Question: Has the organization defined an incident-response policy and roles approved by leadership?

Why This Matters

Without a formal policy, response efforts are uncoordinated and slow. Defined authority, scope, and roles ensure decisions happen quickly during crises.

Maturity

0 — Unaware
No documented policy; ad-hoc reactions.

1 — Ad Hoc
Informal roles; unclear authority.

2 — Defined
Policy approved; IR Team chartered.

3 — Managed
Roles trained; communication matrix in place.

4 — Integrated
Policy linked to risk & BCP; tested annually.

5 — Optimized
Continuous review and alignment to new threats.

How to Level Up

From → To	Actions
0 → 1	Appoint an incident lead; record contact list.
1 → 2	Write and approve IR policy with scope & authority.
2 → 3	Train members; publish contact matrix.
3 → 4	Align IR policy with risk & continuity plans.
4 → 5	Review quarterly; benchmark with peers.

Enablers

People: CISO / IR Manager / Legal / Comms.
Process: Policy creation, review, testing.
Technology: Document portal, alerting channels (Slack, Teams).

Evidence

Signed policy and charter.
Role descriptions & org chart.
Proof of training/acknowledgment.

KPIs

Policy review frequency.
% of staff aware of IR roles.
Time to acknowledge incident notification.

Low-Cost / Open-Source Options (MSME)

Purpose	Tool	Notes
Policy storage	Git / Wiki	Versioned change history.
Alerting	Slack / Rocket.Chat	Team notifications.
Contact list	Google Sheets / Nextcloud	Simple shared matrix.

Common Pitfalls

Policy exists but never tested.
Roles unclear in off-hours.
No integration with BCP or risk register.

Compliance Mapping

Standard	Clauses / Notes
ISO/IEC 27001:2022	A.5.24 (Incident Management)
CERT-In 2022	Section 28 (Incident Response Policy)
DPDP Act 2023	Sec 10 (Accountability & Governance)
NIST CSF 2.0	RS.MA / RS.RP
NIRMATA Mapping	IR-Q01 anchors formal incident policy evidence.