1. Purpose and Scope
This policy defines how the organisation prepares for, detects, responds to, and recovers from information security incidents to ensure confidentiality, integrity, and availability of information assets. It applies to all employees, contractors, suppliers, and partners.
Policy Statements:
- Incident response is documented, tested, and reviewed annually, consistent with ISO/IEC 27001:2022 Annex A.16.1.
- Incident response planning aligns with NIST CSF v2.0 Respond (RS) functions, including RS.RP (Response Planning), RS.MI (Mitigation), and RS.CO (Communications).
- Breach notification obligations are fulfilled under GDPR Articles 33–34, POPIA Section 22, and HIPAA §164.308(a)(6).
- Incident response governance is overseen by the board, consistent with ISO/IEC 38500:2015 Clause 5.1–5.6 and, where applicable to the organisation’s jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes.
- Supplier participation in incident response is mandated under SIAM v4 (2020) and ISO 44001:2017 Clause 7.4 (Joint Incident Response).
2. Governance and Accountability
Security responsibilities for incident response are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to incident response governance (ISO 27001 Clause 5.1).
- A formally appointed Incident Response Manager is accountable for plan execution (Clause 5.3).
- Department heads ensure incident reporting compliance within their teams.
- Quarterly incident response performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative incident responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2).
- Incident governance aligns with COSO Principle 17 (Risk Reporting & Communication) or equivalent risk-reporting framework adopted by the organisation.
3. Risk Management
Incident response integrates with enterprise risk management.
Policy Statements:
- Incident risks are identified and assessed quarterly (ISO 27001 Clause 6.1.2).
- Incident treatment plans are documented and approved (Clause 6.1.3).
- Business continuity risks are integrated into enterprise risk registers (ISO 22301:2019 Clause 8.2).
- Cybercrime risks are tracked under applicable cybercrime legislation in each operating jurisdiction; representative references include the South Africa Cybercrimes Act (2020) and the Mauritius Cybercrime Act (2003/2018).
- Shared risk registers with strategic partners include incident risks (ISO 44001 Clause 6.3).
- Incident risk assessments are embedded into the organisation’s enterprise risk management framework — COSO ERM (Principle 6), ISO 31000:2018, or equivalent ERM framework adopted by the organisation.
4. Incident Detection and Reporting
Incidents are detected, reported, and escalated promptly.
Policy Statements:
- Event logging is implemented and reviewed weekly (ISO 27001 Annex A.12.4.1).
- Detection capabilities align with NIST CSF DE.CM (Detection & Monitoring).
- Employees are trained to report incidents immediately (ISO 27001 Annex A.7.2.2).
- Breach notifications follow the timing and scope required by applicable data protection law. Reference obligations include the 72-hour window under EU GDPR Articles 33–34, the notification requirement under POPIA Section 22, and equivalent provisions in each operating jurisdiction.
- HIPAA breach notifications, where HIPAA applies, are executed under §164.408; equivalent breach-notification obligations apply under other jurisdictions’ health-data protection regimes.
- Escalation paths are documented in incident playbooks.
5. Incident Response Procedures
Incidents are contained, eradicated, and recovered systematically.
Policy Statements:
- Incident response plans are maintained and tested annually (ISO 27001 Annex A.5.25).
- Containment procedures isolate affected systems and accounts (Annex A.16.1.5).
- Eradication procedures remove malware and patch vulnerabilities.
- Recovery procedures restore systems from backups and validate controls (NIST CSF RC.IM).
- Lessons learned are documented and integrated into ISMS improvements (ISO 27001 Annex A.5.29).
- Case studies drawn from significant publicly reported cybersecurity incidents are used in tabletop exercises. Illustrative examples include supply-chain compromises (e.g. SolarWinds 2020, MOVEit 2023), critical-infrastructure ransomware events (e.g. Colonial Pipeline 2021), and regionally relevant incidents in each organisation's operating jurisdiction.
6. Communication and Notification
Incident communication is coordinated internally and externally.
Policy Statements:
- Internal notifications include executives, legal, HR, and affected business units.
- External notifications include regulators, customers, partners, and law enforcement.
- Public relations messaging is coordinated to protect reputation.
- Documentation of incidents is retained for compliance audits (SOC 2 CC7, PCI DSS Req. 12.10.5).
7. Training and Awareness
Employees and partners are trained to respond effectively.
Policy Statements:
- Annual incident response training is mandatory (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
- Role-specific training is provided to Incident Response Team members.
- Tabletop exercises and simulations are conducted quarterly.
- Awareness campaigns reinforce reporting culture.
8. Compliance Obligations
Incident response complies with applicable laws and standards.
Policy Statements:
- Breach obligations under applicable data protection and health-data law are integrated into response plans; representative regimes include EU GDPR, POPIA, HIPAA, and California CCPA/CPRA.
- Cross-border incident reporting follows the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius DPA Section 36.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, and Brazil LGPD.
- Incident response obligations under the AU Convention on Cybersecurity (2014) are observed where the organisation operates in signatory states.
9. Audit and Assurance
Independent audits validate incident response effectiveness.
Policy Statements:
- Internal audits are conducted annually (ISO 27001 Clause 9.2).
- Management reviews incident response performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation’s market context; representative reference: SOC 2 Trust Services Criteria (AICPA).
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
10. Appendices
- Appendix A: Incident Severity Classification Matrix.
- Appendix B: Escalation Flowchart.
- Appendix C: Breach Notification Templates (GDPR, HIPAA, POPIA).
- Appendix D: Contact List (Regulators, Law Enforcement, Vendors).
- Appendix E: Incident Response Playbooks (Malware, Phishing, Insider Threat, DDoS).
- Appendix F: Incident Report Form template.
- Appendix G: Post-Incident Review checklist.
Enterprise and Conglomerate implementation content will be added here.