Secure Controls Framework
Download The SCF

Incident Response (IRO)

Domain Principle

Maintain a tested incident response capability that enables trained responders to identify, analyze, contain, eradicate and recover from incidents according to documented Incident Response Plans (IRPs).

Domain Intent

Organizations establish, maintain and exercise the capability to lawfully and effectively respond to cybersecurity incidents in a timely manner, preserve evidence and notify affected stakeholders as required.

Domain Guide

The IRO domain governs the capability to detect, analyze, contain, eradicate and recover from cybersecurity incidents through documented, tested plans. An Incident Response Plan (IRP) that exists only as a document is not an operational capability. The SCF requires that organizations maintain and exercise that capability, meaning responders know their roles, procedures work under stress and the plan reflects current system architecture.

 

The SCF's intent for IRO adds two requirements that organizations frequently underweight: lawful response and stakeholder notification. Legal requirements around evidence preservation, mandatory breach reporting and law enforcement engagement are not incidental to incident response; they are requirements that, if missed, create additional liability on top of whatever the incident itself caused. IRO requires trained responders who understand these obligations, not just technical capabilities for containment.

 

IRO is downstream from MON and upstream from the business resilience activities in BCD. Monitoring produces incident signals; incident response acts on them; BC/DR governs what happens when an incident exceeds the recovery scope that IR can address. All three domains are necessary; substituting one for another produces gaps.