IR.L2-3.6.1—Incident Handling
Level 2
800-171: 3.6.1
Control Description
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your incident response policy and program governance?
- How is your incident response team structured and who leads it?
- What is your process for classifying and prioritizing incidents?
- How often do you review and update your incident response procedures?
- What authorities and resources does your incident response team have?
Technical Implementation:
- What incident response tools and platforms do you use (SIEM, SOAR)?
- What technical capabilities support incident detection?
- What forensic tools support incident analysis?
- What technologies enable incident containment?
- What systems support incident tracking and case management?
- What communication tools support incident response?
Evidence & Documentation:
- What incident response plan and procedures can you provide?
- What incident tracking records demonstrate incident handling?
- What incident reports show incidents were properly documented?
- What incident response test documentation shows capability testing?
- What evidence shows incident response team training?
- What notification records show required reporting occurred?