GRCWatch
Sign inStart free trial

PCI DSS 12.10.2: Test Your Incident Response Plan Every 12 Months

PCI DSS 12.10.2 mandates that your organization test its incident response plan at least once per year to ensure it actually works when a breach occurs. This control validates that your team can execute the plan effectively, identify gaps, and respond quickly to security incidents. Without regular testing, your incident response plan remains untested theory rather than proven operational capability.

What this means

This control requires organizations to conduct a full test of their incident response plan annually. Testing validates that documented procedures are executable, team members understand their roles, communication channels work, and the organization can contain and remediate incidents within acceptable timeframes. The test should simulate realistic incident scenarios and include all relevant stakeholders—security, IT, management, legal, and communications teams. Results must be documented to demonstrate compliance and identify areas for improvement.

How to comply

  1. 1.Document a comprehensive incident response plan that covers detection, containment, eradication, recovery, and post-incident activities
  2. 2.Schedule and conduct at least one formal test or simulation per calendar year involving all key departments
  3. 3.Record the test date, scope, participants, and scenarios executed during the annual test
  4. 4.Document findings, issues discovered, and time required to execute response procedures
  5. 5.Create remediation action items to address gaps identified during testing
  6. 6.Update the incident response plan based on test results and lessons learned
  7. 7.Maintain records of all annual tests and follow-up improvements for audit review

Evidence auditors look for

  • Dated incident response plan test report signed by management
  • Test execution logs showing simulation start/end times and participant involvement
  • Tabletop exercise documentation with scenario details and team responses
  • Post-test findings summary identifying response gaps or process inefficiencies
  • Updated incident response procedures reflecting test-identified improvements
  • Email communications showing test scheduling, execution, and results distribution
  • Evidence of metrics captured: mean time to detect (MTTD), mean time to respond (MTTR), and containment effectiveness

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident response plan testing workflows by tracking annual test deadlines, consolidating test documentation, and generating compliance evidence reports—eliminating manual spreadsheet tracking and ensuring you never miss your annual testing window.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.10.1 — Establish incident response planPCI DSS 12.10.3 — Designate incident response personnelPCI DSS 12.10.4 — Notify payment card industry if cardholder data is breachedISO 27035 — Information security incident managementNIST SP 800-61 — Computer Security Incident Handling Guide