Incident Response
Controls & Security · Last updated 2026-05-17

Incident response is the structured set of activities a service organization performs when a security event is detected: triage, containment, eradication, recovery, and post-incident review. SOC 2 (Trust Services Criteria CC7.3 through CC7.5) expects a documented incident response plan, designated responder roles, communication procedures that cover customer and regulatory notifications where applicable, evidence that the plan is exercised (typically at least annually, through tabletop exercises or simulations), and records showing that actual incidents were handled according to the plan. The plan typically defines severity levels, response time objectives for each severity, escalation paths, and who holds decision authority for actions such as taking systems offline or engaging external counsel.

Auditors test incident response by reviewing the plan document, examining tabletop exercise reports, sampling actual incidents from the ticketing system, and verifying that notifications were made where contractually or legally required. Mature programs also run post-incident reviews that identify root causes and feed remediation actions into the broader security backlog. Weak incident response most often surfaces as an audit exception when an actual incident was handled without the documentation the plan calls for, or outside the plan entirely; because auditors sample real tickets, responders should record timestamps, decisions, and notifications as the incident unfolds rather than reconstructing them afterward.