How Does Formal CSIRT Designation Move Beyond a Checklist?
A formal CSIRT (Computer Security Incident Response Team) designation under Article 10 of EU Regulation 2024-2690 is not a mere administrative stamp; it is the operational backbone of cyber resilience across all critical sectors. Modern regulators have shifted expectations: today’s designation delivers living, defensible evidence that the team is both structurally and functionally prepared, mapped to sector requirements, and maintaining independence in action, not just on paper. Your CSIRT’s designation now becomes a living record, subject to evidence-based scrutiny year-round, not just in annual reviews.
Documentation fades, but evidence builds trust: reviewers chase proof, not promises.
What Does Real Evidence Look Like for CSIRT Audit-Readiness?
The move from formality to functional proof is non-negotiable: every CSIRT must now show operational linkage between its official designation and the evolving responsibilities, authorities, and coverage of each team member. Article 10 mandates that designated CSIRTs present a watertight audit trail, spanning delegated authority, sector-specific mappings, change logs, and HR-verified separation, that stands up under digital forensics. When a regulator requests documentation, the expectation is for a live system: logs, board-signed mappings, and real-time independence records.
| Expectation | Evidence to Provide | ISO/NIS2/ENISA Reference |
|---|---|---|
| Named CSIRT | Signed org chart, delegation letters | ISO 27001 A.5.2; Art. 10 NIS2 |
| Sector scope coverage | Board-endorsed sector assignment | NIS2 Annex I/II; SoA, ENISA |
| Independence from operational units | Org chart; HR logs; distinct lines | ISO 27001 A.5.2, ENISA Guide |
| Authority to respond | Incident decision logs; approvals | Art. 10(2) NIS2 |
Live, sector-aligned evidence must persist as circumstances shift: adding a new critical sub-sector (like energy or health) requires your audit logs to tell the story: who requested the change, which board members approved, how the coverage overlaps, and when the switch became effective. Audits increasingly chase not the static declaration, but the update rhythm and integrity of your logs.
Mapping Sectors to Scope: No More “We Cover Everything”
Assertions of “all sectors” fall flat under scrutiny. Regulators now expect a board-signed table mapping each sector to a CSIRT member or sub-team, highlighting any gaps or overlaps, and documenting the rationale for exceptions. This is not a set-and-forget exercise: regular reviews buffer against regulatory drift and sector creep (bsi.bund.de/EN/Themen/NIS2).
Structural Independence: Proof Over Promises
Regulatory assurance demands real operational segregation; cross-over in reporting lines or support personnel must be auditable. Org charts are only proof-positive when they are current, digitally signed, and mapped to incident handover records (enisa.europa.eu/csirt-capabilities). Any unlogged overlap risks critical non-conformance findings.
Appointment and Change: Living the Lifecycle
Staff turnover is the most common audit risk. Every staff appointment, onboarding, or role change must generate a digitally signed artefact, preserved in the CSIRT’s compliance archive. Inadequate onboarding records and unclear revocation workflows are cited by regulators as root causes for compliance disputes.
Compliance is a Shifting Relay, Not a Finish Line
Your challenge: transform compliance from static to continuous. Every CSIRT update (new member, sector change, duty rotation) must prompt a digitally signed log with a clear sign-off trail. Those who treat compliance as a living, update-driven exercise are rewarded with audit velocity and resilience; others, with corrective action findings.
What Operational Proofs Must a CSIRT Deliver to Satisfy Article 10?
NIS 2 Article 10 asks for more than compliance paperwork; auditors will probe live systems for enduring, behaviour-based evidence of independence, readiness, and real-time governance. The test isn’t “Did you build a CSIRT?” but “Can you prove it survived the last 12 months of staff, sector, and incident changes?”
Independence isn’t declared; it’s discovered by audit. Logs beat diagrams every time.
Proving Independence in Daily Practice
Beyond the org chart, practical independence must show in role and meeting logs. Each cross-entity handoff, escalation, and role change should trigger an audit-traceable entry. Forensic analysis of these logs is now a basic regulatory move. Incomplete or out-of-date entries signal structural gaps.
Ensuring True Continuous Coverage
Operational continuity is demonstrated through call logs and shift rosters, with explicit zero-gap evidence covering holidays, after-hours, and increased threat periods. ISMS log planners and timestamped rosters are key shields: any mismatch draws regulator attention (first.org/resources/guides/csirt-services). “We call someone if there’s a breach” is no longer defensible.
