Skip to main content

IRO-06.1: Coordination with Related Plans

IRO 7 — High Protect

Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans.

Control Question: Does the organization coordinate incident response testing with organizational elements responsible for related plans?

General (19)
Framework Mapping Values
CSA CCM 4 BCR-06
Generally Accepted Privacy Principles (GAPP) 1.2.7
GovRAMP Moderate IR-03(02)
GovRAMP High IR-03(02)
ISO 27002 2022 5.29
NIST Privacy Framework 1.0 PR.PO-P8
NIST 800-53 R4 IR-3(2)
NIST 800-53 R4 (moderate) IR-3(2)
NIST 800-53 R4 (high) IR-3(2)
NIST 800-53 R5 (source) IR-3(2)
NIST 800-53B R5 (moderate) (source) IR-3(2)
NIST 800-53B R5 (high) (source) IR-3(2)
NIST 800-82 R3 MODERATE OT Overlay IR-3(2)
NIST 800-82 R3 HIGH OT Overlay IR-3(2)
NIST CSF 2.0 (source) RS.CO
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IRO-06.1
SCF CORE ESP Level 1 Foundational IRO-06.1
SCF CORE ESP Level 2 Critical Infrastructure IRO-06.1
SCF CORE ESP Level 3 Advanced Threats IRO-06.1
US (13)
Framework Mapping Values
US C2M2 2.1 RESPONSE-3.J.MIL3 RESPONSE-3.K.MIL3
US CJIS Security Policy 5.9.3 (source) IR-3(2)
US CMS MARS-E 2.0 IR-3(2)
US FedRAMP R4 IR-3(2)
US FedRAMP R4 (moderate) IR-3(2)
US FedRAMP R4 (high) IR-3(2)
US FedRAMP R5 (source) IR-3(2)
US FedRAMP R5 (moderate) (source) IR-3(2)
US FedRAMP R5 (high) (source) IR-3(2)
US FFIEC D5.IR.Te.B.1 D5.IR.Te.B.3
US IRS 1075 IR-3(2)
US - TX SB 820 11.175(e)
US - TX TX-RAMP Level 2 IR-3(2)
EMEA (1)
Framework Mapping Values
EMEA Saudi Arabia OTCC-1 2022 2-12-2-8
Americas (2)
Framework Mapping Values
Americas Canada CSAG 2.8
Americas Canada OSFI B-13 3.4.1

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to coordinate incident response testing with organizational elements responsible for related plans.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to coordinate incident response testing with organizational elements responsible for related plans.

Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

  • Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
  • The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
  • A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
  • Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to coordinate incident response testing with organizational elements responsible for related plans.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to coordinate incident response testing with organizational elements responsible for related plans.

Assessment Objectives

  1. IRO-06.1_A01 incident response testing is coordinated with organizational elements responsible for related plans.

Evidence Requirements

E-IRO-01 Incident Response Program (IRP)

Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.

Incident Response

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free