IRO-02: Incident Handling
Mechanisms exist to cover: (1) Preparation; (2) Automated event detection or manual incident report intake; (3) Analysis; (4) Containment; (5) Eradication; and (6) Recovery.
Control Question: Does the organization cover: (1) Preparation; (2) Automated event detection or manual incident report intake; (3) Analysis; (4) Containment; (5) Eradication; and (6) Recovery?
General (52)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | A1.2-POF5 CC2.2-POF10 CC2.2-POF3 CC2.2-POF6 CC2.3-POF8 CC7.3 CC7.3-POF1 CC7.3-POF3 CC7.3-POF4 CC7.3-POF5 CC7.3-POF6 CC7.3-POF7 CC7.4 CC7.4-POF1 CC7.4-POF10 CC7.4-POF11 CC7.4-POF12 CC7.4-POF13 CC7.4-POF2 CC7.4-POF3 CC7.4-POF4 CC7.4-POF5 CC7.4-POF6 CC7.4-POF7 CC7.4-POF8 CC7.4-POF9 |
| CIS CSC 8.1 | 2.3 17 17.1 17.3 17.4 17.5 17.6 17.9 |
| CIS CSC 8.1 IG1 | 2.3 17.1 17.3 |
| CIS CSC 8.1 IG2 | 2.3 17.1 17.3 17.4 17.5 17.6 17.7 |
| CIS CSC 8.1 IG3 | 2.3 17.1 17.3 17.4 17.5 17.6 17.7 17.9 |
| COBIT 2019 | DSS02.01 DSS02.02 DSS02.03 DSS02.04 DSS02.05 DSS02.06 DSS02.07 |
| CSA CCM 4 | LOG-05 SEF-03 SEF-06 |
| CSA IoT SCF 2 | IAM-08 IAM-09 IAM-11 IMT-01 MON-02 |
| Generally Accepted Privacy Principles (GAPP) | 1.2.7 |
| GovRAMP Core | IR-04 |
| GovRAMP Low | IR-04 |
| GovRAMP Low+ | IR-04 |
| GovRAMP Moderate | IR-04 |
| GovRAMP High | IR-04 |
| IEC 62443-4-2 2019 | FR 6 (10.1) |
| IMO Maritime Cyber Risk Management | 3.5.4 |
| ISO/SAE 21434 2021 | RC-05-15 RQ-08-03 RQ-08-04 RQ-08-08 RQ-13-01.a RQ-13-01.b RQ-13-01.c RQ-13-01.d RQ-13-01.e RQ-13-01.f RQ-13-01.g RQ-13-02 |
| ISO 27002 2022 | 5.24 5.25 5.26 6.8 |
| ISO 27017 2015 | 16.1.3 16.1.4 16.1.5 |
| ISO 42001 2023 | A.3.3 |
| MPA Content Security Program 5.1 | OR-4.0 TS-1.4 |
| NAIC Insurance Data Security Model Law (MDL-668) | 5.A 5.B(1) 5.B(2) 5.B(3) 5.B(4) 5.C 5.D 6.D(1) 6.D(2) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 6.2 MANAGE 2.3 MANAGE 2.4 |
| NIST Privacy Framework 1.0 | GV.MT-P4 GV.MT-P5 |
| NIST 800-53 R4 | IR-4 |
| NIST 800-53 R4 (low) | IR-4 |
| NIST 800-53 R4 (moderate) | IR-4 |
| NIST 800-53 R4 (high) | IR-4 |
| NIST 800-53 R5 (source) | IR-4 |
| NIST 800-53B R5 (privacy) (source) | IR-4 |
| NIST 800-53B R5 (low) (source) | IR-4 |
| NIST 800-53B R5 (moderate) (source) | IR-4 |
| NIST 800-53B R5 (high) (source) | IR-4 |
| NIST 800-82 R3 LOW OT Overlay | IR-4 |
| NIST 800-82 R3 MODERATE OT Overlay | IR-4 |
| NIST 800-82 R3 HIGH OT Overlay | IR-4 |
| NIST 800-161 R1 | IR-4 |
| NIST 800-171 R2 (source) | 3.6.1 3.6.2 |
| NIST 800-171A (source) | 3.6.1[a] 3.6.1[b] 3.6.1[c] 3.6.1[d] 3.6.1[e] 3.6.1[f] 3.6.1[g] 3.6.2[a] 3.6.2[b] 3.6.2[c] 3.6.2[d] 3.6.2[e] 3.6.2[f] |
| NIST 800-171 R3 (source) | 03.03.04.b 03.06.01 03.06.02.a 03.06.02.b 03.06.02.c 03.06.02.d |
| NIST 800-171A R3 (source) | A.03.06.01[02] A.03.06.01[03] A.03.06.01[04] A.03.06.01[05] A.03.06.01[06] A.03.06.02.b |
| NIST CSF 2.0 (source) | DE.AE DE.AE-02 DE.AE-03 DE.AE-04 DE.AE-06 DE.AE-08 GV.SC-08 RC.RP-06 RS RS.AN RS.AN-06 RS.CO RS.CO-02 RS.CO-03 RS.MA RS.MA-01 RS.MA-02 RS.MA-04 RS.MI RS.MI-01 RS.MI-02 |