Safeguarding Confidentiality and Data Access
Every onboarding, role transition, and offboarding event must result in privilege audits and digitally signed records. Gaps in handovers or access reviews are flagged instantly by new regulatory tooling. Missing handoffs are not minor errors; they are treated as evidence of shallow governance.
Role Segregation in Incident Response
Segregation between incident responders and reviewers is essential: no team member should investigate and approve alone. Shared logins or ambiguous roles are red flags (pl.harvard.edu/newsroom/eu-cyber-security). Regulators expect logs that confirm dual control at every stage.
Always-On: Handling the Red Team Test
Auditors may now initiate “cold calls” during holidays or time-stress periods, testing live responses, not just claims of 24/7 cover (lhc.gov.uk/insights/csirt-readiness). Standby logs, call trees, and readiness tests are the expectation, not the exception.
Access Log Integrity Across Roles
Each change of staff, role, or privilege requires a closing loop: entry and exit should trigger aligned logs in HR, IT, and CSIRT privilege records (techuk.org/resource/controls-for-csirt-data.html). Any break here undermines auditor trust and, increasingly, board confidence.
Governance & Ongoing Review
Routine, bi-annual, and event-driven governance reviews must be logged and auditable. Not only is the frequency scrutinised, but the depth and outcome tracking as well (controlrisks.com/insights/cyber-governance). Skipped follow-up actions or review notes are flagged by both internal audit and external regulators.
What Technical and Evidence Capabilities Are Auditors Looking For?
CSIRTs are judged on their digital audit muscle: the ability to instantly produce evidence of incident handling, privileged access, and encrypted communications, with end-to-end traceability from detection to board sign-off.
Real trust is built by logs that match reality, not wishful reporting or isolated systems.
From SIEM Alert to Audit Export: Proving the Incident Trail
Live, export-ready SIEM logs and incident management records must document each step from threat detection to incident closure. Auditors now cherry-pick incidents, expecting regulator-ready, timestamped evidence at each touch (op.europa.eu/document/siem-misp-reqs). Gaps or manual-only records are grounds for instant improvement requirements.
Encryption and Communication Logs
All communications, routine or emergency, are expected to be encrypted and fully logged. Timestamps and proof of TLS/VPN (or equivalents) are checked during audits. Lapsed encryption or missing log trails attract repeat citations, especially under cross-sector requirements (tessian.com/blog/email-encryption-reg-compliance).
Documenting Workforce Resilience
Auditors link staffing levels and skill-sets to sectoral obligations, demanding 3+ years of CMDB (Configuration Management Database) logs for workforce, role, and redundancy planning (techtarget.com/searchsecurity/feature/csirt-team-building). This includes cross-mapping to sector coverage, ensuring capacity is more than a paperwork claim.
Real-Incident Traceability
Auditors expect you to demonstrate at least three end-to-end incident chains, from SIEM trigger to lesson-learned. These must be live, not sample records (darkreading.com/enterprise-security/incident-review-lessons). Walkbacks and digital cross-links are the new audit gold.
Automated Audit Logs and Workflow
Built-in, auto-exportable logs are now mandatory. Manual summaries or spreadsheet-driven reviews invite penalty, both in time and in compliance scoring (securitybrief.eu/story/automate-your-cyber-resilience).
Regulatory Incident Reporting: End-to-End Mapping
Incidents are no longer isolated: each must tie directly to an external or sectoral report. Your SIEM, risk register, and compliance logs must flow, unbroken, from alert through remediation to final disclosure (scmagazine.com/analysis/reporting-eu-cyber-incidents).
| Trigger | Risk Register Update | Control / SoA Link (ISO 27001) | Evidence Logged |
|---|---|---|---|
| New sector onboarding | Sector risk updated (CMDB) | ISO Annex I/II; SoA sector update | Board sign-off, Roster |
| Critical incident | Incident risk elevated (SIEM) | A.5.25/26 escalation log | Log export, Incident review |
A unified log, not a glossary, is what wins digital audits.
How Can You Demonstrate Ongoing Workforce Competence and Live Readiness?
