Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
Explanation
This question asks whether you hold a formal agreement with an outside incident response provider that you can engage when an incident exceeds internal capacity. A pre-established relationship with incident response specialists ensures rapid access to expertise during critical security events, potentially reducing the impact and recovery time of incidents.
Evidence could include a signed service level agreement (SLA) or contract with an incident response provider, documentation showing the process for requesting external assistance, and contact information for the provider's incident response team.
Implementation Example
Request incident response assistance from the organization's incident response outsourcer
ID: RS.MA-01.309
Context
- Function
- RS: RESPOND
- Category
- RS.MA: Incident Management
- Sub-Category
- The incident response plan is executed in coordination with relevant third parties once an incident is declared
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?
- Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?

