
Incident response plan preparation, independent review, and risk-response planning

Primary statement

IR plan preparation is upstream of incident response execution: (1) plan, prepare, and communicate IR management (ISO A.5.24); (2) independent review of the security approach, covering people, processes, and technology (ISO A.5.35); (3) risk responses chosen, prioritised, planned, tracked, and communicated (NIST ID.RA-06); (4) a post-quantum cryptography (PQC) roadmap as a forward-looking risk response (SEBI PR.9 — inventory of asymmetric crypto, migration plan to NIST PQC standards). This page covers the preparation side; execution lives in cl-incident-response-execution.

Audit-fatigue payoff

A single IR plan document, independent review record, risk response tracker, and PQC roadmap together satisfy the plan-preparation requirements across all 11 contributing frameworks. The independent review evidence is the audit-defensible anchor that the other frameworks reference indirectly.

Strictness matrix

Scope
  Planning + preparation + communication of IR management. Three verbs — not just planning. The plan covers definition, establishment, and communication of incident management.
  Ceiling source: iso27001:A.5.24
  Rationale: ISO 27001 A.5.24 three-verb scope (plan + prepare + communicate) is the audit-defensible specification.
Threshold
  The organisation's approach to managing information security shall be reviewed INDEPENDENTLY — by parties separate from those who operate the security controls. Internal audit, external assurance, or peer review qualifies.
  Ceiling source: iso27001:A.5.35
  Rationale: ISO 27001 A.5.35 independence threshold is uniquely strict. Self-assessment fails this threshold.
Method
  (1) IR plan documented with all phases (preparation, detection, response, recovery, lessons-learned); (2) communication to all relevant parties; (3) independent review (A.5.35); (4) risk responses chosen / prioritised / planned / tracked / communicated (five verbs per NIST ID.RA-06); (5) PQC roadmap with crypto-agility plan (SEBI PR.9); (6) integration with cl-incident-response-execution.
  Ceiling source: nist_csf:ID.RA-06
  Rationale: NIST CSF 2.0 ID.RA-06 five-verb risk response method, combined with ISO A.5.24 plan and A.5.35 independent review, is the most prescriptive method.
Frequency
  Independent review: at planned intervals (typically annual) + when significant changes occur. IR plan review: annual minimum + post-incident. Risk response tracking: continuous. PQC roadmap review: annual, given evolving standards.
  Ceiling source: iso27001:A.5.35
  Rationale: Annual independent review with a significant-change trigger is the consistent floor. Post-incident plan update is the audit-defensible additional trigger.
Evidence
  Required evidence: (1) IR plan document; (2) communication evidence (training, tabletop materials); (3) independent review report (most recent); (4) risk response tracker; (5) PQC roadmap with asymmetric crypto inventory and migration plan (SEBI PR.9); (6) findings closure from independent review.
  Ceiling source: iso27001:A.5.35
  Rationale: ISO 27001 A.5.35 independent review report is the audit-defensible anchor evidence. Other frameworks reference it indirectly.

Auditor test pattern

Step 1: Inspect the IR plan document.
Step 2: Verify communication evidence (training, tabletops).
Step 3: Inspect the most recent independent review report; verify the independence of the reviewer.
Step 4: Verify that findings from the independent review are tracked and closed.
Step 5: Inspect the PQC roadmap with asymmetric crypto inventory.
Step 6: For Maturity Level 4 banks, verify that the PQC migration plan aligns with NIST FIPS 203/204/205.

Common findings

Common 2024–26 findings:
(1) IR plan exists but was never communicated; the "plan" lives only with the CISO.
(2) Independent review absent, or conducted by parties who operate the controls (fails the independence threshold).
(3) Risk response tracker dormant — risks logged but no responses planned.
(4) PQC roadmap absent despite the published NIST PQC standards (2024).
(5) IR plan not updated post-incident; lessons not captured.
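As an added illustration of the auditor test pattern and the common findings above (not code from any of the contributing frameworks), the following hypothetical pre-audit self-check replays the steps over a constructed evidence record: it tests reviewer independence against the list of control operators, the annual review interval, post-incident plan updates, finding closure, the five ID.RA-06 verbs per tracked risk, and maps each inventoried asymmetric algorithm to its FIPS 203/204/205 target. Field names, system names, and dates are assumptions.

```python
from datetime import date, timedelta

# Hypothetical pre-audit self-check (added example, not any framework's code) replaying the auditor test pattern.
ANNUAL = timedelta(days=365)
AS_OF = date(2025, 9, 1)  # constructed "today" for the sample run
# Quantum-vulnerable asymmetric uses mapped to the NIST PQC standard that replaces them
PQC_TARGET = {
    "RSA-OAEP": "ML-KEM (FIPS 203)", "ECDH": "ML-KEM (FIPS 203)",
    "RSA-PSS": "ML-DSA (FIPS 204) / SLH-DSA (FIPS 205)",
    "ECDSA": "ML-DSA (FIPS 204) / SLH-DSA (FIPS 205)",
}

def pqc_migration_plan(inventory):
    """Map each inventoried asymmetric use to its PQC target; unmapped algorithms are flagged."""
    return {e["system"]: PQC_TARGET.get(e["algorithm"], "REVIEW: no PQC mapping") for e in inventory}

def check_ir_prep(ev, today):
    """Return the list of audit findings for one evidence record (empty list = clean)."""
    findings, plan, review = [], ev["ir_plan"], ev["independent_review"]
    if set(plan["communicated_to"]) <= {"CISO"}:  # finding 1: plan lives only with the CISO
        findings.append("IR plan not communicated beyond the CISO")
    if plan["last_incident"] and plan["last_updated"] < plan["last_incident"]:  # finding 5
        findings.append("IR plan not updated post-incident")
    if set(review["reviewers"]) & set(ev["control_operators"]):  # finding 2: A.5.35 independence
        findings.append("review not independent: reviewer operates the controls")
    if today - review["date"] > ANNUAL:  # annual interval (significant-change trigger not modelled)
        findings.append("independent review overdue (annual)")
    for f in review["findings"]:
        if not f["closed"]:
            findings.append(f"review finding {f['id']} not closed")
    for r in ev["risk_tracker"]:  # finding 3: all five ID.RA-06 verbs must be evidenced
        missing = [k for k in ("response", "priority", "owner", "status", "communicated_to") if not r.get(k)]
        if missing:
            findings.append(f"risk {r['id']} logged but missing: {', '.join(missing)}")
    if not ev["pqc_inventory"]:  # finding 4: SEBI PR.9 inventory absent
        findings.append("PQC roadmap absent: no asymmetric crypto inventory")
    return findings

# Constructed sample evidence; names and dates are illustrative
SAMPLE = {
    "ir_plan": {"last_updated": date(2025, 1, 10), "last_incident": date(2025, 3, 2),
                "communicated_to": ["CISO"]},
    "control_operators": ["soc-lead", "platform-eng"],
    "independent_review": {"date": date(2025, 6, 1), "reviewers": ["soc-lead"],
                           "findings": [{"id": "F-1", "closed": False}]},
    "risk_tracker": [{"id": "R-1", "response": "mitigate", "priority": 1, "owner": "it-ops",
                      "status": "in-progress", "communicated_to": ["risk-committee"]}, {"id": "R-2"}],
    "pqc_inventory": [{"system": "api-gateway-tls", "algorithm": "ECDH"},
                      {"system": "code-signing", "algorithm": "RSA-PSS"}, {"system": "legacy-vpn", "algorithm": "DH"}],
}
```

Calling check_ir_prep(SAMPLE, AS_OF) on the constructed record returns five findings (unshared plan, stale plan, non-independent reviewer, open review finding, dormant risk R-2), and pqc_migration_plan flags the unmapped DH use for manual review.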