Preparation Before Developing a Cyber Security Incident Response Program
Written by Dr. Michael C. Redmond, PhD   


A Cyber Incident Response Program allows an organization to respond with speed and agility while empowering the business to maintain continuous operations. A good program with a documented plan and playbooks can also reduce revenue loss, reduce fines and lawsuits, and protect brand reputation. Information and cyber security are the responsibility of the entire enterprise, not just IT or Information Security.

Information security, governance and risk are all critical aspects of planning and executing the information security plan. Organizations have a key responsibility to develop an information security governance program; review existing information security policies and standards to ascertain whether their scope of coverage is adequate against industry best practices; and update them as appropriate, taking compliance recommendations into account.

Organizations should use Key Performance Indicators (KPIs) to determine whether the information systems incident response program meets business objectives, and operational metrics for ongoing process improvement.

Having a good cyber incident response program can help minimize loss to the entity and help it continue serving customers by mitigating the negative effects that disruptions can have on an institution's strategic plans. Reputation, operations, liquidity, credit quality, market position, and the ability to remain in compliance with applicable laws and regulations are a few of the reasons why planning is critical.

In preparation for planning, knowing which standards to use as guidelines is a great starting point. In addition to the National Institute of Standards and Technology (NIST), Federal Financial Institutions Examination Council (FFIEC) Section J, and many others, the International Organization for Standardization (ISO) offers good best practices to implement.

One standard to review and utilize is ISO/IEC 27032:2012, which covers many of the dependencies of cyber security such as:

  • Critical information infrastructure protection (CIIP)
  • Information security
  • Network security
  • Internet security

ISO/IEC 38500, Information Technology Governance, covers areas that help with establishing responsibilities, planning to best support the organization, validating the required performance, ensuring conformance with rules, and ensuring respect for human factors.

Some of the other ISO standards that I recommend offer different views of information technology and security techniques.

ISO/IEC 27000:2014 covers:

  • Information technology
  • Security techniques
  • Information security management systems
  • Overview and vocabulary

ISO/IEC 27001:2013 covers:

  • Information security management system
  • Requirements

ISO/IEC 27002:2013 covers:

  • Code of practice for information security management
  • Information technology
  • Security techniques

ISO/IEC 27003:2010 covers:

  • Information security management system implementation guidance
  • Information technology
  • Security techniques

ISO/IEC 27004:2009 covers:

  • Information security management
  • Information technology
  • Measurement
  • Security techniques

ISO/IEC 27005:2011 covers:

  • Information security risk management
  • Information technology
  • Security techniques

ISO/IEC 27007 covers:

  • Guidelines for information security management systems auditing
  • Information technology
  • Security techniques

By reviewing these and other standards before beginning Cyber Security Incident Response planning, you will be able to develop a better structure for your program, plans and playbooks.

The ISO standards list many security controls that will help in developing a good Cyber Incident Response Program. Although I normally do not quote Wikipedia, it does have a good definition and explanation of controls. It defines controls as “safeguards or countermeasures to avoid, counteract or minimize security risks”. “To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

  • Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
  • During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
  • After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.”[1]

I encourage you to research and develop a thorough project plan before developing your program.


About the author

Dr. Michael C. Redmond, PhD, PMP, FBCI, MBCP, CEM, is also certified in ISO 22301, ISO 27001, and ISO 27035. She is a certified trainer for the Professional Evaluation and Certification Board (PECB) and is an international consultant, speaker and writer. She can be reached at (917) 882-5453.