Sector 5 – Incident Response and Recovery

Incident response and recovery are crucial components of an enterprise’s cybersecurity strategy, focusing on how to effectively respond to and recover from cybersecurity incidents. This sector includes the processes for identifying, containing, eradicating, and recovering from cybersecurity threats, as well as developing comprehensive disaster recovery plans. By implementing strong incident response and recovery procedures, enterprises can minimise the impact of cyberattacks, reduce data loss, and ensure continuity of operations.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 5.1: Establish an Incident Response Plan (IRP)

Does your enterprise have a clear, simple incident response plan that outlines the procedures to follow in the event of a cybersecurity incident?
Example: A basic document should include roles and responsibilities, contact details for key personnel, and clear steps for identifying, containing, and recovering from a cyber incident.

Measure 5.2: Identify Key Personnel and Responsibilities

Does your enterprise have designated personnel responsible for responding to cybersecurity incidents, and are they trained in their roles?
Example: Appoint an incident response lead and backup team members who are familiar with your systems and procedures.

Measure 5.3: Develop a Backup and Recovery Process

Does your enterprise regularly back up critical data to ensure it can be restored in case of data loss or a cyberattack?
Example: Use cloud-based services such as Google Drive or Dropbox, or a dedicated backup service, and automate the backup on a daily or weekly basis. Keep at least one copy that a compromised workstation cannot overwrite (a versioned or offline copy, since a plain sync folder will faithfully replicate deleted or ransomware-encrypted files), and periodically restore a sample of files to confirm the backups are actually usable.
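The point that a backup only counts once it has been restored is easy to state and rarely checked. The following is an added example, not part of the certification text: a small Python script that archives a directory, records a SHA-256 digest beside the archive, then performs a restore test by extracting into a scratch directory and comparing every file against the live copy. The directory names, the sample files and the corruption step are constructed for the demonstration; the archive format and the `filter="data"` extraction option (which blocks path-traversal members on Python 3.12+, with a fallback for older interpreters) are standard library features.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, dest_dir):
    """Archive src_dir into a timestamped tar.gz under dest_dir and write a
    sidecar .sha256 file so later corruption or tampering is detectable."""
    src, dest = Path(src_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=src.name)
    digest = sha256_file(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_restore(archive, expected_digest, original_dir):
    """Restore test: check the archive digest, extract into a scratch directory,
    and compare each live file with its restored twin. Returns a list of problems
    (empty means the backup restores cleanly)."""
    if sha256_file(archive) != expected_digest:
        return ["archive hash mismatch (corrupted or tampered)"]
    problems = []
    original = Path(original_dir)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses absolute/.. paths
            except TypeError:  # interpreter predates the filter argument
                tar.extractall(scratch)
        restored_root = Path(scratch) / original.name
        for path in original.rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(original)
            twin = restored_root / rel
            if not twin.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(twin) != sha256_file(path):
                problems.append(f"content differs after restore: {rel}")
    return problems


def demo():
    """Constructed sample data (assumption, not real business files): back up a
    tiny tree, restore-test it, then corrupt the archive to show the check failing."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "critical-data"
        (data / "db").mkdir(parents=True)
        (data / "db" / "customers.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (data / "config.ini").write_text("[app]\nmode=prod\n")
        archive, digest = create_backup(data, Path(work) / "backups")
        clean = verify_restore(archive, digest, data)
        raw = bytearray(archive.read_bytes())
        raw[-1] ^= 0xFF  # flip one byte: the digest check must now fail
        archive.write_bytes(raw)
        tampered = verify_restore(archive, digest, data)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the digest file is what you compare against before trusting an old archive, and the restore test is the evidence for Measure 5.3 that the backup can actually be restored rather than merely that a job ran.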

Measure 5.4: Test Incident Response Procedures Regularly

Does your enterprise conduct regular tests of its incident response procedures to ensure readiness in case of an attack?
Example: Run tabletop exercises every six months to simulate a data breach or malware attack and evaluate your team’s response.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 5.5: Create a Dedicated Incident Response Team (IRT)

Does your enterprise have a dedicated incident response team with clearly defined roles for technical, communications, and legal aspects of the response?
Example: Your IRT should include IT staff, legal advisors, and communications personnel who work together to address the full scope of an incident.

Measure 5.6: Implement Real-Time Monitoring and Detection Systems

Does your enterprise deploy tools to monitor and detect potential security incidents in real time?
Example: Use intrusion detection systems (IDS) or security information and event management (SIEM) tools like Splunk to detect abnormal behaviour and alert the team immediately.
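What an IDS or SIEM rule actually does is count events in a window and alert on a pattern. The following is an added example, not part of the certification text or of any named product: a Python detector that parses OpenSSH-style authentication log lines, raises a medium alert when one source address accumulates repeated failed logins inside a sliding window, and a high alert when a login succeeds shortly after such a burst. The log lines are constructed for the demonstration (documentation-reserved addresses, not real traffic); the thresholds and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption): a password-guessing burst that succeeds,
# a legitimate user who mistypes once, and a slow attacker spacing out attempts.
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:04 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:06 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Mar 10 08:00:08 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 08:00:09 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar 10 08:15:00 web1 sshd[2201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 08:15:30 web1 sshd[2203]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar 10 09:00:00 web1 sshd[2301]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 09:20:00 web1 sshd[2303]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 09:40:00 web1 sshd[2305]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar 10 10:00:00 web1 sshd[2307]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar 10 10:20:00 web1 sshd[2309]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Turn one syslog-style sshd line into an event dict, or None if it is not
    an authentication result. Syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=5), min_failures_before_success=3):
    """Sliding-window detector keyed on source IP.
    - brute_force: >= threshold failures inside `window` (alerted once per IP).
    - success_after_failures: a successful login preceded by at least
      min_failures_before_success failures from the same IP inside `window`;
      a single mistyped password before a key login is normal and not flagged."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({"type": "brute_force", "severity": "medium", "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"]})
        elif len(q) >= min_failures_before_success:
            alerts.append({"type": "success_after_failures", "severity": "high", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the default five-minute window the burst from 203.0.113.7 produces both alerts, alice is left alone, and the slow attempts from 192.0.2.9 never trip the rule; widening the window to two hours catches that host as well. That trade-off between window length, false positives and missed low-and-slow activity is exactly what the team tuning a SIEM rule has to decide, and the alert output is what Measure 5.9's automation would consume.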

Measure 5.7: Develop a Communication Plan for Incident Management

Does your enterprise have a communication plan to ensure stakeholders (employees, customers, and partners) are informed during and after an incident?
Example: Create predefined communication templates to guide messaging to internal staff and external clients during a security incident.

Measure 5.8: Test and Refine the Incident Response Plan

Does your enterprise regularly test its incident response plan to identify and correct any weaknesses in your response procedures?
Example: Conduct simulated cyberattack drills, such as ransomware or data breach scenarios, to refine your team’s response and ensure all steps are covered.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 5.9: Implement Automated Incident Response Tools

Does your enterprise use automated tools to help detect, contain, and recover from cybersecurity threats more efficiently?
Example: Implement a security orchestration, automation and response (SOAR) tool such as Cortex XSOAR to automate tasks like isolating affected systems and blocking malicious activity, with a human approval step for actions that could disrupt production.

Measure 5.10: Develop a Comprehensive Disaster Recovery Plan (DRP)

Does your enterprise have a detailed disaster recovery plan in place to restore critical systems, applications, and data after an incident?
Example: Ensure your DRP covers all essential business functions and specifies the recovery process, including roles and responsibilities for the recovery team.

Measure 5.11: Perform Regular Incident Response Drills and Tabletop Exercises

Does your enterprise conduct regular incident response drills and tabletop exercises to test the enterprise’s preparedness for major cybersecurity incidents?
Example: Organise quarterly simulated attacks, such as a Distributed Denial of Service (DDoS) or ransomware attack, involving all key departments and stakeholders to ensure smooth coordination during an actual incident.

Measure 5.12: Analyse Post-Incident and Implement Improvements

Does your enterprise analyse each incident after it is resolved to identify lessons learned and improve your incident response procedures?
Example: After each incident, conduct a post-mortem review, document the timeline of events, and adjust your response plans based on identified weaknesses or gaps in your processes.

———————————————————————————————————