WithPCI.com

12.10.2 At least once every 12 months, the security incident response plan is:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.10.2 At least once every 12 months, the security incident response plan is:

  • Reviewed and the content is updated as needed.
  • Tested, including all elements listed in Requirement 12.10.1.

Customized Approach Objective

The incident response plan is kept current and tested periodically.

Defined Approach Testing Procedures

12.10.2 Interview personnel and review documentation to verify that, at least once every 12 months, the security incident response plan is:

  • Reviewed and updated as needed.
  • Tested, including all elements listed in Requirement 12.10.1.

Purpose

Proper testing of the security incident response plan can identify broken business processes and ensure key steps are not missed; missed steps could result in increased exposure during an incident. Periodic testing of the plan ensures that the processes remain viable and that all relevant personnel in the organization are familiar with the plan.

Good Practice

The test of the incident response plan can include simulated incidents and the corresponding responses in the form of a "table-top exercise" that includes participation by relevant personnel. A review of the incident and the quality of the response can provide entities with the assurance that all required elements are included in the plan.

Purpose

Designate specific personnel to be available 24/7 to respond to alerts.

Compliance Strategies

  • On-call schedules
  • Escalation procedures

Typical Policies

  • Incident Response Staffing Policy

Common Pitfalls

  • No designated responders
  • No after-hours coverage

Type

Process Control

Difficulty

Low

Key Risks

  • Delayed incident response

Recommendations

  • Maintain up-to-date on-call lists

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
