What to include in your Incident Response Plan

Criminals act fast and encourage panic to achieve their objectives. An incident response plan will keep you organised and in control during a pressure situation.

Timely decision making is essential during a cyber attack. Similarly to fire drills, you should prepare for the worst-case scenario; review and practice the plan to identify gaps and be confident that it will be fit for purpose.

Here is a brief summary of what to include in your incident response plan:


Assess the type and severity of the attack; where does it classify on a “critical” to “low risk” register? Find out the top threats to your business and envisage how the attack will play out from identifying the attack to recovery. The threat will be less daunting if you understand what you are up against and sound preparation potentially reduces the impact.

Contact List

Identify key contacts for during and after the incident e.g. tech support, PR, web developer, insurance, ICO, Action Fraud. Then create an incident response team and assign roles; these contacts need to be prominent in the plan so everyone knows exactly who to notify and, importantly, when. Make a back-up plan with alternative contact details – an attack might make email and/or phones unusable. DO NOT make a single individual critical to the plan – sods law she will be on leave when the attack comes!

Who to notify

Set the levels for when to escalate the incident. Know at what point you will inform senior management, ICO, etc and anyone impacted (such as customers, staff, and supply chain). Remember, you have 72 hours to report a data breach to the ICO and recognising the severity of threat will determine who to update and when.

Know your assets

Knowing in advance where important information and tools are stored (such as logs, asset register, map of the network) will greatly reduce your response time.

Legal obligations

Predetermine when you would consider collecting evidence and how best to do so e.g. notes, reports, observations, data capture. Some scenarios require you to document and report the incident to authoritative bodies; you may want to pursue legal action.


Ask yourself the following questions: Can your team respond 24/7/365? How would you communicate efficiently if the usual platforms are unavailable? Which parts of the business are you willing to close down to contain an attack? Have your playbook ready and be prepared to justify those decisions. There is no “one plan fits all” scenario but being aware of your options in advance will help you and your team to make informed decisions under pressure.


To avert unauthorised leaks your staff need to be advised of the incident and their responsibilities. It is vital that the whole business understands when and why action is to be taken, remember to summarise these actions in your plan.

The Incident Response Process

1. Analyse

Recognise what you are up against to plan your approach effectively, with the help of your incident response plan. Continue to examine the attack, you may need to re-evaluate your tactics.