Best guide to creating an incident response plan.

Best guide to creating an incident response plan.

What is incident response?

Incident response (IR) is the process by which Computer Security Incident Response Teams (CSIRT) help organizations to identify, stop and recover from any data breach as quickly as possible.

What is an incident response plan?

An incident response plan is a document that guideline organizations about responding effectively to disasters, cyber-attack, or security breaches, helping to mitigate incident-related expenses and reduce the likelihood that they will happen again in the future.

Components of incident response plan

An incident response plan typically includes:

  1. Introduction
  2. Incident Identification and First Response
  3. Resources
  4. Roles and Responsibilities
  5. Detection and Analysis
  6. Containment, Eradication, and Recovery
  7. Incident Communications
  8. Appendices


The current section should outline the goals, scope, and guiding principles, highlighting the plan’s purpose. Also, the introduction should include what your plan intends to do and what its limitations are.

Incident Identification and First Response

This section details how the CSIRT recognizes and determines if the plan should activating. Also, particularly in the COVID-19 stage, it is advisable to define in advance who can invoke the plan, how to communicate, and where to meet.


Incident responders will detail what resources are available to support the team’s efforts, including personnel and equipment. Often they have a kit ready in an incident with contact cards, chargers, spare cables, notepads, etc.

Roles and Responsibilities

It’s crucial to define the roles and responsibilities of the incident response team members, including support contacts or secondary if any member is unavailable.

Detection and Analysis

Here, the team documents how an incident is defined and detected, depending greatly on the type and scope of an attack. Sometimes the CSIRT uses templates, web examples or seeks professional assistance to get real-life insights. These ideas will help generate the playbooks that will form the essence of this section of your plan.

Containment, Eradication, and Recovery

Frequently, this portion of the plan is the most technical of the document. The section outlines the strategies for limiting the incident scope and procedures for eradicating and recovering all affected systems. –In the coming section of the article “How to create an incident response plan,” you will have specific information about Containment, Eradication, and Recovery.

Incident Communications

The communication protocols are effective during the notification incident procedure to stakeholders, customers, and other organizations. Here, the team details all notifications and covers the involvement of internal personnel, cybersecurity consultants, and all providers, even managed service providers, law enforcement, privacy regulators, and analytics forensics specialists. Remind that all the involucred have to be previously identified to avoid improvisations.


Depending on the scope and size of your plan, you may choose to include reference materials as appendices to the incident response plan. Some are physical and logical network infrastructure diagrams, web and cloud service connections, backup schedules, etc. Also, documentation of security solutions at sensitive points such as firewalls, IDS/IPS that provide resistance to attack, logs of incidents, etc. Information about phones and emails of all contacts, providers, and partners has to be notified. Therefore, in this section, you will attach all the additional documentation to complement the plan. Many organizations still resort to maintaining a paper copy of the plan and resources if systems are unavailable.

How to create an incident response plan?

The first thing that an incident response plan needs to define is the company’s strategy on how to deal with the incidents. It should list out all needed resources for cyber security, people responsible, and their contacts.

The incident response phases are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

Keep reading to look at each phase in more depth.

incident response plan
Incident Response Life Cycle Steps.


The incident response preparation phase is key to a successful response. In this scenario, organizations need to define the computer incident response team (CIRT), their roles, responsibilities, and who require to notify. Also, it is the right time to choose the possible sophisticated hardware and software resources. In turn, organizations use the preparation phase to ensure the team’s training according to their responsibilities in a data breach. In effect, when CIRT triages an incident, they must know how to prioritize it and when to escalate it.

One excellent way to evaluate the team’s knowledge is by performing incident response drills. Remind that to higher preparation, less probability to make critical mistakes.


When an incident happens, the CSIRT has to identify its size and scope to remove it successfully. Indicators of compromise (IOCs) are a vital component of cybersecurity that supports the likelihood of a particular event or incident. They allow to computer security incident response team to quickly identify incidents in organizations and respond to potential threats. Also, many organizations adopt an IOC-based approach to cyber threat hunting. However, the IOC process is not always straightforward and requires proper knowledge and tools to do it effectively.


The incident containment phase is the process of controlling the scope and severity of cyber-attacks. A containment strategy may include shutting down vulnerable services, locking down system access, and isolating affected devices from the network. Also, securing sensitive data by moving it offline or encrypting it. Even the team can require a deep-dive analysis and need long-term containment to conduct hard disk forensics. This analysis may generate further IOC’s and the identification phase may need to be revisited.


Once the incident is successfully contained, then the eradication phase of the threat can start. Here it is where the experts identify what caused the security breach and how to remove it. Usually, patching devices, disarming malware, disabling compromised accounts, and applying updates are the usual actions to eradicate threats.


The Recovery phase includes all the actions required to bring back the computing services of an organization following a disruption. Here is where the team starts rebuilding affected devices and restoring data from clean backups saved previously. Also, it’s crucial to make new configurations and ensure that there are no more threats by monitoring compromised devices.

Lessons Learned

Once the threat is resolved, it’s time to analyze all incident response planning and improve them systematically. The team should make a Post Incident Review (PIR) meeting, documenting and updating the playbooks to improve the response. Adding, what went well, and where there were some gaps to help prevent similar incidents from occurring in the future or common cyber-attacks.

Importance of incident response plan

Incident response plans are essential because of collect a set of procedures that help organizations overcome data breaches. Usually, the planning is designed to address any incidents resulting in data loss, theft, disclosure, modification, denial of service, physical destruction, or misuse. Also, it helps organizations protect their customers and other stakeholders by minimizing the impact or severity of breaches. It’s recommended that organizations apply information security incident response policies and best practices to protect state systems and data.

Share this post