GRCWatch
Sign inStart free trial

PCI DSS 12.10.1: Maintain Incident Response Plan Ready for Activation

A documented incident response plan isn't just compliance theatre—it's your organization's lifeline when a breach happens. PCI DSS 12.10.1 requires your plan to be fully developed, tested, and ready to activate immediately. Learn how to build and maintain one that actually works.

What this means

This control requires organizations to establish, document, and maintain a formal incident response plan that can be activated without delay in the event of a system breach or security incident. The plan must be comprehensive, regularly reviewed, and periodically tested to ensure all stakeholders understand their roles and the procedures work in practice. It's not enough to have a plan—it must be operationalized and current.

How to comply

  1. 1.Create a written incident response plan that covers detection, containment, eradication, recovery, and post-incident activities
  2. 2.Define clear roles and responsibilities for each team member involved in breach response
  3. 3.Document specific procedures for isolating affected systems, preserving evidence, and communicating with stakeholders
  4. 4.Include escalation paths, notification timelines (especially for regulatory and customer notification), and contact information for internal and external resources
  5. 5.Establish testing schedules and conduct tabletop exercises or simulations at least annually
  6. 6.Review and update the plan within 12 months and whenever significant business or security changes occur
  7. 7.Ensure all relevant personnel are trained on their assigned roles and responsibilities

Evidence auditors look for

  • Signed incident response plan document with approval dates and version control
  • RACI matrix showing defined roles (incident commander, forensics lead, communications officer, etc.)
  • Incident response procedures manual with step-by-step breach handling workflows
  • Contact registry or escalation tree with updated phone numbers and email addresses
  • Test logs documenting annual incident response drills or tabletop exercises with participation records
  • Training records showing incident response personnel completed awareness training
  • Plan review records with updates dated within the past 12 months
  • Post-incident reports demonstrating the plan was activated and followed during real or simulated events

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's centralized control management system automatically tracks incident response plan versions, testing schedules, and personnel training completion, ensuring your plan stays current and audit-ready without manual spreadsheet updates.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.10.2 — Review and testing of incident response planPCI DSS 12.10.3 — Incident response procedures for payment card dataPCI DSS 12.10.4 — Business continuity and disaster recovery proceduresPCI DSS 12.10.5 — Forensic investigation procedures