What is the primary purpose of the Follow-Up phase in incident response?

• A. Follow-Up confirms backups are intact.
• B. Follow-Up audits user access logs for compliance.
• C. Follow-Up is used to verify the incident has been mitigated, the adversary has been removed, and additional countermeasures have been implemented correctly.
• D. Follow-Up restores systems to full service immediately.

Answer: (C)

The Follow-Up phase focuses on verifying that the incident is truly resolved and that defenses are reinforced. It ensures the mitigation actually worked, the adversary has no remaining footholds, and the new countermeasures are deployed correctly. This involves validating system integrity after containment and eradication, confirming there’s no persistence, and updating defenses and documentation to prevent recurrence. It’s also the time to capture lessons learned and update incident response playbooks for future incidents.

Backups and restoration timing are part of recovery activities, not the core purpose of Follow-Up, and auditing user access logs serves governance/compliance or verification work that can occur in other phases.