2. Planning and preparation
Organisations establish and maintain capabilities to respond to cyber incidents, and to recover and restore critical activities, systems and data affected by cyber incidents to normal operations. Planning and preparation occur before an incident and play a significant role in determining the effectiveness of CIRR activities.
10. Policies. Organisations establish policies that define the involvement of the organisation's functions in the CIRR process. The policies are based on regulatory, legal and business requirements and are enforced at all levels of the organisation, according to its size, complexity and risks, with coherence across relevant jurisdictions where the organisation operates. Policies include relevant high-level statements that drive the development of more detailed plans and playbooks. For instance, policies should, among other things, address the classification and the assessment of cyber incidents and include a clear communication strategy and plan, which describe whom to inform of the cyber incident within a given timeframe.