Testing Your Incident Response Plan
You must test your incident response plan. What’s the point of the plan if you aren’t sure that it works? Without appropriate testing, major steps or gaps could be missed, which could result in increased exposure during a real incident. PCI requirement 12.10.2 states, “Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.”
To verify compliance with PCI Requirement 12.10.2, an assessor will interview personnel and review documentation from previous testing to verify that the plan is tested at least annually, and that testing includes all elements listed in Requirement 12.10.1.
Your incident response plan needs to be documented, as we talked about, but your plan also needs to be tested at least annually. The purpose of this is to make sure that whatever you have documented is going to function as you believe it is. A lot of organizations kill two birds with one stone; they test their plan annually and as part of that, they also do the education of their incident response program at the same time. What your assessor is going to be doing is looking for some type of artifact that shows that your plan has been tested and that you carried out the plan as defined within your incident response program.