1. Framework FAQs

CAF – D1.b Response and Recovery Capability

This article provides additional information on how you can meet the requirements of the CAF control D1.b – Response and Recovery Capability.

Activating the Incident Management Plan

  • Organisations should maintain the capability to activate their Incident Management Plan quickly and effectively to minimise harm to essential services.
  • Incident response roles and responsibilities should be defined within Adoptech, and teams should be trained to make timely decisions using the tools, information and resources available.

Ensuring Access to Critical Data and Systems

  • During an incident, the following should be available to support rapid and effective response:
    • logs
    • monitoring tools
    • backups
    • communication channels

  • Backup mechanisms should be tested regularly so essential services can continue to operate if primary systems fail.

Access to External Expertise

Where required, organisations should be able to draw on external cyber-incident specialists to support investigation and remediation.

Regulatory Reporting Requirements

  • In accordance with NIS regulation (the Cyber Security and Resilience Bill), organisations must:
    • Submit an initial early warning to the ICO within 24 hours of becoming aware of a significant incident
    • Provide a follow-up notification within 72 hours, including further detail on impact and response actions
    • Deliver a final incident report within 1 month of the 72-hour notification, including:
      • root cause
      • lessons learned
      • evidence of recovery

  • These timelines should inform internal processes, and the approach should be updated when final regulatory guidance is published.

Review and Testing of Response Capability

Response capability should be reviewed and exercised regularly to ensure it remains:

  • effective

  • up to date

  • aligned with emerging threats

  • consistent with regulatory expectations