| PCI DSS 4.0.1 (source) | 12.10 12.10.5 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.10.5 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.10.5 |
| SWIFT CSF 2023 | 6.1 6.2 6.3 7.1 |
| TISAX ISA 6 | 1.6.1 1.6.2 1.6.3 9.6.2 |
| SCF CORE Fundamentals | IRO-02 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-02 |
| SCF CORE ESP Level 1 Foundational | IRO-02 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-02 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-02 |
US (42)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-3.G.MIL3 RESPONSE-1.A.MIL1 RESPONSE-1.B.MIL2 RESPONSE-1.C.MIL2 RESPONSE-2.A.MIL1 RESPONSE-2.B.MIL1 RESPONSE-2.C.MIL2 RESPONSE-2.D.MIL2 RESPONSE-2.E.MIL2 RESPONSE-2.F.MIL2 RESPONSE-2.G.MIL2 RESPONSE-2.H.MIL3 RESPONSE-2.I.MIL3 RESPONSE-3.A.MIL1 RESPONSE-3.B.MIL1 RESPONSE-3.C.MIL1 RESPONSE-3.D.MIL2 RESPONSE-3.E.MIL2 RESPONSE-3.F.MIL2 |
| US CERT RMM 1.2 | IMC:SG1.SP1 IMC:SG1.SP2 IMC:SG2.SP1 IMC:SG2.SP2 IMC:SG2.SP3 IMC:SG2.SP4 IMC:SG3.SP1 IMC:SG3.SP2 IMC:SG4.SP1 IMC:SG4.SP2 IMC:SG4.SP3 IMC:SG4.SP4 IMC:SG5.SP1 IMC:SG5.SP2 |
| US CISA CPG 2022 | 2.S 5.A |
| US CJIS Security Policy 5.9.3 (source) | IR-4 |
| US CMMC 2.0 Level 2 (source) | IR.L2-3.6.1 IR.L2-3.6.2 |
| US CMMC 2.0 Level 3 (source) | IR.L2-3.6.1 IR.L2-3.6.2 |
| US CMS MARS-E 2.0 | IR-4 |
| US DoD Zero Trust Execution Roadmap | 6.7.2 |
| US DHS CISA TIC 3.0 | 3.UNI.IRPIH |
| US DHS ZTCF | SEC-02 |
| US FCA CRM | 609.930(c)(3) 609.930(c)(3)(i) 609.930(c)(3)(ii) 609.930(c)(3)(iii) |
| US FedRAMP R4 | IR-4 |
| US FedRAMP R4 (low) | IR-4 |
| US FedRAMP R4 (moderate) | IR-4 |
| US FedRAMP R4 (high) | IR-4 |
| US FedRAMP R4 (LI-SaaS) | IR-4 |
| US FedRAMP R5 (source) | IR-4 |
| US FedRAMP R5 (low) (source) | IR-4 |
| US FedRAMP R5 (moderate) (source) | IR-4 |
| US FedRAMP R5 (high) (source) | IR-4 |
| US FedRAMP R5 (LI-SaaS) (source) | IR-4 |
| US FFIEC | D5.IR.Pl.Int.4 D5.IR.Te.E.1 D5.ER.Es.E.1 D1.RM.RMP.A.4 D5.DR.De.B.1 D3.DC.An.E.4 D3.DC.An.Int.3 D5.IR.Pl.B.1 D5.DR.De.B.3 D5.DR.De.Int.3 D5.ER.Es.B.4 D5.DR.Re.E.1 D5.DR.Re.B.1 D5.DR.Re.E.4 D5.DR.Re.E.2 D5.DR.Re.E.3 D5.DR.De.B.1 D5.DR.Re.E.3 D3.PC.Im.E.4 |
| US GLBA CFR 314 2023 (source) | 314.4(h) 314.4(h)(1) 314.4(h)(2) 314.4(h)(3) 314.4(h)(4) 314.4(h)(5) 314.4(h)(6) 314.4(h)(7) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(6)(ii) 164.412 164.412(a) 164.412(b) 164.530(f) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(6)(ii) |
| US HIPAA HICP Small Practice | 8.S.A |
| US HIPAA HICP Medium Practice | 8.M.A 8.M.B |
| US HIPAA HICP Large Practice | 8.M.A 8.M.B 2.L.D |
| US IRS 1075 | IR-4 |
| US NERC CIP 2024 (source) | CIP-008-6 1.1 CIP-008-6 1.2.1 CIP-008-6 1.4 |
| US NISPOM 2020 | 1-303 4-218 |
| US NNPI (unclass) | 8.1 8.2 8.3 8.4 |
| US SEC Cybersecurity Rule | Form 8-K Item 1.05(a) |
| US SSA EIESR 8.0 | 5.6 5.9 |
| US TSA / DHS 1580/82-2022-01 | III.D.2.d |
| US - CA CCPA 2025 | 7027(m)(2) 7123(c)(17)(B)(i) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.16(a) |
| US - TX DIR Control Standards 2.0 | IR-4 |
| US - TX SB 820 | 11.175(e) |
