Writing an Effective Incident Response Plan

In cyber security today, an incident response plan (IRP) is the foundation of your organisation’s defence. It works to mitigate potential damage or loss and provides a method to recover swiftly, and it also aims to safeguard the integrity, confidentiality, and availability of the information that might be affected.

But what do you need to know to ensure your incident response plan contains the required information? This article covers the key points and best practices for putting one together and tailoring it to the needs of your business in an increasingly hostile cyber security environment.

Why is an Incident Response Plan Important to My Organisation?

Simply put, an IRP is a documented set of steps for detecting, responding to, and recovering from cyber security incidents, and it’s designed to cover the following goals:

  1. Minimise Damage
  2. Quick Recovery
  3. Prevent Future Incidents
  4. Meet Compliance

Now that we know the goals, let’s cover the elements that any incident response plan needs to include. For each segment, there will be some questions to help get your thoughts going. As you read through this, why not write them down? By the end, you will likely have the makings of an IR plan without too much effort!


1) Establish an Incident Response Team:

  • Gather a team of skilled individuals from various departments within your organisation, including non-IT related departments like Legal, Marketing, Management, and Human Resources.
  • Questions:
    • Do you have a list of all the individuals and how to contact them?
    • What about an organisational chart?

2) Define Roles and Responsibilities:

  • Clearly outline who is responsible for making decisions during an incident.
  • Questions:
    • Who is allowed to inform the staff of an incident?
    • Who is allowed to talk to the media?
    • If the CEO isn’t available, who do individuals in the organisation turn to next?

3) Inventory of Assets:

  • Generate a complete list of all hardware, software, and data in your organisation.
  • Questions:
    • Where are the crown jewels of your organisation stored?
    • Is the software running your finance department up to date?
    • Who do you need to ask to get this information together?


1) Monitoring and Detection Systems:

  • Implement a SIEM (Security Information and Event Management) solution and MDR (Managed Detection and Response).
  • Questions:
    • What tools do we have in place that will detect potential threats?
    • Who manages these tools?
    • Who is our SME (Subject Matter Expert) in the organisation?

2) Incident Classification:

  • Develop a classification system to prioritise incidents based on their severity and impact.
  • Questions:
    • How impactful is a ransomware attack compared to a business email compromise?
    • Should there be separate approaches to both? (Cheat answer: yes!)


1) Immediate Actions:

  • Define steps to contain the cyber incident and prevent further damage.
  • Questions:
    • Can and should we isolate our systems?
    • Can we block malicious IP addresses?
    • Should we disable compromised accounts?
    • Do we need to call in external help?

2) Short-term and Long-term Containment:

  • Plan for immediate and long-term containment measures to ensure the threat is fully eradicated.
  • Questions:
    • How quickly should we aim to get the database clean and back online?
    • Can we stop workstations from accessing the internet for more than a day?


1) Root Cause Analysis:

  • Determine the root cause of the problem and eliminate it.
  • Questions:
    • How did this malware get on the machine?
    • How should we handle the evidence we find?

2) System Clean-Up:

  • Remove malware, patch vulnerabilities, and implement security measures to prevent recurrence.
  • Questions:
    • What is the procedure for removing the malware?
    • What is our patching process?
    • If we segment the network, will this occur again?


1) System Restoration:

  • Restore affected systems and data from backups.
  • Questions:
    • Who manages our backups?
    • Do we test our backups?
    • When was the last backup taken?

2) Validation:

  • Conduct thorough testing to ensure systems are secure and operational before reopening them.
  • Questions:
    • Who is responsible for testing?
    • What do we do if we find more issues?
    • Is everyone in agreement that we can put the systems back online?

3) Monitoring:

  • Monitor restored systems closely for any signs of lingering threats.
  • Questions:
    • Who is responsible for monitoring each system?
    • What should we be looking for?
    • What do we do if we find something?

Lessons Learned

Once an incident is over, review it and consider which elements of the incident response plan were weak and which were strong. Document your findings, review all actions taken, and update your incident response plan based on the lessons learned from the incident.

By following these guidelines and continuously improving your incident response plan, you can ensure your organisation is well-prepared to handle any cyber security incidents that come your way.


Written by: Marc Thomas