Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
Explanation
During a security incident, organizations may need to activate additional response mechanisms beyond the standard incident response procedures.
This includes business continuity plans to maintain critical operations, disaster recovery procedures to restore systems, or crisis communication plans to manage stakeholder communications.
Having these plans ready for activation ensures a comprehensive response to incidents that may escalate beyond routine security events.
Evidence could include documented procedures for activating supplementary plans during incidents, decision matrices that outline activation criteria, incident response playbooks showing integration with other plans, or records from tabletop exercises demonstrating how these plans work together during simulated incidents.
Implementation Example
Initiate execution of additional cybersecurity plans as needed to support incident response (for example, business continuity and disaster recovery).
ID: RS.MA-01.311
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: The incident response plan is executed in coordination with relevant third parties once an incident is declared
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?
- Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?