IR-3: Incident Response Testing

Control Family:

Incident Response

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:


  • Low


  • Moderate
  • High
  • Privacy
    • IR-3

Previous Version:

Control Statement

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

Supplemental Guidance

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

Control Enhancements

IR-3(1): Automated Testing


(Not part of any baseline)

Test the incident response capability using [Assignment: organization-defined automated mechanisms].

IR-3(3): Continuous Improvement


(Not part of any baseline)

Use qualitative and quantitative data from testing to: Determine the effectiveness of incident response processes; Continuously improve incident response processes; and Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.