Skip to main content

IRO-09: Situational Awareness For Incidents

IRO 8 — High Detect

Mechanisms exist to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.

Control Question: Does the organization document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident?

General (40)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.2-POF6 CC2.3-POF8 CC7.3-POF2 CC7.4 CC7.4-POF6 CC7.4-POF9
CIS CSC 8.1 17.2 17.6
CIS CSC 8.1 IG1 17.2
CIS CSC 8.1 IG2 17.2 17.6
CIS CSC 8.1 IG3 17.2 17.6
ENISA 2.0 SO17
Generally Accepted Privacy Principles (GAPP) 1.2.7
GovRAMP Low IR-05
GovRAMP Low+ IR-05
GovRAMP Moderate IR-05
GovRAMP High IR-05
IEC 62443-4-2 2019 CR 6.2 (10.4.1)
IMO Maritime Cyber Risk Management 3.5.5.2
ISO 27002 2022 5.25
MITRE ATT&CK 10 T1564.008
MPA Content Security Program 5.1 OR-4.0
NIST 800-53 R4 IR-5
NIST 800-53 R4 (low) IR-5
NIST 800-53 R4 (moderate) IR-5
NIST 800-53 R4 (high) IR-5
NIST 800-53 R5 (source) IR-5
NIST 800-53B R5 (privacy) (source) IR-5
NIST 800-53B R5 (low) (source) IR-5
NIST 800-53B R5 (moderate) (source) IR-5
NIST 800-53B R5 (high) (source) IR-5
NIST 800-82 R3 LOW OT Overlay IR-5
NIST 800-82 R3 MODERATE OT Overlay IR-5
NIST 800-82 R3 HIGH OT Overlay IR-5
NIST 800-161 R1 IR-5
NIST 800-161 R1 C-SCRM Baseline IR-5
NIST 800-161 R1 Level 2 IR-5
NIST 800-161 R1 Level 3 IR-5
NIST 800-171 R3 (source) 03.06.02.a 03.06.02.b
NIST 800-171A R3 (source) A.03.06.02.a[01] A.03.06.02.a[02]
NIST CSF 2.0 (source) DE.AE-06 RC.RP-06 RS RS.AN-06 RS.CO
TISAX ISA 6 1.6.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IRO-09
SCF CORE ESP Level 1 Foundational IRO-09
SCF CORE ESP Level 2 Critical Infrastructure IRO-09
SCF CORE ESP Level 3 Advanced Threats IRO-09
US (30)
Framework Mapping Values
US C2M2 2.1 RESPONSE-3.F.MIL2
US CERT RMM 1.2 IMC:SG2.SP1 IMC:SG2.SP2 IMC:SG2.SP3
US CISA CPG 2022 1.D
US CJIS Security Policy 5.9.3 (source) IR-5
US CMS MARS-E 2.0 IR-5
US FCA CRM 609.930(c)(3)(iv)
US FedRAMP R4 IR-5
US FedRAMP R4 (low) IR-5
US FedRAMP R4 (moderate) IR-5
US FedRAMP R4 (high) IR-5
US FedRAMP R4 (LI-SaaS) IR-5
US FedRAMP R5 (source) IR-5
US FedRAMP R5 (low) (source) IR-5
US FedRAMP R5 (moderate) (source) IR-5
US FedRAMP R5 (high) (source) IR-5
US FedRAMP R5 (LI-SaaS) (source) IR-5
US FFIEC D3.DC.Ev.E.1
US GLBA CFR 314 2023 (source) 314.4(h)(6)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(1)(ii)(D)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(1)(ii)(D)
US HIPAA HICP Medium Practice 8.M.A 8.M.B
US HIPAA HICP Large Practice 8.M.A 8.M.B
US IRS 1075 IR-5
US NERC CIP 2024 (source) CIP-008-6 2.3
US NISPOM 2020 1-303 4-218
US - TX DIR Control Standards 2.0 IR-5
US - TX SB 820 11.175(e) 11.175(f)
US - TX TX-RAMP Level 1 IR-5
US - TX TX-RAMP Level 2 IR-5
US - VT Act 171 of 2018 2447(b)(10) 2447(b)(10)(A)
EMEA (8)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5.1(60)(d) 3.5.1(60)(d)(ii)
EMEA EU GDPR (source) 33.5
EMEA EU NIS2 Annex 3.5.3(b) 3.5.4 6.10.2(a)
EMEA Israel CDMO 1.0 24.5
EMEA Saudi Arabia SACS-002 TPC-89 TPC-90
EMEA Spain BOE-A-2022-7191 25.2
EMEA Spain 311/2022 25.2
EMEA UAE NIAF 3.3.1
APAC (6)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0125 ISM-0137 ISM-0733 ISM-1609 ISM-1803
APAC Australia Prudential Standard CPS234 23 24
APAC India DPDPA 2023 8(6)
APAC India SEBI CSCRF RS.CO.S3
APAC New Zealand NZISM 3.6 3.2.16.C.01 7.3.6.C.01 7.3.6.C.02
APAC Singapore MAS TRM 2021 7.7.5
Americas (2)
Framework Mapping Values
Americas Canada OSFI B-13 2.7
Americas Canada ITSP-10-171 03.06.02.A 03.06.02.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.

Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

  • Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data protection and business function representatives that can perform coordinated incident response.
  • The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data protection response operations.
  • A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
  • Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
  • Administrative processes and technologies exist to report incidents both internally to organizational incident response personnel (within defined time-periods) and externally to governmental authorities and affected parties, as necessary.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.

Assessment Objectives

  1. IRO-09_A01 suspected incidents are reported to the organizational incident response capability within an organization-defined time period.
  2. IRO-09_A02 system security incidents are tracked / reported to internal stakeholders.
  3. IRO-09_A03 system security incidents are documented.
  4. IRO-09_A04 system security incidents are tracked.

Evidence Requirements

E-IRO-03 Incident Tracking

Documented evidence of a centralized repository to track cybersecurity & data privacy incidents.

Incident Response

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free