| US - TX TX-RAMP Level 1 | IR-4 |
| US - TX TX-RAMP Level 2 | IR-4 |
| US - VT Act 171 of 2018 | 2447(b)(10) 2447(b)(10)(A) |
EMEA (17)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.5.1(59) 3.5.1(60) 3.5.1(60)(a) 3.5.1(60)(b) 3.5.1(60)(c) 3.5.1(60)(d) 3.5.1(60)(d)(i) 3.5.1(60)(d)(ii) 3.5.1(60)(e) 3.5.1(60)(f) 3.5.1(60)(f)(i) 3.5.1(60)(f)(ii) |
| EMEA EU DORA | 14.1 14.2 14.3 18.1 18.1(a) 18.1(b) 18.1(c) 18.1(d) 18.1(e) 18.1(f) 18.2 9.4(b) |
| EMEA EU NIS2 | 21.2(b) 23.1 |
| EMEA EU NIS2 Annex | 3.1.2(b) 3.4.1 3.4.2(e) 3.5.2(a) 3.5.2(b) 3.5.2(c) 3.5.3(b) |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 4.7 |
| EMEA Germany C5 2020 | SIM-02 |
| EMEA Israel CDMO 1.0 | 7.2 24.2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-12-2 |
| EMEA Saudi Arabia ECC-1 2018 | 2-13-3-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-12-2-1 2-12-2-2 2-12-2-3 2-12-2-4 2-12-2-5 2-12-2-6 2-12-2-7 2-12-2-8 |
| EMEA Saudi Arabia SACS-002 | TPC-23 TPC-88 TPC-89 |
| EMEA Spain BOE-A-2022-7191 | 25.1 25.2 33.4 |
| EMEA Spain 311/2022 | 25.1 25.2 33.4 |
| EMEA Spain CCN-STIC 825 | 7.3.7 [OP.EXP.7] 7.3.9 [OP.EXP.9] |
| EMEA UAE NIAF | 3.3.1 3.3.2 |
| EMEA UK CAF 4.0 | D1.b |
| EMEA UK DEFSTAN 05-138 | 3105 4104 |
APAC (11)
| Framework | Mapping Values |
|---|---|
| APAC Australia Essential 8 | ML2-P3 ML2-P4 ML2-P5 ML2-P7 ML3-P3 ML3-P4 ML3-P5 ML3-P7 |
| APAC Australia ISM June 2024 | ISM-0123 ISM-0141 ISM-0917 ISM-1618 ISM-1803 |
| APAC Australia Prudential Standard CPS230 | 32 |
| APAC Australia Prudential Standard CPS234 | 23 24 |
| APAC China Privacy Law | 57 57(1) 57(2) 57(3) |
| APAC India SEBI CSCRF | RS.MA.S2 |
| APAC Japan ISMAP | 16.1.3 16.1.4 16.1.5 |
| APAC New Zealand HISF 2022 | HHSP07 HML07 HSUP07 |
| APAC New Zealand HISF Suppliers 2023 | HSUP07 |
| APAC New Zealand NZISM 3.6 | 5.7.4.C.01 7.2.17.C.01 7.2.17.C.02 7.2.18.C.01 7.2.19.C.01 7.3.9.C.01 7.3.10.C.01 |
| APAC Singapore MAS TRM 2021 | 7.7.3(a) 7.7.3(b) 7.7.3(c) |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Brazil LGPD | 48 |
| Americas Canada OSFI B-13 | 2.7 2.7.1 2.7.2 3.3 3.3.3 3.4.1 3.4.3 3.4.4 |
| Americas Canada ITSP-10-171 | 03.03.04.B 03.06.01 03.06.02.A 03.06.02.B 03.06.02.C 03.06.02.D |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to cover: (1) Preparation; (2) Automated event detection or manual incident report intake; (3) Analysis; (4) Containment; (5) Eradication; and (6) Recovery.
Level 1 — Performed Informally
Incident Response (IRO) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- IT personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Incident response operations are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
  - Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations.
  - Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident responders are proficient in their specific IRP role(s) and responsibilities through recurring training events (e.g., annual rock drill).
- IT personnel support incident response operations by provisioning and deprovisioning incident responders with temporary emergency accounts.
