RS.IM-2: Response Strategy Updates
Response strategies must evolve as threats, technology, and organizational capabilities change. RS.IM-2 ensures your incident response plan stays current and effective, reducing blind spots during actual security events. A stale response strategy can cost you days of wasted effort when you need clarity most.
What this means
This control requires organizations to systematically review, test, and update their incident response strategies based on lessons learned, threat intelligence, organizational changes, and regulatory shifts. Response strategies include documented procedures for detection, containment, eradication, and recovery from security incidents. Updates should reflect new attack vectors, personnel changes, system modifications, and outcomes from previous incidents or tabletop exercises.
How to comply
- 1.Establish a formal schedule (at least annually) for reviewing and updating response strategies, documenting who owns this process
- 2.Conduct post-incident reviews after any security event to identify gaps and incorporate findings into updated procedures
- 3.Monitor external threat intelligence, industry advisories, and regulatory guidance to detect required strategy changes
- 4.Include response strategy updates in your change management process and track all modifications with version control
- 5.Test updated strategies through tabletop exercises, simulations, or limited incident response drills before full deployment
- 6.Communicate strategy updates to all incident response team members and relevant stakeholders
- 7.Document the rationale and effective date for each update to demonstrate continuous improvement
Evidence auditors look for
- Incident response plan with version history showing at least one annual update
- Post-incident review reports documenting findings and resulting strategy changes
- Meeting minutes or records showing cross-functional review of response procedures
- Updated runbooks, playbooks, and escalation procedures with approval dates
- Tabletop exercise results showing strategy testing and validation
- Change log or version control system tracking response strategy modifications
- Training records confirming team awareness of updated response procedures
- Threat intelligence summaries used to inform strategy revisions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch tracks response strategy review schedules, automates post-incident documentation collection, and flags when your incident response procedures are due for updates—ensuring RS.IM-2 compliance without manual spreadsheet tracking.
See how GRCWatch handles this control automatically
Start free trial