.4(h)(3) 314.4(h)(4) 314.4(h)(5) 314.4(h)(6) 314.4(h)(7)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(1)(i) 164.308(a)(6)(i) 164.308(a)(7)(i)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(1)(i) 164.308(a)(6)(i) 164.308(a)(7)(i)
US HIPAA HICP Small Practice 8.S.A 10.S.A
US HIPAA HICP Medium Practice 8.M.A 8.M.B
US HIPAA HICP Large Practice 8.M.A 8.M.B 8.L.C 9.L.B
US IRS 1075 1.8.4 IR-1
US NERC CIP 2024 (source) CIP-003-8 1.1.5 CIP-003-8 1.2.4 CIP-008-6 1.1 CIP-008-6 3.2
US NISPOM 2020 8-101 8-103
US NNPI (unclass) 8.1 8.2 8.3 8.4
US SEC Cybersecurity Rule Form 8-K Item 1.05(a)
US SSA EIESR 8.0 5.6 5.9
US TSA / DHS 1580/82-2022-01 III.D.2.d
US - CA CCPA 2025 7123(c)(17) 7123(c)(17)(B)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.16(a) 500.2(b)(4) 500.3(n)
US - TX DIR Control Standards 2.0 IR-1
US - TX TX-RAMP Level 1 IR-1
US - TX TX-RAMP Level 2 IR-1
US - VT Act 171 of 2018 2447(b)(10) 2447(b)(10)(A)
EMEA (20)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5.1(59) 3.5.1(60) 3.5.1(60)(a) 3.5.1(60)(b) 3.5.1(60)(c) 3.5.1(60)(d) 3.5.1(60)(d)(i) 3.5.1(60)(d)(ii) 3.5.1(60)(e) 3.5.1(60)(f) 3.5.1(60)(f)(i) 3.5.1(60)(f)(ii)
EMEA EU DORA 14.1 14.2 14.3 17.1 17.2 17.3 17.3(a) 17.3(b) 17.3(c) 17.3(d) 17.3(e) 17.3(f) 9.4(b)
EMEA EU NIS2 21.2(b) 23.1
EMEA EU NIS2 Annex 3.1.1 3.2.1 3.5.1 4.3.1
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 4.7
EMEA Germany C5 2020 SIM-01
EMEA Israel CDMO 1.0 24.1
EMEA Saudi Arabia ECC-1 2018 2-13-1 2-13-2 2-13-3 2-13-3-2 2-13-4
EMEA Saudi Arabia OTCC-1 2022 2-12 2-12-1 2-12-2
EMEA Saudi Arabia SACS-002 TPC-23 TPC-88 TPC-89
EMEA Saudi Arabia SAMA CSF 1.0 3.3.15
EMEA South Africa 19.1 19.3 22
EMEA Spain BOE-A-2022-7191 25.1
EMEA Spain 311/2022 25.1
EMEA Spain CCN-STIC 825 7.3.7 [OP.EXP.7]
EMEA UAE NIAF 3.3 3.3.2
EMEA UK CAF 4.0 D1
EMEA UK DEFSTAN 05-138 3105 4104
APAC (7)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0137 ISM-0576 ISM-1609 ISM-1618
APAC Australia Prudential Standard CPS230 32
APAC Australia Prudential Standard CPS234 23 24
APAC India SEBI CSCRF RS.MA.S1
APAC Japan ISMAP 16.1.1
APAC New Zealand NZISM 3.6 7.1.7.C.01 7.1.7.C.02 7.1.7.C.03 7.2.18.C.01
APAC Singapore MAS TRM 2021 7.7.1 7.7.2 7.7.3(a) 7.7.3(b) 7.7.3(c) 7.7.4 7.7.5 7.7.6 7.7.7
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 6.1 6.3 6.4
Americas Canada CSAG 1.3 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8
Americas Canada OSFI B-13 2.7 2.7.2 3.3 3.4.1
Americas Canada ITSP-10-171 03.06.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.

Level 1 — Performed Informally

Incident Response (IRO) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
  • Incident response operations are decentralized.
Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

  • Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Incident responders are proficient on their specific IRP role(s) and responsibilities through recurring training events (e.g., annual rock drill).
  • IT personnel support incident response operations by provisioning and deprovisioning incident responders with temporary emergency accounts.
  • IT/cybersecurity personnel update the IRP, based on lessons learned from incidents / exercises.
Level 3 — Well Defined

Incident Response (IRO) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data protection and business function representatives that can perform coordinated incident response. o Develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data protection response operations.

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for Incident Response (IR) practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to incident response.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for incident response.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including IR.
  • An Integrated Security Incident Response Team (ISIRT), or similar function:
  • A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
  • Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.

Assessment Objectives

  1. IRO-01_A01 the rigor of incident handling activities is comparable and predictable across the organization.
  2. IRO-01_A02 the intensity of incident handling activities is comparable and predictable across the organization.
  3. IRO-01_A03 the scope of incident handling activities is comparable and predictable across the organization.
  4. IRO-01_A04 the results of incident handling activities are comparable and predictable across the organization.
  5. IRO-01_A05 incident handling activities are coordinated with contingency planning activities.
  6. IRO-01_A06 an operational incident-handling capability is established.
  7. IRO-01_A07 the operational incident-handling capability includes preparation.
  8. IRO-01_A08 the operational incident-handling capability includes detection and analysis.
  9. IRO-01_A09 the operational incident-handling capability includes containment.
  10. IRO-01_A10 the operational incident-handling capability includes eradication.
  11. IRO-01_A11 the operational incident-handling capability includes recovery.
  12. IRO-01_A12 lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing.
  13. IRO-01_A13 the changes resulting from the incorporated lessons learned are implemented accordingly.
  14. IRO-01_A14 an incident-handling capability that is consistent with the incident response plan is implemented.
  15. IRO-01_A15 incident response management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  16. IRO-01_A16 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support incident response management operations.
  17. IRO-01_A17 responsibility and authority for the performance of incident response management-related activities are assigned to designated personnel.
  18. IRO-01_A18 personnel performing incident response management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-IRO-01 Incident Response Program (IRP)

Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.

Incident Response

Technology Recommendations

Micro/Small

  • Incident Response Plan (IRP)

Small

  • Incident Response Plan (IRP)

Medium

  • Integrated Incident Response Program (IIRP)

Large

  • Integrated Incident Response Program (IIRP)

Enterprise

  • Integrated Incident Response Program (IIRP)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free