Incident Response Policy

The Incident Response Policy (Document P30) formalizes a robust framework ensuring the organization can effectively manage and respond to a diverse spectrum of information security incidents. The policy’s primary purpose is to establish repeatable processes for identifying, reporting, analyzing, containing, and recovering from incidents, while fostering continuous improvement through post-incident evaluations. By instituting a central Incident Response Framework aligned with international standards such as ISO/IEC 27035, the policy ensures a structured approach across all incident phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident review. This policy casts a wide net over organizational functions, extending its requirements to all personnel, including contractors and third-party providers, as well as covering all organization information systems, whether on-premises, cloud-based, or hybrid. It applies to a comprehensive set of incident types: unauthorized access, malware and ransomware, denial-of-service attacks, data leakage or exfiltration, insider threats, and even physical breaches affecting digital assets. The governance section mandates that every incident is formally logged in a Security Incident Management System (SIMS), with detailed metadata including time of detection, classification, systems affected, actions taken, evidence captured, and root cause analysis. All incidents are categorized by a tiered severity model, ensuring proportionate response and escalation. Key roles and responsibilities are carefully defined to ensure accountability and streamlined workflow during an incident. The CISO retains overall ownership of the response framework and serves as liaison to executive leadership and regulators during major incidents. The Incident Response Coordinator manages cross-functional teams, tracking every stage of the response and ensuring that corrective actions are carried out. Security Operations Center (SOC) and IT Security Analysts are charged with monitoring and triaging threats, escalating cases, and taking initial containment actions. Legal and DPO roles are tasked with reviewing regulatory impact and ensuring notification timelines, particularly for breaches under GDPR, NIS2, and DORA. Executive management makes strategic decisions for high-severity incidents, including public communications and approving ISMS modifications. The policy adopts rigorous mechanisms for breach notification, digital forensics, and evidence handling, requiring that notification to authorities and affected stakeholders is performed according to defined legal and contractual timelines. Digital forensics procedures include disk imaging with write-blockers, chain-of-custody tracking, and encrypted evidence storage, with law enforcement coordination where required. Any deviations from the policy, such as response time or evidence collection, must follow a strict risk-based exception process, with documentation, CISO approval, and quarterly risk reviews. To ensure effectiveness and regulatory compliance, the policy mandates annual reviews, regular incident response drills, and clear metrics such as Mean Time to Detect (MTTD), Mean Time to Contain (MTTC), and the percentage of post-incident reviews completed. Audit and compliance monitoring validate readiness and enforce adherence, with specified consequences for non-compliance including disciplinary measures up to contract termination or regulatory reporting. The policy is deeply integrated with supporting policies across data classification, change management, cryptographic controls, backup and restore, and logging/monitoring, ensuring a comprehensive and defensible incident readiness posture.