Auditors no longer accept expired PDF certificates or static skills spreadsheets. They seek dynamic dashboards, live peer reviews, and event-driven skills assessments: evidence that your CSIRT is fit today, not just last year.
Readiness lives in your logs; the only expiry you want is in training certificates, not auditor trust.
Building a Live Training and Competence Ecosystem
Training logs must be granular: each event requires unique sign-off with digital traceability. Bulk attestation is flagged as a compliance risk (digital-strategy.ec.europa.eu/en/library/csirt-capability-building). Live dashboards aligned with ENISA skills frameworks are checked both by internal and external reviewers.
Sector-Specific Skill Matrices
Sector alignment is now mandatory: skill matrices must connect live CSIRT personnel with sector requirements. Energy, transport, finance, and health each need attributable, current logs (ec.europa.eu/soteu/en/policy-evidence/sector-skills). Generic cyber-security badges are no longer enough.
Regulators don't just want generic cyber-security; they require sector proof (ec.europa.eu/soteu/en/policy-evidence/sector-skills).
Expiry, Recertification, and Assessment Logs
Automatic expiry reminders for skills and certificates, training updates, and ongoing skills assessment are monitored live (isc2.org/certification-renewal). Missed renewals trigger audit findings.
Continuous Improvement Through Incident Learning
Every incident feeds into training: post-event reviews must be logged per individual, linking debriefs to future assessment and remediation actions (sans.org/newsletters/ouch/post-incident-training). Audits follow these loops across multiple events.
Peer Review: A Living Feedback Cycle
Digitally logged peer reviews, not static supervisor sign-offs, are the new normal. Internal and regulator reviews are cross-checked for log activity and completeness (knowbe4.com/products/skills-gaps).
Unified Skills Matrix: Legal, Technical, and Sector
One dynamic, regularly updated skills matrix links compliance training, sector fluency, legal understanding, and technical mastery (mondaq.com/uk/cyber-security/nis2-skills). Siloed training records are red-flagged for evidence fragmentation.
How Are Cross-Border, Sector, and Network Integrations Orchestrated for Audit-Ready Trails?
Article 10 compliance now extends well beyond the boundaries of your organisation, requiring demonstrable integration with national, EU, sectoral, and third-party networks, all traceable through coherent system logs and digital contracts.
Proof of integration, across borders or sectors, comes in logs, not claims. Modular evidence packs win every time.
Living Evidence of ENISA and National Integration
Digitally signed, current data-sharing agreements and technical handoff logs are base expectations. Connectivity with ENISA’s CSIRT network and sectoral peers must be traceable from request through information transfer to closure (enisa.europa.eu/topics/csirt-cert-services/csirt-network).
Cross-Border Escalation Trails
Audit packs must contain logs for every cross-border incident or test event, documenting escalation protocols, technical contact handovers, and closure reviews (getcyberresilient.com/articles/nis2-best-practises). Missing evidence or fragmentation here risks major non-conformance findings.
Exercises and After-Action Learning
Joint exercises and the resulting after-action reports are a regulatory fixture. Learning must be visible in logs, documenting updates, not just recommendations (europa.eu/newsroom/cyber-europe-exercises). Auditors expect to see lessons implemented, not lost.
Sensitive Handling with TLP Classification
Sensitive incident management logs should be TLP-classified and case-linked, not just colour-coded, and be fully exportable and reviewable (first.org/tlp/).
Third-Party Integration and Pipeline Testing
Proof of private/third-party CSIRT linkage is demonstrated by evidence of joint reviews, feedback cycles, and synchronised audit exports (eureporter.co/eu-cyber-security-handovers). Siloed platforms or asynchrony slow down, not satisfy, audit requests.
Modular Evidence and Synchronisation Cadence
Auditors reward modular, exportable, and harmonised evidence packs. Speed and completeness of export mark out progressive teams (computerweekly.com/feature/cross-sector-incident-proof). Test export cadence as rigorously as incident response.
Resource Pipeline Synchronisation
Resource allocation and escalation contracts must flow as swiftly as evidence trails; mismatches between planning and live logs are a common audit warning sign (barracuda.com/blog/csirt-incident-activation).
Real Incident Pipeline Testing
Use cross-border exercises to find and resolve pipeline breaks before real incidents test your integrations (computerworld.com/article/csirt-jurisdiction-fail).
