A security manager observes that the organization's IT environment and external threat-intelligence feeds have shown no significant changes during the past six months. Several executives propose skipping the annual tabletop exercise and document review for the incident response plan. Which of the following is the MOST compelling reason to proceed with the scheduled review and update?
Because the environment is static, proactive changes are unnecessary until after a major breach takes place.
Regular reviews uncover otherwise hidden weaknesses and allow the plan to be improved before an actual incident occurs.
Regulatory and contractual obligations may require documented evidence of regular plan maintenance.
Skipping the review conserves budget and staff time for higher-priority projects.
An incident response plan is a living document that must adapt to evolving threats and to lessons learned during drills and audits. Even when the environment appears static, undetected weaknesses or procedural gaps can persist. Regular reviews-through tabletop exercises, simulations, and document updates-surface these weaknesses so they can be corrected before a real incident occurs. Standards such as NIST SP 800-61 recommend at least annual reviews or reviews after any significant change or exercise. Therefore, uncovering hidden weaknesses is the strongest justification. The other options are either secondary considerations, false economies, or contradict best practice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why should the incident response plan be updated regularly even if threat vectors seem unchanged?
Open an interactive chat with Bash
What are 'threat vectors', and how do they impact an incident response plan?
Open an interactive chat with Bash
What are some common methods to evaluate and test the effectiveness of an incident response plan?