IRO-07: Integrated Security Incident Response Team (ISIRT)
Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.
Control Question: Does the organization establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations?
General (30)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF6 CC7.4 CC7.4-POF1 |
| CIS CSC 8.1 | 17.1 17.4 17.5 17.6 17.9 |
| CIS CSC 8.1 IG1 | 17.1 |
| CIS CSC 8.1 IG2 | 17.1 17.4 17.5 17.6 17.7 |
| CIS CSC 8.1 IG3 | 17.1 17.4 17.5 17.6 17.7 17.9 |
| COBIT 2019 | DSS02.05 |
| CSA IoT SCF 2 | IMT-01 |
| ENISA 2.0 | SO16 |
| ISO 27002 2022 | 5.25 5.26 |
| ISO 27017 2015 | 16.1.4 |
| NIST 800-53 R4 | IR-10 |
| NIST 800-53 R5 (source) | IR-4(11) |
| NIST 800-53B R5 (high) (source) | IR-4(11) |
| NIST 800-82 R3 HIGH OT Overlay | IR-4(11) |
| NIST 800-161 R1 | IR-4(11) |
| NIST 800-161 R1 Level 3 | IR-4(11) |
| NIST 800-171A R3 (source) | A.03.06.02.b A.03.06.02.d |
| NIST 800-172 | 3.6.2e |
| NIST CSF 2.0 (source) | DE.AE-06 RS RS.MA RS.MA-01 RS.MA-04 |
| PCI DSS 4.0.1 (source) | 12.10.3 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.10.3 |
| PCI DSS 4.0.1 SAQ C (source) | 12.10.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.10.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.10.3 |
| SWIFT CSF 2023 | 7.1 |
| TISAX ISA 6 | 1.6.3 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-07 |
| SCF CORE ESP Level 1 Foundational | IRO-07 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-07 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-07 |
US (14)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-3.G.MIL3 |
| US CERT RMM 1.2 | IMC:SG1.SP2 OPD:SG1.SP6 |
| US CMMC 2.0 Level 3 (source) | IR.L3-3.6.2E |
| US DHS ZTCF | SEC-02 |
| US FedRAMP R4 | IR-7(2) |
| US FedRAMP R5 (source) | IR-4(11) |
| US FedRAMP R5 (high) (source) | IR-4(11) |
| US FFIEC | D5.ER.Es.Int.3 D5.IR.Pl.Int.1 D5.IR.Pl.B.3 D5.ER.Is.B.1 D5.IR.Pl.Int.1 |
| US GLBA CFR 314 2023 (source) | 314.4(h)(3) |
| US HIPAA HICP Medium Practice | 8.M.A 8.M.B |
| US HIPAA HICP Large Practice | 8.M.A 8.M.B |
| US NERC CIP 2024 (source) | CIP-008-6 1.3 |
| US SEC Cybersecurity Rule | Form 8-K Item 1.05(a) |
| US - TX BC521 | 521.053 |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.5.1(60)(d) 3.5.1(60)(d)(i) |
| EMEA EU DORA | 14.1 14.2 14.3 |
| EMEA EU NIS2 Annex | 3.1.2(c) 3.1.3 3.5.3(a) 4.3.3 |
| EMEA Israel CDMO 1.0 | 24.7 24.9 |
| EMEA Saudi Arabia SACS-002 | TPC-89 |
| EMEA Spain BOE-A-2022-7191 | 33.3 |
| EMEA Spain 311/2022 | 33.3 |
APAC (5)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0733 ISM-1618 |
| APAC Australia Prudential Standard CPS234 | 23 24 25(a) 25(b) |
| APAC Japan ISMAP | 16.1.4 |
| APAC New Zealand NZISM 3.6 | 7.2.18.C.01 |
| APAC Singapore MAS TRM 2021 | 7.7.5 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 |
| Americas Canada OSFI B-13 | 2.7.2 3.3.3 3.4.4 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data protection and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data protection response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.
Assessment Objectives
- IRO-07_A01 an integrated incident response team is established and maintained.
- IRO-07_A02 the time period within which an integrated incident response team can be deployed is defined.
- IRO-07_A03 the cyber incident response team can be deployed by the organization within an organization-defined time period.
- IRO-07_A04 suspected incidents are reported to the organizational incident response capability within an organization-defined time period.
- IRO-07_A05 an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.
- IRO-07_A06 a time period for deploying a cyber incident response team is defined.
- IRO-07_A07 the cyber incident response team can be deployed by the organization within an organization-defined time period.
- IRO-07_A08 the cyber incident response team is maintained.
- IRO-07_A09 suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.
Evidence Requirements
- E-IRO-01 Incident Response Program (IRP)
-
Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Incident Response - E-IRO-09 Formally Assigned Incident Response Roles & Responsibilities
-
Documented evidence of the establishment of a formally-assigned, integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity & data privacy incident response operations.
Incident Response
Technology Recommendations
Medium
- Integrated Security Incident Response Team (ISIRT)
Large
- Integrated Security Incident Response Team (ISIRT)
Enterprise
- Integrated Security Incident Response Team (ISIRT)