anik_d · 2026-05-22
CIA Part 2 · Incident Response · Cybersecurity

How do I audit incident response without a real incident?

My organization has not had a major incident, so I have nothing to trace. How do I conclude on response capability?

64 upvotes
AcadiFi Team · Verified Expert · AcadiFi Certified Professional

Three sources beyond a real incident:

  1. Tabletop exercise reports. The organization should run at least one tabletop exercise per year, ideally with cybersecurity scenarios (ransomware, data exposure, account takeover). Audit the exercise documentation, the participants, the gaps identified, and the follow-up actions.
  2. Detection-to-resolution trace on smaller incidents. Even without a major incident there are typically smaller events: a phishing report from an employee, an alert from the SIEM that turned out to be a false positive after investigation, an outage that triggered the response process. Pick a sample and trace each event from detection through closure.
  3. Process design walk-through. Confirm the response plan defines roles, communication paths, escalation, breach notification timelines, and a post-incident review. Confirm trained alternates for each role.

Common findings even when there has been no major incident: the plan was last updated more than 18 months ago, the tabletop exercise had no follow-up actions tracked, alternates were named but never trained, breach notification timelines do not match regulatory requirements for the organization's data.

The biggest mistake is to issue a clean opinion because nothing has gone wrong. Absence of incidents is not evidence of capability.
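As an added worked example (not part of the answer above and not AcadiFi's code), here are the trace and process-design checks from the answer written as audit tests over constructed sample evidence; the 72-hour notification deadline, the 548-day plan-age threshold, and all ticket and role values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Incident:
    """One smaller event sampled for a detection-to-closure trace."""
    ticket: str
    detected: datetime
    triaged: Optional[datetime]
    closed: Optional[datetime]
    notification_required: bool = False   # regulated data involved?
    notified: Optional[datetime] = None   # when the regulator was told
    post_incident_review: bool = False

def trace_findings(inc, notify_deadline=timedelta(hours=72)):
    """Trace one event from detection to closure; return audit findings."""
    f = []
    if inc.triaged is None:
        f.append(f"{inc.ticket}: detection never triaged")
    if inc.closed is None:
        f.append(f"{inc.ticket}: still open, no closure evidence")
    elif not inc.post_incident_review:
        f.append(f"{inc.ticket}: closed without post-incident review")
    if inc.notification_required:
        if inc.notified is None:
            f.append(f"{inc.ticket}: breach notification required but not sent")
        elif inc.notified - inc.detected > notify_deadline:
            f.append(f"{inc.ticket}: notification sent after the deadline")
    return f

def plan_findings(plan_updated, as_of, tabletop_actions, alternates):
    """Process-design checks: plan age, tabletop follow-up, trained alternates."""
    f = []
    if as_of - plan_updated > timedelta(days=548):  # roughly 18 months (assumed)
        f.append("response plan last updated more than 18 months ago")
    untracked = [a for a, status in tabletop_actions.items() if status is None]
    if untracked:
        f.append(f"tabletop actions with no tracked status: {untracked}")
    untrained = [r for r, alt in alternates.items() if not alt.get("trained")]
    if untrained:
        f.append(f"alternates named but never trained: {untrained}")
    return f
# Constructed sample evidence (assumed values, not from any real organization).
T0 = datetime(2026, 3, 1, 9, 0)
SAMPLE = [
    Incident("INC-1", T0, T0 + timedelta(minutes=20), T0 + timedelta(hours=2), post_incident_review=True),
    Incident("INC-2", T0, T0 + timedelta(hours=1), T0 + timedelta(days=5), notification_required=True, notified=T0 + timedelta(days=4)),
    Incident("INC-3", T0, None, None),
]
```

Running `trace_findings` over each record in `SAMPLE` and `plan_findings` over the plan metadata yields the list of findings to write up; an empty list for every record is the evidence for a clean conclusion, not the absence of incidents.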


#incident-response #tabletop #cybersecurity #audit