
Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

21-T: Information Security Incident Management

This section evaluates how your organization detects, responds to, and learns from information security incidents.

The questions focus on whether you have a documented incident response process, defined roles and escalation paths, and clear criteria for identifying and classifying incidents. They also address how you investigate events, contain and remediate impact, communicate with affected stakeholders, and preserve evidence where required.

Overall, this section confirms that security incidents are handled in a controlled, timely, and repeatable way instead of improvised on the fly.

Explanation: A Business Continuity and Disaster Recovery (BCDR) plan ensures that critical business functions can continue during and after a disaster. This minimizes downtime, data loss, and disruptions to services.

Risks of Incorrect Answer: Prolonged downtime during disasters, leading to loss of client trust and revenue.

Non-compliance with industry standards or client agreements.

Inability to recover critical data, causing operational failure.

Applicable Frameworks:

NIST SP 800-34: Guidelines for contingency planning.

ISO 22301: Standards for business continuity management.

PCI DSS (Requirement 12.10.1): Requires an incident response and recovery plan.

Explanation: Regular testing ensures the BCDR plan is effective and up-to-date. Testing identifies gaps and provides an opportunity to refine procedures before an actual disaster.

Risks of Incorrect Answer: Outdated plans may fail during a real disaster.

Unprepared personnel and untested procedures lead to delays in recovery.

Regulatory penalties for failing to meet compliance requirements.

Applicable Frameworks:

ISO 22301 (Clause 8.5): Exercise programme; requires continuity procedures to be exercised and evaluated.

NIST SP 800-84: Guidance for conducting contingency plan tests.

SOX (Section 404): Internal control over financial reporting; the IT general controls assessed under it typically include backup and recovery of financial systems.

Explanation: RTO specifies the maximum acceptable time to restore services, while RPO defines the maximum data loss tolerable. Together, they align recovery expectations with business needs.

Risks of Incorrect Answer: Prolonged downtime beyond acceptable limits.

Loss of critical client data, leading to legal and reputational issues.

Misalignment with client service level agreements (SLAs).

Applicable Frameworks:

ISO 22301 (Clauses 8.2 and 8.3): The business impact analysis sets recovery objectives, and continuity strategies are selected to meet them.

NIST SP 800-34: Emphasizes defining RTOs and RPOs for recovery strategies.

Explanation: Regular backups ensure data can be recovered after accidental deletion, system failure, or a cyberattack. The interval between successful backups bounds the potential data loss, so the backup schedule must be set to meet the RPO and verified against what actually ran, not just what was scheduled.

Risks of Incorrect Answer: Inability to recover client data after an incident.

Significant data loss impacting business operations and compliance.

Loss of client trust and potential regulatory penalties.

Applicable Frameworks:

NIST CSF 1.1 (PR.IP-4): Backups of information are conducted, maintained, and tested.

HIPAA (164.308(a)(7)(ii)(A)): Requires data backup plans for electronic protected health information.

PCI DSS (Requirement 9.5.1 in v3.2.1; 9.4.1.1 in v4.0): Requires backup media to be stored in a secure location, preferably off-site.
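The RTO/RPO and backup-frequency items above are only meaningful if someone compares the declared targets with what the backup system actually achieved. The script below is an added example, not CRISP's assessment tooling, showing that comparison for both items at once. It assumes a backup log with one line per run ("timestamp job ok|fail") and a list of restore-test durations in minutes; the log, the durations, and the 4 h RPO / 2 h RTO targets are constructed for illustration.

```python
"""Added example (not CRISP's tooling): check backup history against the
RPO/RTO targets a BCDR plan declares.

Assumed input formats (mine, not from the page): backup jobs log one line per
run as "<ISO-8601 timestamp> <job> <ok|fail>", and restore tests record the
minutes each restore took. Both inputs below are constructed samples.
"""
from datetime import datetime, timedelta

# Targets as a BCDR plan might state them (constructed values).
RPO = timedelta(hours=4)   # maximum tolerable data loss
RTO = timedelta(hours=2)   # maximum tolerable time to restore service

# Constructed backup log. The nominal schedule is every 4 h, but the failed
# 04:00 run and the missing 12:00 run open 8 h gaps between good backups.
BACKUP_LOG = """\
2025-03-01T00:00:00 db-prod ok
2025-03-01T04:00:00 db-prod fail
2025-03-01T08:00:00 db-prod ok
2025-03-01T16:00:00 db-prod ok
2025-03-01T20:00:00 db-prod ok
2025-03-02T00:00:00 db-prod ok
"""

# Constructed restore-test durations (minutes) for the same job.
RESTORE_TESTS_MIN = [95, 140, 110]


def parse_log(text):
    """Return (timestamp, job, succeeded) tuples, skipping blank lines."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, status = line.split()
        runs.append((datetime.fromisoformat(ts), job, status == "ok"))
    return runs


def achieved_rpo(runs, now):
    """Worst-case data loss: the largest gap between consecutive successful
    backups, including the gap from the last success to `now`. Failed runs
    are ignored because a backup that did not complete protects nothing."""
    successes = sorted(ts for ts, _job, ok in runs if ok)
    if not successes:
        return None  # no recovery point exists at all
    points = successes + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def achieved_rto(restore_minutes):
    """Use the slowest observed restore, not the average: an RTO has to hold
    on the bad day."""
    return timedelta(minutes=max(restore_minutes))


def check_plan(runs, restore_minutes, now, rpo=RPO, rto=RTO):
    """Compare achieved values with targets; an empty findings list means
    both targets are met. `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    gap = achieved_rpo(runs, now)
    if gap is None or gap > rpo:
        findings.append(f"RPO missed: worst gap {gap} > target {rpo}")
    slowest = achieved_rto(restore_minutes)
    if slowest > rto:
        findings.append(f"RTO missed: slowest restore {slowest} > target {rto}")
    return {"rpo_gap": gap, "rto_observed": slowest, "findings": findings}


def run_sample():
    """Evaluate the constructed log as of 01:00 on 2 March."""
    return check_plan(parse_log(BACKUP_LOG), RESTORE_TESTS_MIN,
                      now="2025-03-02T01:00:00")


if __name__ == "__main__":
    result = run_sample()
    for finding in result["findings"] or ["RPO and RTO targets met"]:
        print(finding)
```

On the constructed data the script reports an 8 h worst-case gap against a 4 h RPO and a 140-minute slowest restore against a 2 h RTO, even though the schedule on paper looks compliant. Feeding it the real job history from the backup tool is the evidence an assessor would want to see behind a "yes" to the backup-frequency question.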

Explanation: Encrypting backups protects sensitive data from unauthorized access. This is especially critical when backups are stored offsite or in the cloud.

Risks of Incorrect Answer: Exposure of sensitive client data in case of theft or unauthorized access.

Non-compliance with data protection regulations, resulting in fines.

Increased impact from ransomware if attackers can read or tamper with unsecured backups.

Applicable Frameworks:

NIST CSF 1.1 (PR.DS-1): Data-at-rest is protected.

GDPR (Article 32): Requires appropriate encryption of personal data.

HIPAA (164.312(a)(2)(iv)): Addressable specification to encrypt and decrypt ePHI; 164.312(e)(2)(ii) covers encryption of ePHI in transit.
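A "yes" to the backup-encryption question is easy to give and easy to get wrong: a job that compresses a database dump and copies it to the cloud looks like a pipeline with encryption in it until someone opens the file. The check below is an added example, not part of CRISP's assessment or any backup product. The classification rule is a heuristic I am assuming for illustration: known plaintext or compression signatures mean the artifact is not encrypted, and otherwise near-maximal byte entropy is treated as likely ciphertext. Compressed data is also high-entropy, which is why the signature check runs first. The sample dumps and the stand-in ciphertext are constructed.

```python
"""Added example (not CRISP's tooling): sanity-check that a backup artifact is
actually encrypted before it is stored off-site or in the cloud.

Heuristic (assumed for illustration): recognised plaintext/compression
signatures -> not encrypted; otherwise high Shannon entropy -> likely
ciphertext. Sample inputs below are constructed.
"""
import gzip
import hashlib
import math
from collections import Counter

# Signatures nobody wants to see on a file labelled "encrypted backup"
# (constructed list; extend it for the backup tools actually in use).
PLAINTEXT_MAGIC = {
    b"-- MySQL dump": "mysqldump SQL text",
    b"--\n-- PostgreSQL database dump": "pg_dump SQL text",
    b"PGDMP": "pg_dump custom format (not encrypted)",
}
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip (no password)",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_backup(data, sample_size=4096):
    """Return (verdict, detail) based on the first `sample_size` bytes."""
    head = data[:sample_size]
    for magic, name in PLAINTEXT_MAGIC.items():
        if head.startswith(magic):
            return "plaintext", name
    for magic, name in COMPRESSED_MAGIC.items():
        if head.startswith(magic):
            return "compressed_unencrypted", name
    h = shannon_entropy(head)
    if h >= ENTROPY_THRESHOLD:
        return "likely_encrypted", f"entropy {h:.2f} bits/byte"
    return "plaintext", f"entropy {h:.2f} bits/byte, no known signature"


# Constructed samples: a dump with card-like data, and the same dump gzipped.
SQL_DUMP = (b"-- MySQL dump 10.13\n"
            + b"INSERT INTO clients VALUES (1,'Acme','4111111111111111');\n" * 50)
GZIPPED_DUMP = gzip.compress(SQL_DUMP)


def fake_ciphertext(nbytes, seed=b"example"):
    """Deterministic high-entropy bytes standing in for real ciphertext
    (a SHA-256 counter chain; this is NOT an encryption scheme)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


if __name__ == "__main__":
    for label, blob in [("dump.sql", SQL_DUMP),
                        ("dump.sql.gz", GZIPPED_DUMP),
                        ("dump.sql.gz.enc", fake_ciphertext(4096))]:
        print(label, *classify_backup(blob))
```

Two caveats a practitioner should keep in mind: ASCII-armored output (for example a PGP message in text form) is low-entropy and needs its own signature entry, and a high-entropy verdict says nothing about key management; the real evidence for the question is the encryption configuration of the backup tool plus a spot check like this one on what lands in storage.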

Explanation: A geographically distant backup site ensures redundancy and continuity in case of localized disasters, such as earthquakes or floods.

Risks of Incorrect Answer: Simultaneous failure of primary and backup sites during a disaster.

Inability to restore services, leading to significant business disruption.

Applicable Frameworks: ISO 27031: Emphasizes ICT readiness and geographic redundancy.

NIST SP 800-34: Recommends backup site considerations in contingency planning.

Explanation: A work-from-home policy ensures employees can continue operations remotely during emergencies. This is critical for maintaining productivity and client services.

Risks of Incorrect Answer: Inability to maintain business operations during disasters.

Increased security risks if remote work protocols are not defined.

Applicable Frameworks:

ISO 22301 (Clauses 8.3 and 8.4): Continuity solutions and plans, including alternate working arrangements for personnel.

NIST CSF 1.1 (PR.AC-3): Remote access is managed.

Explanation: Ransomware defenses include regular backups, endpoint protection, user training, and incident response plans. These measures reduce the risk and impact of ransomware attacks.

Risks of Incorrect Answer: Attackers encrypt production data and, without isolated and tested backups, recovery may depend on paying a ransom, which does not guarantee the data comes back.

Significant financial and reputational damage.

Non-compliance with data protection regulations.

Applicable Frameworks:

NIST CSF 1.1 (PR.IP-9): Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed.

ISO 27001 (A.12.2.1 in the 2013 edition; A.8.7 in 2022): Controls against malware.

HIPAA (164.308(a)(5)(ii)(B)): Addressable specification for procedures guarding against, detecting, and reporting malicious software that could affect PHI.

THANK YOU


You have successfully completed
the Information Security Incident Management portion of this Assessment.

Please Press Submit
so that we can process your results


Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.