Function: Respond (RS)
Category: Improvements (IM)
“Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.”
RS.IM-1: Response plans incorporate lessons learned
Incident handling incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly. The organization’s incident response plan should include a post-incident review within a set timeframe after the incident concludes, to inform the changes necessary to improve the overall incident response plan.
Auditors may examine the organization’s incident handling reports and testing documentation for action items and lessons learned. They may check whether real-world incidents, testing, and post-incident reporting have been used to update the incident response procedures, training, and testing.
RS.IM-2: Response strategies are updated
An incident response plan should be reviewed and updated on a regular basis to incorporate improvements identified in lessons learned and to evaluate the response to changing threats. The updated incident response plan should be communicated to the organization and to those responsible for response activities.
Auditors may check to see that there is a mechanism in place to regularly review, improve, approve, and communicate the incident response plan.