Incident Response draft
Control over security incident detection, response, and recovery processes
L0 Unaware
No incident response plan exists; security incidents are discovered accidentally and handled ad-hoc with no defined process
Criteria
- IR-L0-C1: The organisation has no documented incident response plan, and no individual or team is responsible for security incident management
- IR-L0-C2: No security monitoring or alerting is in place; incidents are typically discovered by end users or external parties
Indicators
- Past security incidents were discovered days or weeks after initial compromise
- No post-incident review or lessons-learned process has ever been conducted
Upgrade path
Designate an incident response lead and draft a basic incident response plan covering detection, containment, eradication, and recovery. Enable basic security alerting on critical systems.
Risk if stagnant
Without incident response capability, breaches go undetected and uncontained. The organisation cannot meet regulatory notification deadlines (e.g., GDPR's 72-hour requirement) and suffers extended exposure to attackers who have already gained access.
L1 Dependent
Incident response depends entirely on external providers; the organisation relies on its cloud or managed service provider to detect and respond to security events
Criteria
- IR-L1-C1: Security monitoring and incident detection are handled exclusively by the cloud or managed service provider, with no independent organisational capability
- IR-L1-C2: Incident response is reactive, triggered by provider notifications, with no organisational playbooks for containment or recovery
Indicators
- The organisation learns about security incidents from provider email notifications rather than its own monitoring
- No internal staff have incident response training or defined roles during a security event
Upgrade path
Negotiate contractual incident response SLAs with providers, including notification timelines, forensic data access, and joint response procedures. Begin building internal incident response playbooks for the most critical threat scenarios.
Risk if stagnant
Complete reliance on providers for incident response means the organisation has no independent ability to detect, investigate, or contain security events. Provider response priorities may not align with the organisation's urgency, and forensic evidence may be inaccessible.
L2 Contractual
Incident response SLAs are contractually defined with providers, and the organisation has basic internal playbooks and notification procedures
Criteria
- IR-L2-C1: Contracts with service providers include incident notification SLAs, forensic data access rights, and defined escalation procedures
- IR-L2-C2: The organisation maintains basic incident response playbooks covering the most likely threat scenarios, with designated internal contacts
Indicators
- Provider contracts specify maximum notification times for security incidents and guarantee access to relevant log data
- Internal incident response playbooks exist and have been reviewed within the past 12 months
Upgrade path
Establish an internal security operations capability with dedicated monitoring tools and trained analysts. Conduct regular incident response tabletop exercises. Deploy a SIEM or equivalent for independent log aggregation and analysis.
Risk if stagnant
Contractual SLAs and basic playbooks provide a framework but not operational capability. Without internal monitoring and trained responders, the organisation cannot independently validate provider-reported incidents or detect threats the provider misses.
L3 Controlled
Self-managed security operations centre with independent detection, investigation, and containment capabilities across all environments
Criteria
- IR-L3-C1: The organisation operates an internal SOC or equivalent security operations function with independent monitoring, detection, and investigation capabilities
- IR-L3-C2: Incident response procedures are regularly tested through tabletop exercises and simulated attacks, with findings incorporated into updated playbooks
Indicators
- A SIEM or equivalent platform aggregates logs from all critical systems independently of provider-native tooling
- Incident response exercises are conducted at least quarterly, with documented outcomes and improvement actions
Upgrade path
Develop advanced threat hunting capabilities and threat intelligence integration. Implement automated incident response orchestration (SOAR) for common incident types. Establish information-sharing relationships with peer organisations and sector-specific ISACs.
Risk if stagnant
A self-managed SOC requires continuous investment in staff training, tool updates, and threat intelligence. Without sustained commitment, detection rules become stale, analyst skills atrophy, and the SOC's effectiveness degrades against evolving threats.
L4 Autonomous
Fully sovereign incident response with advanced threat hunting, automated orchestration, threat intelligence sharing, and complete forensic independence
Criteria
- IR-L4-C1: The organisation conducts proactive threat hunting using proprietary detection rules, integrated threat intelligence, and advanced analytics across all environments
- IR-L4-C2: Automated incident response orchestration (SOAR) handles common incident types end-to-end, from detection through containment to recovery, with minimal human intervention
Indicators
- Threat hunting campaigns run continuously, identifying threats before they trigger automated alerts
- The organisation actively participates in threat intelligence sharing with peer organisations and sector-specific ISACs
Risk if stagnant
Advanced incident response capabilities require the highest calibre of security talent and continuous investment. Staff retention, evolving threat landscapes, and the arms race with sophisticated adversaries demand ongoing commitment to maintain Level 4 effectiveness.