Security Readiness Guide

Incident Response Evidence Checklist

Incident response is not proven by having a document alone. Reviewers want to see that the team can classify, escalate, communicate, and improve after incidents or exercises.

Response plan and roles

Keep a current incident plan with named roles, escalation channels, severity criteria, customer notification decision points, and legal or privacy review triggers.

Tabletop exercise records

Retain the scenario, participant list, timeline, decisions made, gaps discovered, and assigned follow-up items. Exercises should be realistic enough to reveal coordination issues.

Incident tickets and postmortems

For real incidents, preserve investigation notes, impact assessment, containment steps, communications, root cause, corrective actions, and verification that actions were completed.

Monitoring and alert evidence

Show how relevant alerts are configured, who receives them, how they are triaged, and what happens when alerts are missed or escalated.

Key Takeaways

  • Exercises without action tracking provide weak evidence.
  • Customer notification decisions should be documented even when notification is not required.
  • Incident readiness improves when owners and timelines are explicit.