You can prepare for, detect, contain, and recover from incidents.
What it actually means
A working incident-response capability — a documented plan plus the means to actually run it: prepare, detect, analyze, contain, recover, and handle user response. Not just a binder; an ability you could exercise if something happened tonight.
Pass or fail — an assessor needs a "yes" to each
- A documented incident-response plan exists covering the full lifecycle.
- Roles and steps are defined (prep/detect/analyze/contain/recover).
- The capability is real, not just paper.
What to have ready
- Incident response plan
- Defined roles + contact list
- Detection tooling (EDR/SIEM) feeding the process
Where teams trip up
- No plan, or a generic template never tailored
- Detection with no defined response
- Nobody knows their role in an incident