
Control 5.24: Information Security Incident Management Planning and Preparation


Summary

The organization should plan and prepare for information security incident management by defining, establishing, and communicating information security incident management processes, roles, and responsibilities.


Applicability

In-Scope: Mandatory for all organizations. Effective incident response is the difference between a minor disruption and a catastrophic breach, and it is essential for meeting regulatory notification requirements.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Incident Response Plan: Host the Incident Response Plan (IRP) in a secure, offline-accessible SharePoint site and define response roles within a dedicated Microsoft Team.

  • Alerting: Configure Microsoft Defender XDR to trigger high-priority alerts for suspicious activity, such as mass file deletions or unauthorized administrative logins.

  • Communication: Establish a restricted-access channel in Microsoft Teams for the incident response team to communicate during a live event.
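The "mass file deletions" trigger above, written out as detection logic. This is an added example, not CYBERINFO's or Microsoft's code: it runs over constructed records shaped like Microsoft 365 unified audit log entries (the field names CreationTime, Operation and UserId, the 50-deletion threshold and the 5-minute window are all assumptions to tune) and flags any user whose FileDeleted events reach the threshold inside a sliding window, which is the logic a Defender XDR custom detection would express in KQL.

```python
from collections import deque
from datetime import datetime, timedelta


def mass_deletion_alerts(events, threshold=50, window=timedelta(minutes=5)):
    """Return {user: peak_count} for users whose FileDeleted/FileRecycled
    events reach `threshold` within any sliding `window`. Input may be unsorted."""
    deletions = sorted(
        (datetime.fromisoformat(e["CreationTime"]), e["UserId"])
        for e in events
        if e.get("Operation") in ("FileDeleted", "FileRecycled")
    )
    recent = {}   # user -> deque of deletion timestamps inside the current window
    alerts = {}
    for ts, user in deletions:
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


def constructed_events():
    """Constructed sample audit records (not real export data)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    # alice: 60 deletions in two minutes, the bulk-deletion pattern to alert on
    for i in range(60):
        events.append({"CreationTime": (base + timedelta(seconds=2 * i)).isoformat(),
                       "Operation": "FileDeleted", "UserId": "alice@example.com"})
    # bob: 5 deletions spread over an hour, ordinary housekeeping
    for i in range(5):
        events.append({"CreationTime": (base + timedelta(minutes=12 * i)).isoformat(),
                       "Operation": "FileDeleted", "UserId": "bob@example.com"})
    # a non-deletion operation, ignored by the detector
    events.append({"CreationTime": base.isoformat(),
                   "Operation": "FileAccessed", "UserId": "bob@example.com"})
    return events


if __name__ == "__main__":
    for user, count in mass_deletion_alerts(constructed_events()).items():
        print(f"HIGH: {user} deleted {count} files within a 5-minute window")
```

Tuning the threshold and window against a baseline of normal SharePoint and OneDrive activity is what keeps the rule high-priority rather than noisy.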


Evidence Checklist

  • Documented IRP: A formal Incident Response Plan that includes definitions, escalation paths, and contact details.

  • Testing Records: Evidence of a tabletop exercise or simulation conducted within the last 12 months.

  • Role Assignment: Evidence that specific individuals have been trained and assigned incident response duties.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How are employees instructed to report a suspected security incident, and is this process accessible at all times?

  • Who has the authority to declare a major incident and initiate the formal response and notification process?

  • When was the last time the Incident Response Plan was tested, and what lessons were incorporated into the updated plan?

  • How do you ensure that the response team has access to the necessary tools and logs if the primary network is unavailable?