Control: The organisation tests the incident response capability for the information system [Assignment: organisation-defined frequency] using [Assignment: organisation-defined tests] to determine the incident response effectiveness and documents the results.
Incident Response Testing Supplemental Guidance:
Organisations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organisational operations (e.g., reduction in mission capabilities), organisational assets, and individuals due to incident response.
Incident Response Testing Control Enhancements:
IR-3 (1) Incident Response Testing - Automated Testing
The organisation employs automated mechanisms to more thoroughly and effectively test the incident response capability.
Supplemental Guidance: Organisations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example:
- (i) by providing more complete coverage of incident response issues;
- (ii) by selecting more realistic test scenarios and test environments; and
- (iii) by stressing the response capability.
Related control: AT-2.
IR-3 (2) Incident Response Testing - Co-ordination with related plans
The organisation coordinates incident response testing with organisational elements responsible for related plans.
Supplemental Guidance: Organisational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.