What Do CSIRT Auditors and Regulators Actually Review in Article 10 Audits?
Audit success is as much about digital velocity as proof accuracy. Expect random, electronic-first evidence requests for designation logs, training records, escalation contracts, and learning cycles, each mapped to live, exportable audit packs.
Easy access + cross-referenced logs = trust from both regulators and boards.
Persistent Designation Archives and Amendment Logs
Store every designation, amendment, and appointment with a digital signature and timestamp (ncsc.gov.uk/guidance/designation-proof). A compressed, central, and up-to-date archive is the linchpin of audit agility.
Digital-First, Rapid Export Capability
Readiness now includes rapid, ad hoc export for all essential artefacts: designation, training, incident, and sector engagement logs (isaca.org/resources/digital-compliance). PDF scans or partial exports are below baseline.
Proof of Sectoral and Cross-Border Interoperability
Operational integration means matching digital agreements to audit-logged events. Auditors check not only contracts, but the count and traceability of real-world escalations and handoffs (ec.europa.eu/newsroom/escrow-docs).
Signed, Traceable Approvals
Each control or learning action must be digitally signed with traceable logs. High-level, batch approvals are deprecated; granular sign-off is now base compliance (gdpr.eu/compliance/logging-approval).
Rapid Remediation Cycles
Auditors measure improvement speed: the time elapsed between incident, review, and completed changes (ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en). Delays here reflect deeper process weaknesses.
Review Cadence: Keep Pace With Audit Frequency
Set review cycles more frequently than annual; the audit cycle is now biannual or faster. Stale evidence or missed cycles are major audit flags (auditboard.com/blog/compliance-cadence).
Audit-Ready Packs Across Sectors: 24-Hour Turnaround
High-performing CSIRTs routinely generate cross-sector audit packs in under 24 hours, digital-first and fully cross-referenced (forbes.com/sites/cyber-security/audit-trails). Board and regulator expectations now converge on rapid audit support as core resilience.
Where Do Most Teams Trip Up, and How Do Progressive CSIRTs Fix It?
Non-compliance often results not from lack of effort, but from static evidence trails, neglected renewal cycles, fragmented records, and unsynchronised protocols that struggle to match regulatory velocity. Progressive CSIRTs solve this with a combination of digital infrastructure, proactive process, and continuous review.
Compliance gaps aren’t caused by lack of policy; they’re born from evidence blind spots.
The Trap of Static Logs
Most audit failures come from static, single-instance logs that are never refreshed. Progressive teams use digital, rolling evidence systems, auto-update mechanisms, and centralised designation/capability records (enisa.europa.eu/publications/compliance-survey).
Independence Failures: Evidence, Not Just Org Charts
Regulators cite false independence most: if practical logs, approvals, and privilege records are not separated, auditors will escalate (cisecurity.org/blog/csirt-separation-failures).
Lapsed or Out-of-Date Training and Assessment Logs
Missed re-certifications, training expiry, or lapsed skill assessments are cited year after year. Automate reminders, tie skills to sector needs, and retain log chains for a minimum of three years (zdnet.com/article/compliance-fails-punished).
Peer Reviews That Drive Live Improvement
Turn peer reviews into structured improvement cycles, not mere paperwork. Each cycle must close the loop with a logged, actionable outcome (europolitics.eu/news/csirt-peer-review).
Evidence Fragmentation: The Audit Speed Bump
Central, modular evidence logs scale far better than siloed or team-by-team records. Harmonisation is a leading efficiency driver (infopro-digital.com/sector-evidence-packs).
| Format | Risk | Retrieval Speed | Audit Score |
|---|---|---|---|
| Fragmented, siloed | High | Slow | Low |
| Unified, modular, live | Low | Rapid | High |
Cross-Border Synchronisation: Pipeline Weakness
Many teams discover weak evidence synchronisation only in real events. Test your pipelines during exercises and patch findings promptly (computerworld.com/article/csirt-jurisdiction-fail).
Get Audit-Proofed, Not Box-Checked, With ISMS.online
Article 10’s demands cannot be satisfied with static records or point-in-time exports; they require a digital, living archive of designation, incident, competence, and integration logs. ISMS.online unifies these compliance elements, creating a modular, rapid-export platform trusted by CISOs and audit leads across critical sectors (ismsonline.com/case-studies/compliance-cycle).
