PCI DSS 12.10.2: Test Your Incident Response Plan Every 12 Months
PCI DSS 12.10.2 mandates that your organization test its incident response plan at least once per year to ensure it actually works when a breach occurs. This control validates that your team can execute the plan effectively, identify gaps, and respond quickly to security incidents. Without regular testing, your incident response plan remains untested theory rather than proven operational capability.
What this means
This control requires organizations to conduct a full test of their incident response plan annually. Testing validates that documented procedures are executable, team members understand their roles, communication channels work, and the organization can contain and remediate incidents within acceptable timeframes. The test should simulate realistic incident scenarios and include all relevant stakeholders—security, IT, management, legal, and communications teams. Results must be documented to demonstrate compliance and identify areas for improvement.
How to comply
- 1.Document a comprehensive incident response plan that covers detection, containment, eradication, recovery, and post-incident activities
- 2.Schedule and conduct at least one formal test or simulation per calendar year involving all key departments
- 3.Record the test date, scope, participants, and scenarios executed during the annual test
- 4.Document findings, issues discovered, and time required to execute response procedures
- 5.Create remediation action items to address gaps identified during testing
- 6.Update the incident response plan based on test results and lessons learned
- 7.Maintain records of all annual tests and follow-up improvements for audit review
Evidence auditors look for
- Dated incident response plan test report signed by management
- Test execution logs showing simulation start/end times and participant involvement
- Tabletop exercise documentation with scenario details and team responses
- Post-test findings summary identifying response gaps or process inefficiencies
- Updated incident response procedures reflecting test-identified improvements
- Email communications showing test scheduling, execution, and results distribution
- Evidence of metrics captured: mean time to detect (MTTD), mean time to respond (MTTR), and containment effectiveness
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident response plan testing workflows by tracking annual test deadlines, consolidating test documentation, and generating compliance evidence reports—eliminating manual spreadsheet tracking and ensuring you never miss your annual testing window.
See how GRCWatch handles this control automatically
Start free trial