ISMS Compliance
CyFun Basic / Respond

RS.IM-1: Lessons learned

Response plans incorporate lessons learned

RESPOND | RS.IM-1

Requirement

The organisation shall conduct post-incident evaluations to analyse lessons learned from incident response and recovery, and consequently improve processes/procedures/technologies to enhance its cyber resilience.

Our Implementation

The Incident Response Plan includes a dedicated post-incident review phase (Phase 5) that establishes the process for capturing and applying lessons learned:

  • Post-incident review: Lessons-learned sessions are conducted after High and Critical incidents, completed within one week of incident resolution
  • Incident log: A structured incident log is maintained to track all security events, their resolution, and identified improvements
  • Process improvement: Review findings are used to update response procedures, security controls, and technical configurations to prevent recurrence
  • Continuous improvement: The incident response plan itself is updated based on lessons learned from each incident

Gaps / Planned improvements:

  • Post-incident review procedures are documented in the IRP. Lessons learned will be captured upon the first incident or tabletop exercise (NEX-359)
  • Tabletop exercises planned to validate review process and generate initial findings (NEX-359)
  • Scenario-specific playbooks to be developed based on common threat patterns (NEX-378)

Evidence

Partially Implemented | L1 — Initial
