CyFun Basic: Respond
RS.RP-1: Response plan execution
Response plan is executed during or after an incident
Requirement
An incident response process, including roles, responsibilities, and authorities, shall be executed during or after an information/cybersecurity event on the organisation's critical systems.
Guidance
- The incident response process should include a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyberattack
- The roles, responsibilities, and authorities should be specific about the people involved and their contact information, about who makes the decision to initiate recovery procedures, and about who is the contact for appropriate external stakeholders
Our Implementation
A formal Incident Response Plan (v1.0) has been established, approved, and is effective as of March 2026. The plan defines a 5-phase response process:
- Detection & Reporting: Security and operational alerts are centralised in dedicated Slack channels (data errors, Better Stack uptime alerts, application errors) with mobile notifications enabled for all developers; all staff report suspected incidents to the CTO immediately
- Assessment & Triage: Scope and severity determination using a 4-level classification (Critical, High, Medium, Low) with defined response time SLAs (Immediate to 72 hours)
- Containment: Isolation of affected systems and evidence preservation
- Eradication & Recovery: Threat removal, system restoration from backups, integrity verification before returning to production
- Post-Incident Review: Lessons-learned sessions, incident log updates, and notification to relevant authorities (CERT.be for Belgian regulatory requirements)
Roles: The CTO serves as Incident Commander for all incidents. The CEO is escalated to for Critical-severity incidents. All team members are responsible for initial detection and reporting.
Gaps / Planned improvements:
- Tabletop exercise planned to validate response procedures (NEX-359)
- Scenario-specific playbooks to be developed — data breach, ransomware, account compromise (NEX-378)
Evidence
Status: Partially Implemented
Maturity: L2 (Repeatable)
Cross-references
| Framework | Control |
|---|---|
| ISO 27001:2022 | A.5.26 — Response to information security incidents |
| NIST CSF | RS.RP-1 |
| CIS Controls v8.1 | 17.4 |