Incident Training Testing and Evaluation
Key Takeaways
- Tabletop exercises, simulations, and red-team drills validate that the IRP works and that people know their roles before a real incident.
- The post-incident review (lessons learned) is the program-improvement loop; its purpose is to fix root causes, not assign blame.
- Incident metrics, MTTD, MTTC, MTTR, dwell time, drive measurable program improvement reported to management.
- Training, testing, and evaluation turn a static plan into a tested capability; ISACA treats an untested plan as ineffective.
Building and Proving Readiness
An incident response plan that is written but never exercised is, in ISACA's view, not a real capability. Training, testing, and evaluation are what convert the document into responders who know their roles under pressure. This section also includes the final lifecycle phase, Lessons Learned, which closes the improvement loop.
Exercise Types, From Light to Heavy
Mirroring DRP testing, incident exercises escalate in realism and cost:
| Exercise | What happens | Primary value |
|---|---|---|
| Tabletop | Team discusses a scenario around a table | Cheap validation of roles, gaps |
| Walkthrough | Step through procedures in detail | Confirms procedure completeness |
| Simulation / functional | Inject realistic events; team responds | Tests detection and coordination |
| Red team / purple team | Adversary emulates an attack | Tests real detection and response |
| Full-scale / live | End-to-end response, possibly with failover | Highest realism, highest disruption |
Tabletop exercises are the most common starting point because they surface plan gaps, unclear ownership, missing contacts, and decision bottlenecks cheaply and without operational risk. A scenario asking how to validate a new IRP without endangering production points to a tabletop or simulation first, not a live attack.
Training the People
Beyond the CSIRT, broader security awareness training matters: most incidents start with a user (phishing, weak passwords, mishandled data), and users are the first to notice and report anomalies. The IRP only works if every employee knows how and to whom to report a suspected incident.
Post-Incident Review and Metrics
Lessons Learned (Post-Incident Review)
After recovery, the team conducts a post-incident review while details are fresh. Its purpose is improvement, not blame: identify the root cause, what worked, what failed, and what controls or plan changes prevent recurrence. ISACA stresses a blameless culture, fear of punishment suppresses the honest reporting the program needs. Outputs feed back into Preparation: updated playbooks, new detection rules, additional training, and control changes. This is the loop that raises program maturity.
Key questions the review answers: Was detection timely? Was containment effective? Were the right stakeholders notified on time? Did the classification hold up? What is the root cause, and is it systemic?
Metrics That Demonstrate Maturity
The security manager reports incident-management performance to senior leadership using consistent metrics. Memorize these:
| Metric | Meaning |
|---|---|
| MTTD (Mean Time to Detect) | Average time from occurrence to detection |
| MTTA (Mean Time to Acknowledge) | Time from alert to someone responding |
| MTTC (Mean Time to Contain) | Time from detection to containment |
| MTTR (Mean Time to Recover/Respond) | Time to restore normal operations |
| Dwell time | How long an attacker was present undetected |
Falling MTTD and MTTC over time evidence a maturing program; rising numbers signal investment needs. These metrics, plus incident volume by category and severity, are the language a CISM-aligned manager uses to justify budget and demonstrate due diligence to the board.
Trap to avoid: A post-incident review that focuses on disciplining the employee who clicked the phishing link misses the point, the deliverable is a fixed root cause (better filtering, training, and controls), not a scapegoat. Likewise, declaring an incident closed without a documented review forfeits the single most valuable output of the entire lifecycle.
Designing Effective Exercises and Closing the Loop
Good exercises are designed, not improvised. Each should have objectives (what capability is being tested, detection, escalation, communication, recovery), a realistic scenario drawn from current threats, defined participants including business and legal where relevant, and observers who record what actually happens against what the plan says. After the exercise, a written after-action report captures gaps and assigns owners and due dates for fixes, so testing produces change rather than reassurance.
What Exercises Commonly Reveal
Across organizations, the same weaknesses recur, and the exam often describes one as a scenario:
- Unclear authority, no one is sure who can declare an incident or approve external communication.
- Stale contact information, the escalation list points to people who have left.
- Notification gaps, legal or executives are told too late to meet regulatory deadlines.
- Tool blind spots, an attack path the SIEM does not cover.
- Recovery assumptions that fail, backups that will not restore, undocumented dependencies.
A tabletop is often the cheapest way to surface these before a real adversary does.
Continuous Improvement and Maturity
Training, testing, evaluation, and lessons learned form a continuous improvement cycle that raises program maturity over time. The security manager evidences this to the board with trend data, falling mean time to detect (MTTD) and mean time to contain (MTTC), shrinking dwell time, and rising exercise participation and pass rates. Improvement is demonstrated by measured outcomes, not by the existence of documents.
Two enduring CISM principles anchor this section. First, an untested plan is treated as ineffective, regardless of how thorough it looks on paper; capability is proven through exercises. Second, the post-incident review is a blameless, root-cause-focused activity whose deliverable is prevention, fixing the systemic weakness so the same incident cannot recur, rather than identifying someone to punish. A program that exercises regularly, reviews honestly, and reports measurable improvement is exactly the picture of due diligence ISACA expects an information security manager to present.
What is the primary purpose of the post-incident review (lessons learned) phase?
An organization wants to validate a newly developed incident response plan with the least operational risk. Which approach is most appropriate first?