Every audit becomes a trust-building exercise when your evidence is one click away.
Automated sign-offs, live dashboards, and cross-sector review enable you to convert ongoing compliance into strategic advantage, not just a regulatory hurdle. Our platform bridges designation, risk, incident, sectoral, and supply chain logs into a continuously ready, cross-referenced audit pack, delivered in hours, not delays. CISOs and compliance teams consistently report major reductions in audit admin, seamless regulator handoff, and the agility to implement regulatory changes with confidence (thebusinessdesk.com/tech/isms-validation).
With Article 10, compliance is no longer statically won, but dynamically sustained. Make your CSIRT a living, trusted node in your sector and national cyber network, hardened by unified evidence, not wishful diagrams.
Take your proof-readiness up a level: schedule an ISMS.online audit capability review today and turn every inspection into a demonstration of trust.
Frequently Asked Questions
Why is CSIRT designation under Article 10 now a “living” compliance obligation, and what changes does it demand?
Article 10 pivots CSIRT designation from a static administrative hurdle to a real-time, living compliance lifecycle, where every team composition, appointment, and sector mapping is digitally tracked, certified by leadership, and export-ready for audit at any moment.
The reality behind NIS 2 and EU 2024-2690 is unmistakable: regulators no longer accept “one and done” PDF designations or annual org chart updates. Teams must demonstrate live fitness-to-operate, with digitally signed logs showing current CSIRT membership, scope, authority lines, and leadership sign-off. When your remit expands or contracts, when staff join or leave (even temporarily), or when obligations change sector, you need updated, timestamped records, linked to digital evidence and ready for regulatory inspection. This “living designation” model eliminates the loopholes of backdated updates and reactive gap-filling, shifting the burden from tick-box reporting to continuous assurance (ENISA, 2023). In practice, resilient teams move from audit anxiety to control, reducing the risk of late discoveries and reputation-damaging findings.
What differentiates a living CSIRT designation from the old approach?
- Continuous updates: Every appointment or sector change is timestamped and board-reviewed.
- Digital-first audit trails: Evidence (signed rosters, approval minutes, sector matrices) is accessible on demand, with no more batch-uploaded or backdated PDFs.
- Responsibilities under scrutiny: Independence, operational reach, and sector coverage are now tested at any point, not just at annual review.
Real-time designation means your CSIRT is always audit-ready, even when leadership or the threat landscape changes.
What digital evidence must a CSIRT now produce, and what triggers audit risk or remediation?
Your CSIRT must maintain a continuously exportable “evidence chain” covering appointment logs, board or leadership approvals, role changes, scope expansions, incident response escalations, and training or recertification cycles for at least three years.
Regulators are quick to escalate if any part of this chain is out-of-date (even by one staff member), lacks signatures, or can’t be digitally retrieved within 24 hours. Gone are the days when spreadsheets and backfilled files sufficed. Teams missing records, suffering from fragmented storage, or slow to evidence changes risk forced remediation, imposed external oversight, or escalating enforcement (Bundesamt für Sicherheit in der Informationstechnik, 2024). The gold standard: living, digitally audited chains, signed off at each link as change happens, not retrospectively.
Table: Digital Evidence Types, Retrieval Requirements & Regulatory Reactions
| Evidence Type | Retrieval Expectation | Failing This Triggers |
|---|---|---|
| Signed designation file | Immediate | Escalated audit review |
| Appointment/change log | 24h turn-around | Remediation event |
| Sector coverage matrix | Live, updatable | Sector risk reclassification |
| Escalation/incident logs | 3-year history | Post-incident investigation |
A living compliance culture turns audits into routine checkpoints, not panic-inducing fire drills.
How is CSIRT independence, 24/7 availability, and data confidentiality proven today?
Regulators now demand digital proof that your CSIRT operates independently, is truly available around the clock, and guards data confidentiality with measurable, logged controls, not just written procedures.
This means live org charts (digitally signed and up to date), privilege logs showing who can access what and when, shift rosters tied to real incident events, and board-reviewed escalation paths. Auditors increasingly require cross-referenced logs, such as linking on-call schedules to incident timelines, or tracking privilege escalation handoffs for temporary or external staff (NCC Group, 2023; FIRST, 2024). Gaps like a missing overnight duty roster or undated staff offboarding logs are now flagged as high-risk compliance violations.
