cisa-d5-protection-info-assets-security-incident-response-management

Security Incident Response Management

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Security Incident Response Management

Security Incident Response Management (SIRM) is a structured organizational capability that detects, analyzes, contains, eradicates, and recovers from cybersecurity incidents — then improves controls to prevent recurrence. It governs the full lifecycle of security events from the moment anomalous activity surfaces through post-incident lessons learned. In ISACA CISA Domain 5, SIRM functions as both a protective control and an assurance mechanism: auditors evaluate whether an organization's incident response program is adequately designed, implemented, and operating effectively to safeguard information assets.

Where it stops · what it isn't

—IS: The full lifecycle management of a declared security incident — preparation, detection, analysis, containment, eradication, recovery, and post-incident review (aligned to NIST SP 800-61 Rev 2 and ISO/IEC 27035:2023).
—IS: Governance structures (RACI matrices, escalation procedures), documentation requirements (incident response plan, playbooks, runbooks, communication templates), and regulatory notification obligations.
—IS: Forensic evidence preservation, chain of custody procedures, and coordination among technical responders, legal counsel, and executive stakeholders.
—IS NOT: Routine IT operations, change management, or standard help desk ticket resolution — these do not constitute security incidents unless a security boundary is violated.
—IS NOT: A pure technical function. SIRM spans people (roles, training), process (plans, playbooks), and technology (SIEM, EDR, SOAR) simultaneously.
—IS NOT: Business Continuity Management (BCM) or Disaster Recovery (DR), though SIRM coordinates with those functions during major incidents affecting availability.
—IS NOT: Threat intelligence management or vulnerability management in isolation — those disciplines feed SIRM's detection and preparation phases but are distinct competencies.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

CISA Domain 5: Protection of Information Assets

REQUIRES

Security Monitoring and Event Detection (SIEM/SOC Operations)Digital Forensics and Evidence CollectionInformation Asset Classification and Valuation

ENABLES

Regulatory Breach Notification Compliance (GDPR, HIPAA, SEC, NIS2)Post-Incident Control Improvement and Risk Remediation

RELATED TO

Business Continuity and Disaster Recovery PlanningVulnerability and Patch Management

CONSTRAINS

Ransom Payment Decision Frameworks (legal, regulatory, reputational boundaries)

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.