GRCWatch
Sign inStart free trial

RS.RP-1: Incident Response Plan Execution

When a security incident strikes, execution speed determines damage control. NIST Cybersecurity Framework control RS.RP-1 requires you to activate and execute your incident response plan during or immediately after an incident. This guide shows SMBs how to implement effective plan execution with practical, auditable steps.

What this means

RS.RP-1 mandates that organizations have a documented incident response plan and actually execute it when incidents occur—not just keep it gathering dust. Execution means activating your team, following defined procedures, containing the threat, documenting actions, and preserving evidence. The control ensures your organization can respond methodically rather than reactively improvising during crisis.

How to comply

  1. 1.Develop a written incident response plan that includes roles, responsibilities, communication chains, containment steps, and recovery procedures
  2. 2.Define incident severity levels and corresponding activation triggers (e.g., data breach, system outage, malware detection)
  3. 3.Assign an incident response team with clear leaders and escalation paths
  4. 4.Conduct annual tabletop exercises or simulations to test plan execution and identify gaps
  5. 5.Document every incident response action taken, including timestamps, decisions, and evidence collected
  6. 6.Review and update your plan at least annually or after each major incident
  7. 7.Ensure all staff knows how to report incidents and where to escalate them

Evidence auditors look for

  • Incident response plan document signed and dated by management
  • Incident response team roster with assigned roles and contact information
  • Logs from incident response drills or simulations with documented outcomes
  • Incident tickets or reports showing plan execution during actual incidents
  • Post-incident review reports documenting lessons learned and plan adjustments
  • Evidence of plan communication and training to relevant staff
  • Call trees or escalation procedures used during incident response

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident logging, team notifications, and documentation during response—eliminating manual chaos and ensuring every action is timestamped and audit-ready without adding overhead to your incident command.

See how GRCWatch handles this control automatically

Start free trial

Related controls

RS.RP-2: Incident response plan coordinationRS.CO-1: Incident personnel public awareness and understandingDE.DP-4: Anomalies and events detected and analyzed