The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:
- The purpose of the information system and the precautions to be taken in the event of its disruption
- Recovery plans, targets, and priorities for the order of recovery of assets
- The role of implementing the response plans and the contact details of the persons assigned to the roles
- Continuation of normal operations regardless of the state of the information systems.
- Distribution, approval and review of response plans
In addition, the plan should at least:
- Establish a roadmap for developing disruption management capacity
- Describe the structure and organization of incident management capability
- Provides metrics to measure incident management capability
