Incident response plan: what does an auditor expect and how do you set it up?

Security · 6 min read

Kees van der Vlies

Partner | IT Auditor


An incident response plan (IRP) describes how an organisation responds to security incidents. It is one of the most frequently tested controls in IT audits and is required by almost every framework: SOC 2, ISO 27001, NIS2, DORA and the GDPR all set requirements for organisations' incident response.

The need for an IRP is evident. When a security incident occurs, there is no time to devise procedures. Every hour counts: with ransomware the encryption spreads, with a data breach more data is compromised, and regulators expect prompt notification. A plan that has been drawn up and rehearsed in advance is essential.

The structure of an effective IRP begins with definitions. What does the organisation consider to be a security incident? Which classification levels are used? An incident is usually categorised into levels of severity, from a phishing attempt on a single employee to a fully compromised network.

Roles and responsibilities form the heart of the plan. Who leads the incident response team? Who communicates with management, with customers, with regulators? Who takes technical measures? The auditor checks whether these roles are defined, whether those involved know their role, and whether deputies have been designated.

Incident response proceeds in phases. Detection and analysis: how are incidents identified and how is the severity determined? Containment: which measures are taken to limit the impact? Eradication: how is the cause removed? Recovery: how are systems restored to normal operation? Evaluation: what are the lessons and how are they translated into improvements?

Communication deserves special attention. The GDPR requires notification to the Dutch Data Protection Authority within 72 hours of a data breach. NIS2 sets comparable requirements for significant incidents. DORA requires notification to the financial regulator. The IRP must contain communication templates and escalation paths for each scenario.

Testing is the component that is often missing and that auditors scrutinise critically. A plan that has never been rehearsed offers false security. The auditor expects the IRP to be tested periodically by means of tabletop exercises, simulations or, in the best case, full incident simulations. Test results must be documented and lessons must lead to adjustments to the plan.

Secure Audit assesses incident response plans as a standard component of IT audits and can advise on drawing up or improving your IRP. Get in touch for advice.
