Skip to main content

IRO-10: Incident Stakeholder Reporting

IRO 9 — Critical Respond

Mechanisms exist to timely-report incidents to applicable: (1) Internal stakeholders; (2) Affected clients & third-parties; and (3) Regulatory authorities.

Control Question: Does the organization timely-report incidents to applicable: (1) Internal stakeholders; (2) Affected clients & third-parties; and (3) Regulatory authorities?

General (59)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.2-POF6 CC2.3 CC2.3-POF1 CC2.3-POF8 CC7.3-POF2 CC7.4 CC7.4-POF13 CC7.4-POF6 CC7.4-POF9 CC7.5-POF2 P6.3 P6.7
CIS CSC 8.1 17.2
CIS CSC 8.1 IG1 17.2
CIS CSC 8.1 IG2 17.2 17.6
CIS CSC 8.1 IG3 17.2 17.6
COBIT 2019 EDM05.02 DSS02.07
COSO 2017 Principle 15
CSA CCM 4 BCR-07 SEF-07 TVM-09
ENISA 2.0 SO18
Generally Accepted Privacy Principles (GAPP) 1.2.7
GovRAMP Core IR-06
GovRAMP Low IR-06
GovRAMP Low+ IR-06
GovRAMP Moderate IR-06
GovRAMP High IR-06
IMO Maritime Cyber Risk Management 3.5.5.1
ISO/SAE 21434 2021 RQ-14-01
ISO 22301 2019 8.4.3 8.4.3.1 8.4.3.2
ISO 27002 2022 6.8
ISO 27017 2015 16.1.2
ISO 29100 2024 6.10
ISO 42001 2023 A.8.3 A.8.4
MPA Content Security Program 5.1 OR-4.0
NAIC Insurance Data Security Model Law (MDL-668) 6.E(1)(a) 6.E(1)(b)
NIST AI 100-1 (AI RMF) 1.0 MANAGE 4.3
NIST AI 600-1 MG-4.3-001
NIST 800-53 R4 IR-6
NIST 800-53 R4 (low) IR-6
NIST 800-53 R4 (moderate) IR-6
NIST 800-53 R4 (high) IR-6
NIST 800-53 R5 (source) IR-6
NIST 800-53B R5 (privacy) (source) IR-6
NIST 800-53B R5 (low) (source) IR-6
NIST 800-53B R5 (moderate) (source) IR-6
NIST 800-53B R5 (high) (source) IR-6
NIST 800-82 R3 LOW OT Overlay IR-6
NIST 800-82 R3 MODERATE OT Overlay IR-6
NIST 800-82 R3 HIGH OT Overlay IR-6
NIST 800-161 R1 IR-6
NIST 800-171 R3 (source) 03.06.02.b 03.06.02.c
NIST 800-171A R3 (source) A.03.06.02.ODP[01] A.03.06.02.b A.03.06.02.c A.03.06.02.d
NIST CSF 2.0 (source) DE.AE-06 RS RS.CO RS.CO-02 RS.CO-03 RS.MA-01
PCI DSS 4.0.1 (source) 12.1.4 12.10.1 A1.2.3
PCI DSS 4.0.1 SAQ A (source) 12.10.1
PCI DSS 4.0.1 SAQ A-EP (source) 12.1.4 12.10.1
PCI DSS 4.0.1 SAQ B (source) 12.10.1
PCI DSS 4.0.1 SAQ B-IP (source) 12.10.1
PCI DSS 4.0.1 SAQ C (source) 12.10.1
PCI DSS 4.0.1 SAQ C-VT (source) 12.10.1
PCI DSS 4.0.1 SAQ D Merchant (source) 12.1.4 12.10.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 12.1.4 12.10.1
PCI DSS 4.0.1 SAQ P2PE (source) 12.10.1
SWIFT CSF 2023 7.1
TISAX ISA 6 1.6.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IRO-10
SCF CORE ESP Level 1 Foundational IRO-10
SCF CORE ESP Level 2 Critical Infrastructure IRO-10
SCF CORE ESP Level 3 Advanced Threats IRO-10
SCF CORE AI Model Deployment IRO-10
US (37)
Framework Mapping Values
US C2M2 2.1 RESPONSE-3.F.MIL2
US CERT RMM 1.2 COMM:SG2.SP3 IMC:SG2.SP1
US CISA CPG 2022 4.A
US CJIS Security Policy 5.9.3 (source) IR-6
US CMS MARS-E 2.0 IR-6
US DFARS Cybersecurity 252.204-70xx 252.204-7018(d)(1) 252.204-7018(d)(2)(i) 252.204-7018(d)(2)(ii)
US FCA CRM 609.930(c)(3)(v) 609.930(c)(3)(vi)
US FedRAMP R4 IR-6
US FedRAMP R4 (low) IR-6
US FedRAMP R4 (moderate) IR-6
US FedRAMP R4 (high) IR-6
US FedRAMP R4 (LI-SaaS) IR-6
US FedRAMP R5 (source) IR-6
US FedRAMP R5 (low) (source) IR-6
US FedRAMP R5 (moderate) (source) IR-6
US FedRAMP R5 (high) (source) IR-6
US FedRAMP R5 (LI-SaaS) (source) IR-6
US FFIEC D5.IR.Pl.B.2 D5.DR.Re.B.4 D5.DR.Re.E.6 D5.ER.Es.B.4 D5.ER.Es.B.2 D2.IS.Is.B.3 D2.IS.Is.E.2
US GLBA CFR 314 2023 (source) 314.4(h)(4)
US HIPAA Administrative Simplification 2013 (source) 164.404(b) 164.408(a) 164.408(b) 164.408(c)
US HIPAA HICP Medium Practice 8.M.A 8.M.B
US HIPAA HICP Large Practice 8.M.A 8.M.B 9.L.A 9.L.D
US IRS 1075 1.8.3 IR-6
US NERC CIP 2024 (source) CIP-008-6 4.2 CIP-008-6 4.3
US NISPOM 2020 1-303 4-218
US SEC Cybersecurity Rule Form 8-K Item 1.05(a)
US SSA EIESR 8.0 5.9
US - CA SB1386 SEC2-Section 1798.29
US - MA 201 CMR 17.00 17.03(2)(j)
US - NV NOGE Reg 5 5.260.4(a) 5.260.4(c)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.17(a)(1) 500.17(c) 500.17(c)(1) 500.17(c)(2)
US - OR 646A 604(1) 604(2) 604(3) 604(4) 604(5)
US - TX BC521 521.053
US - TX DIR Control Standards 2.0 IR-6
US - TX SB 820 11.175(e) 11.175(f)
US - TX TX-RAMP Level 1 IR-6
US - TX TX-RAMP Level 2 IR-6
EMEA (16)
Framework Mapping Values
EMEA EU AI Act 17.1(j)
EMEA EU EBA GL/2019/04 3.7.5(91)
EMEA EU DORA 14.1 14.2 14.3 19.1 19.2 19.3 19.4 19.4(a) 19.4(b) 19.4(c) 19.5 45.3
EMEA EU GDPR (source) 34.1 34.2
EMEA EU NIS2 23.1 23.2 23.4 23.4(a) 23.4(b) 23.4(c) 23.4(d) 23.4(d)(i) 23.4(d)(ii) 23.4(d)(iii) 23.4(d)(iv) 23.4(e)
EMEA EU NIS2 Annex 13.2.2(c) 3.1.2(b)
EMEA Germany C5 2020 SIM-03 SIM-04
EMEA Israel CDMO 1.0 24.6 24.8
EMEA Qatar PDPPL 14
EMEA Saudi Arabia IoT CGIoT-1 2024 2-12-2
EMEA Saudi Arabia ECC-1 2018 2-13-3-3 2-13-3-4
EMEA Saudi Arabia SACS-002 TPC-23 TPC-89
EMEA South Africa 22
EMEA Spain BOE-A-2022-7191 25.2 33.2 33.4 33.7
EMEA Spain 311/2022 25.2 33.2 33.4 33.7
EMEA UAE NIAF 3.3.3
APAC (10)
Framework Mapping Values
APAC Australia Essential 8 ML2-P3 ML2-P4 ML2-P5 ML2-P7 ML3-P3 ML3-P4 ML3-P5 ML3-P7
APAC Australia ISM June 2024 ISM-0123 ISM-0137 ISM-0733 ISM-1088 ISM-1609
APAC Australia Prudential Standard CPS230 33 42
APAC India DPDPA 2023 8(6)
APAC India SEBI CSCRF DE.DP.S3 RC.CO.S2 RC.CO.S3 RS.CO.S2 RS.CO.S3
APAC Japan ISMAP 16.1.2
APAC New Zealand HISF 2022 HHSP75 HML75 HSUP65
APAC New Zealand HISF Suppliers 2023 HSUP65
APAC New Zealand NZISM 3.6 7.2.18.C.01 7.2.20.C.01 7.2.21.C.01 7.2.23.C.01
APAC Singapore MAS TRM 2021 7.7.5 7.7.6 7.7.7
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 6.5
Americas Brazil LGPD 48
Americas Canada OSFI B-13 3.4.1
Americas Canada ITSP-10-171 03.06.02.B 03.06.02.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to timely-report incidents to applicable: (1) Internal stakeholders; (2) Affected clients & third-parties; and (3) Regulatory authorities.

