CAF - Objective D

Created:  30 Apr 2018
Updated:  31 Oct 2018
Indicators of Good Practice for Objective D

D1. Response and Recovery Planning

Capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.

There are well-defined and tested incident management processes in place that aim to ensure continuity of essential services in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.

D1.a   Response Plan

You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential service and covers a range of incident scenarios.

Not Achieved

At least one of the following statements is true:

Your incident response plan is not documented.

Your incident response plan does not include your organisation's identified essential service.

Your incident response plan is not well understood by relevant staff.

Partially Achieved

All the following statements are true:

Your response plan covers your essential services.

Your response plan comprehensively covers scenarios that are focused on likely impacts of known and well-understood attacks only.

Your response plan is understood by all staff who are involved with your organisation's response function.

Your response plan is documented and shared with all relevant stakeholders.

Achieved

All the following statements are true:

Your incident response plan is based on a clear understanding of the security risks to the networks and information systems supporting your essential service.

Your incident response plan is comprehensive (i.e. covers the complete lifecycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible attacks, previously unseen.

Your incident response plan is documented and integrated with wider organisational business and supply chain response plans.

Your incident response plan is communicated and understood by the business areas involved with the supply or maintenance of your essential services.


D1.b   Response and recovery capability

You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions.

Not Achieved

At least one of the following statements is true:

Inadequate arrangements have been made to make the right resources available to implement your response plan.

Your response team members are not equipped to make good response decisions and put them into effect.

Inadequate back-up mechanisms exist to allow the continued delivery of your essential service during an incident.

Achieved

All the following statements are true:

You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.

You understand the types of information that will likely be needed to inform response decisions and arrangements are in place to make this information available.

Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.

Back-up mechanisms are available that can be readily activated to allow continued delivery of your essential service (although possibly at a reduced level) if primary networks and information systems fail or are unavailable.

Arrangements exist to augment your organisation’s incident response capabilities with external support if necessary (e.g. specialist cyber incident responders).


D1.c   Testing and exercising

Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisations, and scenarios that draw on threat intelligence and your risk assessment.

Not Achieved

At least one of the following statements is true:

Exercises test only a discrete part of the process (e.g. that backups are working), but do not consider all areas.

Incident response exercises are not routinely carried out, or are carried out in an ad-hoc way.

Outputs from exercises are not fed into the organisation's lessons learned process.

Exercises do not test all parts of the response cycle.

Achieved

All the following statements are true:

Exercise scenarios are based on incidents experienced by your and other organisations, or are composed using experience or threat intelligence.

Exercise scenarios are documented, regularly reviewed, and validated.

Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.

Exercises test all parts of your response cycle relating to particular services or scenarios (e.g. restoration of normal service levels).

D2. Lessons Learned


When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.

D2.a  Incident root cause analysis

Your organisation identifies the root causes of incidents you experience, wherever possible.

Not Achieved

At least one of the following statements is true:

You are not usually able to resolve incidents to a root cause.

You do not have a formal process for investigating causes.

Achieved

All the following statements are true:

Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.

Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.

All relevant incident data is made available to the analysis team to perform root cause analysis.

D2.b   Using incidents to drive improvements

Your organisation uses lessons learned from incidents to improve your security measures.

Not Achieved

At least one of the following statements is true:

Following incidents, lessons learned are not captured or are limited in scope.

Improvements arising from lessons learned following an incident are not implemented or not given sufficient organisational priority.

Achieved

All the following statements are true:

You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.

Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems.

You use lessons learned to improve security measures, including updating and retesting response plans when necessary.

Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.

Analysis is fed to senior management and incorporated into risk management and continuous improvement.



