Domain 4: Incident Management Module 24 of 47

Module 24: Incident Response Plan

CISM Domain 4 — Incident Management, Section A

What the Exam Is Really Testing

Expect questions that circle around one concept:

An Incident Response Plan establishes governance, structure, and accountability for managing security incidents effectively.

An IRP must:

  • Define roles and responsibilities
  • Establish escalation paths
  • Align with business continuity objectives
  • Integrate with regulatory obligations
  • Be tested periodically

An undocumented or untested plan is a governance weakness.


The Executive Mindset Shift

Tactical default:

Focus on technical containment procedures.

Strategic default:

Focus on a structured, repeatable, governance-driven response capability that the organization can exercise before an incident occurs.

Security leaders must ensure:

  • Executive sponsorship
  • Defined incident classification criteria
  • Cross-functional coordination
  • Legal and regulatory integration
  • Communication planning
  • Post-incident review process

Incident response is organizational coordination — not just technical remediation.


Core IRP Components

A mature IRP should include:

  1. Purpose and Scope
    • What incidents are covered?
    • What systems are in scope?
  2. Roles and Responsibilities
    • Incident response team
    • Executive leadership
    • Legal
    • Communications
    • Business owners
  3. Incident Classification and Severity Levels
    • Clear escalation thresholds
    • Defined categories
  4. Escalation and Notification Procedures
    • Internal reporting paths
    • External notification requirements
    • Regulatory timelines
  5. Containment, Eradication, and Recovery Guidance
    • High-level procedures (detailed technical steps belong in referenced playbooks, not in the plan itself)
    • Coordination expectations across teams
  6. Evidence Handling and Documentation
    • Chain of custody
    • Forensic readiness
  7. Communication Protocols
    • Internal stakeholders
    • External parties
    • Media strategy
  8. Post-Incident Review
    • Lessons learned
    • Root cause analysis
    • Control improvements

CISM focuses heavily on governance and coordination.


IRP Governance Integration

An effective IRP must:

  • Align with BCP and DRP
  • Reflect regulatory reporting requirements
  • Integrate with risk management
  • Be reviewed and updated regularly
  • Be tested through exercises

Incident response is part of enterprise risk management.


Testing and Validation

The IRP should be:

  • Exercised periodically
  • Tested through tabletop simulations
  • Updated based on lessons learned
  • Reviewed for regulatory changes
  • Integrated into awareness programs

Testing ensures readiness — not perfection.


Pattern Recognition

When IRP appears in a scenario, ask:

  1. Is there a documented plan?
  2. Are roles clearly defined?
  3. Is escalation structured?
  4. Are regulatory requirements considered?
  5. Has the plan been tested?

Correct answers often involve:

  • Updating and testing the IRP
  • Clarifying roles
  • Establishing classification criteria
  • Aligning with legal/regulatory obligations
  • Conducting tabletop exercises

Not:

  • Writing overly technical containment instructions
  • Waiting for an incident before planning
  • Security acting independently
  • Ignoring communication strategy

Trap Pattern

Common wrong instincts:

  • “Focus on malware removal steps.”
  • “Legal can be involved later.”
  • “We’ll update the plan after a breach.”
  • “Technical team owns the entire response.”

CISM emphasizes structured readiness and cross-functional coordination.


Scenario Practice

Question 1

An organization has no documented incident response plan but relies on experienced technical staff.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Monitoring deficiency
  C. Lack of structured governance and escalation
  D. Vendor inefficiency

Correct Answer: C
Experience alone does not replace formal governance structure.

Question 2

An IRP exists but has not been reviewed in four years.

What is the MOST significant concern?

  A. Reduced automation
  B. Monitoring delay
  C. Vendor inefficiency
  D. Misalignment with current threat landscape and regulatory requirements

Correct Answer: D
Incident response plans must evolve with risk and regulation.

Question 3

During a breach, confusion arises regarding who must notify regulators.

What is the PRIMARY plan deficiency?

  A. Undefined roles and notification procedures
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay

Correct Answer: A
Escalation and notification responsibilities must be clearly defined.

Question 4

An organization conducts technical recovery but fails to perform a lessons-learned review.

What is the PRIMARY governance gap?

  A. Encryption weakness
  B. Failure to integrate post-incident improvement process
  C. Vendor inefficiency
  D. Monitoring deficiency

Correct Answer: B
Post-incident review strengthens program maturity.

Question 5

An executive asks how prepared the organization is for a ransomware event.

What provides the MOST reliable assurance?

  A. Recent antivirus updates
  B. Increased firewall rules
  C. Documented IRP tested through tabletop exercises
  D. Vendor certification

Correct Answer: C
Testing and exercising the IRP validates readiness.

Key Takeaway

In CISM:

Readiness reduces chaos. Structure enables coordination. Testing validates capability.

An effective IRP:

  • Defines roles.
  • Establishes escalation.
  • Integrates legal and regulatory requirements.
  • Aligns with BCP and DRP.
  • Is tested regularly.
  • Includes post-incident review.

That is what governance looks like when incidents strike.
