IRO-04: Incident Response Plan (IRP)
Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Control Question: Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?
General (62)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF10 CC2.3-POF8 CC7.3 CC7.3-POF1 CC7.4 CC7.4-POF1 CC7.4-POF10 CC7.4-POF11 CC7.4-POF12 CC7.4-POF13 CC7.4-POF2 CC7.4-POF3 CC7.4-POF4 CC7.4-POF5 CC7.4-POF6 CC7.4-POF7 CC7.4-POF8 CC7.4-POF9 |
| CIS CSC 8.1 | 17.1 17.4 17.5 17.6 17.9 |
| CIS CSC 8.1 IG1 | 17.1 |
| CIS CSC 8.1 IG2 | 17.1 17.4 17.5 17.6 17.7 |
| CIS CSC 8.1 IG3 | 17.1 17.4 17.5 17.6 17.7 17.9 |
| COBIT 2019 | DSS02.01 DSS02.05 |
| CSA CCM 4 | LOG-05 SEF-03 |
| CSA IoT SCF 2 | IAM-09 IMT-01 |
| ENISA 2.0 | SO16 |
| Generally Accepted Privacy Principles (GAPP) | 1.2.7 |
| GovRAMP Core | IR-08 |
| GovRAMP Low | IR-08 |
| GovRAMP Low+ | IR-08 |
| GovRAMP Moderate | IR-08 |
| GovRAMP High | IR-08 |
| IMO Maritime Cyber Risk Management | 3.5.3.7 |
| ISO/SAE 21434 2021 | RQ-13-02 |
| ISO 27002 2022 | 5.24 5.26 |
| ISO 27017 2015 | 16.1.5 |
| MPA Content Security Program 5.1 | OR-4.0 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.H(1) 4.H(2) 4.H(2)(a) 4.H(2)(b) 4.H(2)(c) 4.H(2)(d) 4.H(2)(e) 4.H(2)(f) 4.H(2)(g) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 6.2 MANAGE 4.0 |
| NIST AI 600-1 | GV-6.2-003 MG-2.3-001 MG-4.2-002 |
| NIST Privacy Framework 1.0 | PR.PO-P7 |
| NIST 800-53 R4 | IR-8 |
| NIST 800-53 R4 (low) | IR-8 |
| NIST 800-53 R4 (moderate) | IR-8 |
| NIST 800-53 R4 (high) | IR-8 |
| NIST 800-53 R5 (source) | IR-8 |
| NIST 800-53B R5 (privacy) (source) | IR-8 |
| NIST 800-53B R5 (low) (source) | IR-8 |
| NIST 800-53B R5 (moderate) (source) | IR-8 |
| NIST 800-53B R5 (high) (source) | IR-8 |
| NIST 800-82 R3 LOW OT Overlay | IR-8 |
| NIST 800-82 R3 MODERATE OT Overlay | IR-8 |
| NIST 800-82 R3 HIGH OT Overlay | IR-8 |
| NIST 800-161 R1 | IR-8 |
| NIST 800-161 R1 C-SCRM Baseline | IR-8 |
| NIST 800-161 R1 Flow Down | IR-8 |
| NIST 800-161 R1 Level 2 | IR-8 |
| NIST 800-161 R1 Level 3 | IR-8 |
| NIST 800-171 R2 (source) | NFO-IR-8 |
| NIST 800-171 R3 (source) | 03.06.01 03.06.05.a 03.06.05.a.01 03.06.05.a.02 03.06.05.a.03 03.06.05.a.04 03.06.05.a.05 03.06.05.a.06 03.06.05.b |
| NIST 800-171A R3 (source) | A.03.06.02.ODP[01] A.03.06.02.ODP[02] A.03.06.05.a.01 A.03.06.05.a.02 A.03.06.05.a.03 A.03.06.05.a.04 A.03.06.05.a.05 A.03.06.05.a.06 A.03.06.05.b[01] A.03.06.05.b[02] |
| NIST CSF 2.0 (source) | DE.AE-06 ID.IM-04 RS RS.MA RS.MA-01 RS.MA-02 RS.MA-04 RS.MI |
| PCI DSS 4.0.1 (source) | 12.10 12.10.1 12.10.5 12.10.7 |
| PCI DSS 4.0.1 SAQ A (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ B (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ C (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 12.10.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.10.1 12.10.5 12.10.7 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.10.1 12.10.5 12.10.7 |
| PCI DSS 4.0.1 SAQ P2PE (source) | 12.10.1 |
| SWIFT CSF 2023 | 7.1 |
| TISAX ISA 6 | 1.6.3 9.6.2 |
| SCF CORE Fundamentals | IRO-04 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-04 |
| SCF CORE ESP Level 1 Foundational | IRO-04 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-04 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-04 |
US (35)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-3.G.MIL3 RESPONSE-1.A.MIL1 RESPONSE-1.B.MIL2 RESPONSE-1.C.MIL2 RESPONSE-2.A.MIL1 RESPONSE-2.B.MIL1 RESPONSE-2.C.MIL2 RESPONSE-2.D.MIL2 RESPONSE-2.E.MIL2 RESPONSE-2.F.MIL2 RESPONSE-2.G.MIL2 RESPONSE-2.H.MIL3 RESPONSE-2.I.MIL3 RESPONSE-3.A.MIL1 RESPONSE-3.B.MIL1 RESPONSE-3.C.MIL1 RESPONSE-3.D.MIL2 RESPONSE-3.E.MIL2 RESPONSE-3.F.MIL2 RESPONSE-1.I.MIL3 |
