IR.L2-3.6.3—Incident Response Testing
Level 2
800-171: 3.6.3
Control Description
Test the organizational incident response capability.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for testing incident response capabilities?
- How frequently do you conduct incident response exercises or tabletops?
- Who participates in incident response testing?
- What is your process for incorporating lessons learned from tests into procedures?
- How do you measure and improve incident response effectiveness?
Technical Implementation:
- What tools support incident response exercises (simulations, tabletops)?
- What technical capabilities do you test during IR exercises?
- How do you simulate attacks for testing purposes?
- What tools measure IR team response times?
- What systems capture lessons learned from tests?
Evidence & Documentation:
- What incident response plan and procedures can you provide?
- What incident tracking records demonstrate incident handling?
- What incident reports show incidents were properly documented?
- What incident response test documentation shows capability testing?
- What evidence shows incident response team training?
- What notification records show required reporting occurred?