Level 1 — Performed Informally

Incident Response (IRO) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
  • Incident response operations are decentralized.
Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

  • Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Administrative processes and technologies exist to document, manage and report on actual and potential cybersecurity and data privacy incidents.
  • Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
  • The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
  • A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
  • Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
  • Administrative processes and technologies exist to report incidents both internally to organizational incident response personnel (within defined time-periods) and externally to governmental authorities and affected parties, as necessary.
  • Administrative processes and technologies exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Level 4 — Quantitatively Controlled

Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to timely-report incidents to applicable: (1) Internal stakeholders; (2) Affected clients & third-parties; and (3) Regulatory authorities.

Assessment Objectives

  1. IRO-10_A01 the time period to report suspected incidents to the organizational incident response capability is defined.
  2. IRO-10_A02 authorities to whom incident information is to be reported are defined.
  3. IRO-10_A03 personnel are required to report suspected incidents to the organizational incident response capability within an organization-defined time period.
  4. IRO-10_A04 incident information is reported to organization-defined authorities.
  5. IRO-10_A05 suspected incidents are reported to the organizational incident response capability within an organization-defined time period.
  6. IRO-10_A06 an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.
  7. IRO-10_A07 suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.
  8. IRO-10_A08 incident information is reported to <A.03.06.02.ODP[02]: authorities>.

Evidence Requirements

E-IRO-01 Incident Response Program (IRP)

Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.

Incident Response
E-IRO-11 Incident Reporting Capability

Documented evidence of a capability to provide situational awareness of incidents to internal stakeholders and generated necessary reporting to affected clients, applicable third-parties and regulatory authorities.

Incident Response

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free