The incident management team is typically activated during the Identification phase of the incident
response process. This phase involves detecting and determining the nature of the incident, which is
crucial before any containment, eradication, or recovery efforts can begin. The team’s activation at
this early stage ensures that the incident is properly identified and assessed, allowing for a more
effective response.
Reference = The ISACA resources outline the incident response process and emphasize the
importance of the Identification phase as the starting point for the incident management team’s
activities. This is supported by the incident response models and guidance provided by ISACA, which
detail the steps and phases involved in responding to security incidents12.
