
12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.

Customized Approach Objective

The effectiveness and accuracy of the incident response plan is reviewed and updated after each invocation.

Applicability Notes

This requirement is not applicable if there have been no security incidents, no changes to the security incident response plan based on industry developments, or no new industry developments.

Defined Approach Testing Procedures

12.10.6.a Examine policies and procedures to verify that processes are defined to modify and evolve the security incident response plan according to lessons learned and to incorporate industry developments.

12.10.6.b Examine the security incident response plan and interview responsible personnel to verify that the incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.

Purpose

Incorporating lessons learned into the incident response plan after an incident occurs, and keeping the plan in step with industry developments, helps keep the plan current and able to react to emerging threats and security trends.

Good Practice

The lessons-learned exercise should include all levels of personnel. Although it is often included as part of the review of the entire incident, it should focus on how the entity's response to the incident could be improved.

It is important to not just consider elements of the response that did not have the planned outcomes but also to understand what worked well and whether lessons from those elements that worked well can be applied to areas of the plan that did not.

Another way to optimize an entity's incident response plan is to understand the attacks made against other organizations and use that information to fine-tune the entity's detection, containment, mitigation, or recovery procedures.

Purpose

Include procedures for business continuity and disaster recovery in the incident response plan.

Compliance Strategies

  • BC/DR integration
  • Plan testing

Typical Policies

  • Business Continuity and Disaster Recovery Policy

Common Pitfalls

  • No BC/DR in IR plan
  • No testing

Type

Process Control

Difficulty

Moderate

Key Risks

  • Extended downtime after incident

Recommendations

  • Test BC/DR as part of IR exercises

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