Evidence regularly checked at audit:
- Digitally signed org/escalation charts (not just org charts)
- Live on-call schedules and incident logs, mapped for real-time testing
- Access/privilege change logs, with HR and IT separation
- Minutes from board or management reviews
- Logs from sector or third-party integration assessments (Control Risks, 2024)
What technical systems and logs enable provable, digital compliance under Article 10 and NIS 2?
SIEM platforms, threat intelligence feeds (like MISP), workflow management systems, and encrypted communication logs now work together to produce the living audit trail regulators expect.
Every CSIRT event (staff onboarding or departure, incident escalation or closure, sector scope expansion, or regulatory approval) must be logged in traceable, versioned form, mapped to specific ISO 27001 (2022) controls (see table), and immediately exportable to audit. Encryption controls are inspected not just for emails, but for event logs, evidence packs, and data handoffs (Tessian, 2024; Techtarget, 2024).
Table: Trigger → Log → Control → Audit Evidence
| Trigger | Log/Event | ISO 27001 Ref | Output |
|---|---|---|---|
| Onboarding | Privilege log | A.5.2, A.8.2 | HR export, role matrix |
| Major incident | SIEM/MISP + Workflow | A.5.24, A.8.15 | SIEM extract, timeline |
| Board approval | Signed export | A.5.4, A.5.35 | Minutes, sign-offs |
| Offboarding | Access revocation | A.5.18, A.5.11 | Checklist, audit file |
When evidence is a click away, compliance stress turns into leadership confidence.
What are the biggest compliance pitfalls for CSIRTs, and how do leaders avoid audit failure?
Most teams fail on CSIRT compliance for three reasons: static or stale logs, missing proof of independence, and evidence archives that can’t be rapidly updated or exported. ENISA’s own survey found that over 70% of interventions trace back to missing or outdated records for CSIRT membership, sector remit, or incident logging (ENISA Compliance Survey, 2023).
Leaders counter this by automating reminder cycles for updates, embedding digital sign-offs throughout operational workflows, and modularizing evidence for rapid export (never relying on “archive rot”). They prioritise peer review and cross-link logs so that sector, incident, and appointment evidence stays current and audit-ready. The result: less panic, fewer findings, and a demonstrable culture of continual, defensible compliance (Infopro Digital, 2024).
Regulatory resilience isn’t built on static forms. Living evidence is a leadership superpower.
How does ISMS.online enable always-on, audit-proof CSIRT resilience for teams facing Article 10 and NIS 2?
ISMS.online offers a modular, living platform where every CSIRT designation, recertification, board decision, sector mapping, and incident log is captured in real time, digitally signed, and ready for one-click audit export anytime.
By automating digital sign-offs, integrating live dashboards for skills and scope, and creating evidence packs directly linked to workflow events, ISMS.online transforms compliance from an annual panic into a seamless process. Leading teams using ISMS.online report up to 70% less admin time, with audits evolving from risk events to trust accelerators (ISMS.online Case Studies, 2024). Your next step: request a readiness review and see how living audit evidence becomes your strongest operational asset, and a visible signal of trust to customers and regulators alike.
ISO 27001 Operationalisation Bridge (CSIRT, Article 10)
| Expectation | Systemised Action | ISO 27001 (2022) Ref |
|---|---|---|
| Continuous designation status | Digital sign-off logs, HR linkage | A.5.4, A.5.35 |
| Board/leadership approval | Modular approval workflows, exports | A.5.24, A.5.36 |
| Sector coverage & changes | Live sector matrices, audit trails | A.5.2, A.5.18, A.8.2 |
Traceability Mini-table
| Trigger | Risk Update | Control/SoA Link | Evidence Logged |
|---|---|---|---|
| New CSIRT appointment | Access/role review | A.5.2, A.5.18 | Signed role change log |
| Scope/sector reclassification | Map/approve change | A.5.4, A.5.35 | Sector matrix snapshot |
| Incident escalation | Authority check | A.5.24, A.8.15 | SIEM/escalation export |
| Offboarding | Privilege revocation | A.5.11 | Checklist, recert log |








