What Is a Cyber Incident Response Plan?

An incident response plan is the business’ “go to” document that details the specific actions and procedures it needs to implement to appropriately minimise and manage a cyber security breach, event, incident, or anomaly. In short, it’s the defensive playbook to ensure your business stays in the game.

The plan is a crucial component of your organisation’s information security risk management, business continuity and disaster recovery controls required to counter the current cyber security threat landscape. It’s a “must have” to ensure the business’ cyber security resiliency.

Risk Crew’s customised incident response plans are based on industry-recognised best practices and comprised of 6 individual components.



Risk Crew’s 6-Step Process Will
Build and Deploy an Effective Incident Response Plan
for Your Business

A Risk Crew customised incident response plan generated for your organisation would typically include the following elements:

Summary of the ISMS

  • A good incident response plan begins by providing a summary overview of the information security management system (ISMS) — that the business has put in place to ensure data protection and identify, minimise, and manage the risk of a security breach.

Risk Appetite Assessment

  • The plan should cite the business’ risk appetite, tolerance, and capacity for a breach and reference all applicable policies, procedures and controls implemented to ensure the risk strategy is executed. The preparation component of the plan should align documented policies with security goals and technological controls.

Incident Response Team Roles

  • The plan should identify the incident response team (or applicable stakeholders) documenting their specific roles and responsibilities in implementing the plan.

Awareness Training Confirmation

  • It should also confirm that all staff have received appropriate cyber security awareness training regarding current threats and what they look like and that they understand the definition of a security incident and the specific procedures for reporting one if identified.

Incident Classification Scheme

  • The second component of an effective incident response plan should identify the definitions of a security event, incident anomaly and breach.
  • The plan should include an incident classification scheme to define and establish categories for incidents according to their severity and potential impact on business operations. These categories should correspond with parameters established in business impact assessments conducted for established business continuity plan(s).

SIEM Description

  • The plan should also describe the security incident and event management (SIEM) systems used to identify and manage security issues identified in the systems. SIEM capability to identify the exact source, location, extent and impact on systems should be defined and documented specifying assumptions and known limitations of capabilities. 
  • In the absence of SIEM capability, the plan should detail the specific procedures used by the business to identify a potential intrusion – specifying the known strengths and weaknesses in coverage and any dependencies that would limit, prohibit, or negatively impact  immediate notification.

Instructions for Containment

  • The third component of a good incident response plan provides specific instructions for containing the security incident as quickly as possible to limit the potential damage.
  • Depending on the nature of the incident, this could mean taking actions to compartmentalise, isolate or completely remove the threat actor from your systems.

Factors to Consider

  • The plan should address the factors to be considered when deciding if systems should be taken offline, isolated or disconnected and whether there are immediate steps to take to close down additional vulnerabilities which may allow the incident to escalate.

Identify Root Causes

  • Upon achieving containment, the next steps are to remediate the problem and identify its “root cause” to ensure it does not reoccur.
  • If the incident is a malware infection, for example, you would first isolate the affected components of your systems to preclude further infection, remove the malicious software, and then identify the user credentials compromised to allow the infection.

Recover, Remediate and Team Member Review

  • Once the incident is eradicated, the plan should address the steps required to recover systems affected to “business as usual” operations. Without a proper recovery process, system may remain vulnerable to similar attacks, compounding the damage.
  • The recovery component of the plan should require testing and monitoring of the affected systems following the incident to ensure the situation has been rectified. This ensures that the remedial measures implemented work as intended and provides the opportunity to correct any mistakes.

Post-Incident Review

  • The final component of a good cyber incident response plan requires team members to thoroughly review the event from start to finish to identify the strengths and weaknesses of the response, procedures, resources and tools to ensure the plan’s optimal return.
  • The review should address every step of the process, assessing what happened, why it happened, who addressed it, what was done to contain and rectify the situation and what could have been done differently while its fresh in everyone’s mind.

What’s Included in the Service?

Risk Crew will deliver a comprehensive plan detailing the step-by-step procedures required for the organisation to appropriately address a cyber incident. The service will also include the following stand-alone deliverables:


Robust Incident Response Plan

A comprehensive plan detailing the step-by-step procedures required for the organisation to appropriately address a cyber incident.


Stakeholder Workshop

Your dedicated consultant will deliver a workshop with your stakeholders to explain the plan and what’s required to effectively implement it.


Dedicated Support

On-call advice and assistance for up to 30 days following the workshop to answer any questions that may arise from implementing the plan.

We Don’t Sell Products, We Sell Results.

Risk Crew’s service provides a strategy and step-by-step guidance to ensure that your business can quickly respond to a cyber-attack and significantly minimise the risk of a breach.
In cyber security risk management – there is no bigger benefit than that.

✓ Cyber Attack Readiness

We work with your business’ stakeholders to confirm existing cyber security risk management goals and objectives and verify current security controls and capabilities to produce a customised, step-by-step process.

✓ Rapid Responsiveness

We will provide a clear, concise, and effective plan to expedite your response time to cyber-attacks minimising the impact on your business.

✓ Recovery & Remediation Efficiency

The plan will prioritise data recovery to ensure your business can quickly and effectively recover from a cyber security problem.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Respond Quicker & Come Out Stronger

Contact a Crew member to learn how we can bespoke your incident response plan – to create a best-fit recovery solution that delivers a return on investment.

You can also call us at +44 (0) 02 3653 1234.


Clients Come to Us for Expertise & Stay for Exceptional Service

Risk Crew’s Bespoke Incident Response Management

Risk Crew Information Risk Management consultants possess over 30 years of hands-on skills and experience in designing, drafting and implementing effective incident response plans. It’s what we do.

Additionally, our experts possess a wealth of knowledge in creating cost-effective information security management systems (ISMS), enabling quantifiable compliance to established information security legislation, regulation and best commercial practices such as the Payment Card Industry (PCI), Data Security Standards (DSS), the UK Data Protection Act 2018 (DPA 2018), General Data Protection Regulation (GDPR) and ISO/IEC 27001.



When you choose Risk Crew, you’re electing to work with qualified experts.