| US CERT RMM 1.2 | IMC:SG1.SP1 IMC:SG1.SP2 |
| US CISA CPG 2022 | 2.S |
| US CJIS Security Policy 5.9.3 (source) | IR-8 |
| US CMS MARS-E 2.0 | IR-8 |
| US DoD Zero Trust Execution Roadmap | 6.7.1 |
| US DHS CISA TIC 3.0 | 3.UNI.IRPIH |
| US DHS ZTCF | SEC-02 |
| US FCA CRM | 609.930(c)(3) |
| US FedRAMP R4 | IR-8 |
| US FedRAMP R4 (low) | IR-8 |
| US FedRAMP R4 (moderate) | IR-8 |
| US FedRAMP R4 (high) | IR-8 |
| US FedRAMP R4 (LI-SaaS) | IR-8 |
| US FedRAMP R5 (source) | IR-8 |
| US FedRAMP R5 (low) (source) | IR-8 |
| US FedRAMP R5 (moderate) (source) | IR-8 |
| US FedRAMP R5 (high) (source) | IR-8 |
| US FedRAMP R5 (LI-SaaS) (source) | IR-8 |
| US GLBA CFR 314 2023 (source) | 314.4(h) 314.4(h)(1) 314.4(h)(2) 314.4(h)(3) 314.4(h)(4) 314.4(h)(5) 314.4(h)(6) 314.4(h)(7) |
| US HIPAA HICP Small Practice | 8.S.A |
| US HIPAA HICP Medium Practice | 8.M.A 8.M.B |
| US HIPAA HICP Large Practice | 8.M.A 8.M.B |
| US IRS 1075 | 1.8.4 1.8.5 IR-8 |
| US NERC CIP 2024 (source) | CIP-008-6 1.1 CIP-008-6 1.4 CIP-008-6 2.2 CIP-008-6 R1 CIP-008-6 R2 CIP-008-6 R3 |
| US NISPOM 2020 | 8-103 1-302 |
| US NNPI (unclass) | 8.1 8.2 8.3 8.4 |
| US SSA EIESR 8.0 | 5.9 |
| US - CA CCPA 2025 | 7123(c)(17)(B)(i) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.16(a) 500.16(a)(1) 500.16(a)(1)(i) 500.16(a)(1)(ii) 500.16(a)(1)(iii) 500.16(a)(1)(iv) 500.16(a)(1)(v) 500.16(a)(1)(vi) 500.16(a)(1)(vii) 500.16(a)(1)(viii) 500.16(b) |
| US - OR 646A | 622(2)(d)(B)(iii) |
| US - TX DIR Control Standards 2.0 | IR-8 |
| US - TX TX-RAMP Level 1 | IR-8 |
| US - TX TX-RAMP Level 2 | IR-8 |
| US - VT Act 171 of 2018 | 2447(b)(10) 2447(b)(10)(A) |
EMEA (12)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.5.1(59) 3.5.1(60) 3.5.1(60)(a) 3.5.1(60)(b) 3.5.1(60)(c) 3.5.1(60)(d) 3.5.1(60)(d)(i) 3.5.1(60)(d)(ii) 3.5.1(60)(e) 3.5.1(60)(f) 3.5.1(60)(f)(i) 3.5.1(60)(f)(ii) |
| EMEA EU DORA | 17.1 17.2 17.3(a) 17.3(b) 17.3(c) 17.3(d) 17.3(e) 17.3(f) |
| EMEA EU NIS2 Annex | 3.1.1 3.1.2(b) 3.1.2(d) 3.5.1 6.10.2(d) |
| EMEA Israel CDMO 1.0 | 7.2 24.2 24.3 24.8 24.9 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-12-1 2-12-2 |
| EMEA Saudi Arabia ECC-1 2018 | 2-13-3-1 2-13-3-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-12-2-2 2-12-2-3 2-12-2-4 2-12-2-5 |
| EMEA Saudi Arabia SACS-002 | TPC-23 TPC-88 |
| EMEA Spain BOE-A-2022-7191 | 25.1 25.2 |
| EMEA Spain 311/2022 | 25.1 25.2 |
| EMEA UK CAF 4.0 | D1.a |
| EMEA UK DEFSTAN 05-138 | 4101 4102 |
APAC (11)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0043 ISM-0576 ISM-0917 ISM-1784 |
| APAC Australia Prudential Standard CPS234 | 23 24 25(a) 25(b) |
| APAC China Cybersecurity Law | 25 |
| APAC China Privacy Law | 57 57(1) 57(2) 57(3) |
| APAC India SEBI CSCRF | DE.DP.S2 GV.RM.S3 RS.MA.S1 RS.MA.S3 |
| APAC Japan ISMAP | 16.1.5 |
| APAC New Zealand HISF 2022 | HHSP07 HML07 HMS20 HSUP07 |
| APAC New Zealand HISF Suppliers 2023 | HSUP07 |
| APAC New Zealand NZISM 3.6 | 5.1.12.C.01 5.1.12.C.02 5.6.3.C.01 5.6.3.C.02 7.2.18.C.01 7.3.5.C.01 7.3.9.C.01 7.3.10.C.01 16.1.47.C.01 |
| APAC Singapore MAS TRM 2021 | 7.7.3(a) 7.7.3(b) 7.7.3(c) 12.3.1 12.3.2 12.3.3 |
| APAC South Korea | 34 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.4 |
| Americas Canada CSAG | 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 |
| Americas Canada OSFI B-13 | 2.7.1 2.7.2 3.4.3 |
| Americas Canada ITSP-10-171 | 03.06.01 03.06.05.A 03.06.05.A.01 03.06.05.A.02 03.06.05.A.03 03.06.05.A.04 03.06.05.A.05 03.06.05.A.06 03.06.05.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations.
- Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel update the IRP based on lessons learned from incidents and exercises.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
Incident Response (IR) is metrics-driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Assessment Objectives
- IRO-04_A01 personnel or roles that review and approve the incident response plan is/are identified.
- IRO-04_A02 entities, personnel or roles with designated responsibility for incident response are defined.
- IRO-04_A03 an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability.
- IRO-04_A04 an incident response plan is developed that describes the structure and organization of the incident response capability.
- IRO-04_A05 an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization.
- IRO-04_A06 an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure and functions.
- IRO-04_A07 an incident response plan is developed that defines reportable incidents.
- IRO-04_A08 an incident response plan is developed that provides metrics for measuring the incident response capability within the organization.
- IRO-04_A09 an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability.
- IRO-04_A10 an incident response plan is developed that addresses the sharing of incident information.
- IRO-04_A11 an incident response plan is developed that is reviewed and approved by designated personnel or roles at a defined frequency.
- IRO-04_A12 an incident response plan is developed that designates responsibilities to organizational entities, personnel, or roles.
- IRO-04_A13 copies of the incident response plan are distributed to designated incident response personnel (identified by name or by role).
- IRO-04_A14 incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined.
- IRO-04_A15 organizational elements to which copies of the incident response plan are to be distributed are defined.
- IRO-04_A16 incident response personnel (identified by name and/or by role) to whom changes to the incident response plan are communicated are defined.
- IRO-04_A17 organizational elements to which changes to the incident response plan are communicated are defined.
- IRO-04_A18 copies of the incident response plan are distributed to organizational elements.
- IRO-04_A19 the frequency at which to review and approve the incident response plan is defined.
- IRO-04_A20 the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution or testing.
- IRO-04_A21 incident response plan changes are communicated to incident response personnel.
- IRO-04_A22 incident response plan changes are communicated to organizational elements.
- IRO-04_A23 the incident response plan is protected from unauthorized disclosure.
- IRO-04_A24 the incident response plan is protected from unauthorized modification.
- IRO-04_A25 the time period to report suspected incidents to the organizational incident response capability is defined.
- IRO-04_A26 authorities to whom incident information is to be reported are defined.
Evidence Requirements
- E-IRO-01 Incident Response Program (IRP)
  Documented evidence of an Incident Response Plan (IRP). This is program-level documentation, in the form of a runbook, playbook or similar format, that provides guidance on organizational practices supporting existing policies and standards.
Incident Response
Technology Recommendations
Micro/Small
- Incident Response Plan (IRP)
Small
- Incident Response Plan (IRP)
Medium
- Integrated Incident Response Program (IIRP)
Large
- Integrated Incident Response Program (IIRP)
Enterprise
- Integrated Incident Response Program (IIRP)