An Incident Management and Response Plan (IRP) is a formally documented, executive-approved framework that defines an organization's pre-authorized capability to detect, respond to, and recover from information security incidents. It specifies who does what, when, and how, establishing roles, responsibilities, escalation paths, communication protocols, and recovery objectives before an incident occurs. The plan is a strategic governance document, owned at senior management or board level, and is distinct from procedures, which are the tactical, step-by-step operational instructions that implement it. The IRP answers "what is our overall approach and who has authority to act?"; procedures answer "what exact steps do we execute for this incident type?"
Where it stops · what it isn't
- IS: A formally documented, approved strategic document defining organizational incident response capability, roles, authority, and communication frameworks
- IS: A governance artifact maintained by the information security function with explicit executive or board approval and scheduled review cycles
- IS: A living document integrating legal, HR, communications, and technical functions into a unified response posture
- IS NOT: A step-by-step technical runbook or playbook; those are tactical procedures that implement the plan, not the plan itself
- IS NOT: A Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP); the IRP governs the detection, containment, and handling of security incidents, typically over hours to days, whereas the DRP and BCP govern restoring IT services and business operations after any major disruption, security-related or not, which can run from days to months. The plans reference each other (a severe incident may invoke the DRP or BCP), but they are separate documents with separate owners and triggers
- IS NOT: The operational execution of incident response; containment, eradication, and recovery steps are covered in operational procedures referenced by, but separate from, the plan
- IS NOT: A static compliance artifact; an IRP is only effective when tested, exercised, and regularly updated to reflect evolving threats and organizational changes
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Incident Classification and Categorization; Business Impact Analysis
- ENABLES: Incident Investigation, Containment, and Eradication; Incident Communication and Escalation; Post-Incident Review and Lessons Learned; Regulatory Notification Compliance (GDPR, HIPAA, PCI DSS)
- PART OF: Incident Management Program
- RELATED TO: Disaster Recovery Planning; Business Continuity Planning
- CONSTRAINS: Incident Response Procedures and Playbooks