- IT/cybersecurity personnel update the IRP, based on lessons learned from incidents / exercises.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that include preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
Incident Response (IR) is metrics-driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to cover: (1) Preparation; (2) Automated event detection or manual incident report intake; (3) Analysis; (4) Containment; (5) Eradication; and (6) Recovery.
Assessment Objectives
- IRO-02_A01 an incident handling capability for incidents is implemented that is consistent with the incident response plan.
- IRO-02_A02 the incident handling capability includes preparation.
- IRO-02_A03 the incident handling capability includes detection and analysis.
- IRO-02_A04 the incident handling capability includes containment.
- IRO-02_A05 the incident handling capability includes eradication.
- IRO-02_A06 the incident handling capability includes recovery.
- IRO-02_A07 incident handling activities are coordinated with contingency planning activities.
- IRO-02_A08 the operational incident-handling capability includes user response activities.
- IRO-02_A09 authorities to whom incidents are to be reported are identified.
- IRO-02_A10 organizational officials to whom incidents are to be reported are identified.
- IRO-02_A11 identified authorities are notified of incidents.
- IRO-02_A12 identified organizational officials are notified of incidents.
- IRO-02_A13 incidents are tracked.
- IRO-02_A14 incidents are documented.
- IRO-02_A15 lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training and testing.
- IRO-02_A16 the changes resulting from the incorporated lessons learned are implemented accordingly.
- IRO-02_A17 the rigor of incident handling activities is comparable and predictable across the organization.
- IRO-02_A18 the intensity of incident handling activities is comparable and predictable across the organization.
- IRO-02_A19 the scope of incident handling activities is comparable and predictable across the organization.
- IRO-02_A20 the results of incident handling activities are comparable and predictable across the organization.
- IRO-02_A21 suspected incidents are reported to the organizational incident response capability within an organization-defined time period.
- IRO-02_A22 suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.
Evidence Requirements
- E-IRO-03 Incident Tracking: Documented evidence of a centralized repository to track cybersecurity & data privacy incidents.
Incident Response
Technology Recommendations
Micro/Small
- Incident Response Plan (IRP)
Small
- Incident Response Plan (IRP)
Medium
- Integrated Incident Response Program (IIRP)
- ITIL 4 (https://axelos.com) - Incident and problem management
Large
- Integrated Incident Response Program (IIRP)
- ITIL 4 (https://axelos.com) - Incident and problem management
Enterprise
- Integrated Incident Response Program (IIRP)
- ITIL 4 (https://axelos.com) - Incident and problem management