Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.  [SP 800-84] provides guidance on testing programs for information technology capabilities. 

Priority: Medium

Category: Incident Response Operations 

Services Associated with AWS:   

  • AWS Security Hub, AWS Incident Manager 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing incident response roles
  • Administrative: Incident Response Plan (IRP) practices that cover all phases of incident response operations
  • Administrative: supporting documentation of incident response testing / exercises 

Possible Technology Considerations:


What needs to be answered:

Is there a company incident response policy? Does it outline requirements for regular testing and reviews/improvements to incident response capabilities? Does the company test its incident response capabilities? 

  • Organizational Incident Response Capability Testing
    Description: This check ensures that organizations regularly test their incident response capabilities to assess their effectiveness and identify potential weaknesses or deficiencies. Incident response testing involves the use of various methods such as checklists, walk-through exercises, simulations, and comprehensive exercises to evaluate the organization's ability to respond to security incidents.

More Details:   

The organization's response capability is tested periodically for all employees and IT staff.