# Gate 07 — Incident response

**State at `v1.1.0`: 🟡 FAIL** until a quarterly tabletop drill is scheduled and recorded.

## Required items

| Item                                                  | Required | State                                |
| ----------------------------------------------------- | -------- | ------------------------------------ |
| `SECURITY.md` with disclosure address + SLAs          | yes      | ✅ PASS                               |
| Post-mortem template referenced from `DEV_PROCESS.md` | yes      | ✅ PASS                               |
| Rotation log protocol                                 | yes      | ✅ PASS — see `SECRETS_AUDIT_*.md`    |
| Incident-response drill cadence defined               | no       | 🟡 **FAIL** — no scheduled drill yet |

## Closing plan

1. Add a recurring calendar item: Q1 / Q2 / Q3 / Q4 tabletop, 90 min.
2. Drill scenario rotates: secret leak / supply-chain compromise / data exfil / outage.
3. Each drill produces a `postmortems/YYYY-MM-DD-drill-<topic>.md` even when no real incident occurred.
4. After two consecutive drills are recorded, this gate flips ✅.
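A check that decides this gate from the `postmortems/` listing, following the closing plan above. It is an added example, not the project's own tooling; the topic slugs and the directory listing passed in are assumptions.

```python
import re
from datetime import date

# Drill post-mortems follow postmortems/YYYY-MM-DD-drill-<topic>.md (from the closing plan).
DRILL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-drill-([a-z0-9-]+)\.md$")
# Assumed slugs for the four rotating scenarios.
TOPICS = {"secret-leak", "supply-chain", "data-exfil", "outage"}


def parse_drills(filenames):
    """Return sorted [(date, topic)] for files that follow the drill naming scheme."""
    drills = []
    for name in filenames:
        m = DRILL_RE.match(name)
        if not m:
            continue  # real-incident post-mortems and other files do not count as drills
        y, mo, d, topic = m.groups()
        if topic not in TOPICS:
            raise ValueError(f"unknown drill topic in {name}")
        drills.append((date(int(y), int(mo), int(d)), topic))
    return sorted(drills)


def quarter(d):
    """Quarter as a single integer so consecutive quarters differ by exactly 1."""
    return d.year * 4 + (d.month - 1) // 3


def gate_state(filenames, today):
    """'PASS' when the two latest drills sit in consecutive quarters, rotate the
    scenario, and the latest one is no older than last quarter; else 'FAIL: <reason>'."""
    drills = parse_drills(filenames)
    if len(drills) < 2:
        return "FAIL: fewer than two drills recorded"
    (d1, t1), (d2, t2) = drills[-2], drills[-1]
    if quarter(d2) != quarter(d1) + 1:
        return "FAIL: last two drills are not in consecutive quarters"
    if t1 == t2:
        return "FAIL: scenario did not rotate"
    if quarter(today) - quarter(d2) > 1:
        return "FAIL: latest drill is stale"
    return "PASS"


if __name__ == "__main__":
    # Constructed listing: two quarterly drills plus a real-incident post-mortem.
    listing = ["2025-01-15-drill-secret-leak.md", "2025-03-02-credential-rotation.md",
               "2025-04-10-drill-supply-chain.md"]
    print(gate_state(listing, date(2025, 7, 1)))  # PASS
```

The stale check keeps the gate from staying green on two old drills: once a quarter is skipped, the state drops back to FAIL until the cadence resumes.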

## Live IR contract

See [Operations / Incident response](/operations/incident-response.md) for the full runbook. Summary:

| Step        | Action                                                | Time budget          |
| ----------- | ----------------------------------------------------- | -------------------- |
| Detect      | Alert / scan / report                                 | t=0                  |
| Declare     | Owner sets severity (P0/P1/P2)                        | < 15 min             |
| Mitigate    | Stop the bleeding (rollback, flag-off, network block) | < 1 h for P0         |
| Resolve     | Patch through normal PR + CI                          | per Vuln Response §7 |
| Communicate | Status every 30 min (P0), 4 h (P1)                    | continuous           |
| Post-mortem | Blameless 4-question format                           | 5 business days (P0/P1) |

## Why it matters

A bank that adopts Edge takes on operational risk. If it cannot see how you respond to an incident, it cannot insure that risk. Drilling is the proof that the process works under pressure.

## Compliance mapping

* ISO 27001 Annex A.5.24 (Incident planning).
* ISO 27001 Annex A.5.25 (Decision on events).
* ISO 27001 Annex A.5.26 (Response).
* ISO 27001 Annex A.5.27 (Learning).
* DORA Art 17 (ICT-related incident management).
* DORA Art 19 (Major ICT-related incident reporting).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.edge.nyami.fr/banking-readiness/gate-07-incident-response.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
