Date: 6 July 2026
A cyber incident response plan outlines the steps an organisation should take to prepare for, identify, contain, eradicate, recover from, and learn from cybersecurity incidents. A well-structured plan defines responsibilities, communication procedures, escalation paths, reporting requirements, and recovery actions to minimise business disruption and improve cyber resilience.
Every organisation will experience cybersecurity incidents at some point. Whether it is ransomware, phishing, unauthorised access, insider threats or supply chain compromise, the speed and effectiveness of your response often determines the overall business impact.
Unfortunately, many organisations rely on undocumented processes or generic policies that provide little practical guidance during a real incident. When critical systems are unavailable and senior stakeholders require immediate updates, uncertainty can quickly become the biggest risk.
A well-designed cyber incident response plan provides a structured approach for handling security incidents. It ensures technical teams, business leaders, legal advisers and communications teams understand exactly what actions to take throughout the incident lifecycle.
This guide explains what an incident response plan includes, provides a practical cyber incident response plan example, outlines roles and responsibilities, explains incident escalation procedures and shares best practices for building an effective response capability.
What Is a Cyber Incident Response Plan?
A cyber incident response plan is a documented framework that explains how an organisation prepares for, detects, investigates, contains, eradicates and recovers from cybersecurity incidents.
Rather than making decisions under pressure, organisations establish predefined procedures that enable teams to respond consistently and efficiently.
An effective incident response plan typically covers:
- Incident detection processes
- Incident classification
- Severity ratings
- Escalation procedures
- Technical containment actions
- Internal communications
- External communications
- Regulatory reporting
- Evidence preservation
- Recovery activities
- Lessons learned
The plan should support both technical responders and business decision-makers, ensuring that operational recovery, legal obligations and stakeholder communications are coordinated throughout the incident.
Why Every Organisation Needs an Incident Response Plan
Cyber attacks continue to increase in sophistication and frequency. While preventive security controls remain essential, organisations must also assume that some attacks will eventually succeed.
An incident response plan helps organisations:
- Reduce downtime
- Limit financial losses
- Protect sensitive information
- Improve regulatory compliance
- Preserve forensic evidence
- Coordinate technical and executive teams
- Reduce reputational damage
- Restore business operations more quickly
Many cybersecurity regulations and standards—including NIST, ISO 27001, NIS2, DORA and numerous sector-specific frameworks—also expect organisations to maintain documented incident response procedures.
Key Components of an Incident Response Plan
Although every organisation has different requirements, most incident response plans contain the following core components.
1. Preparation
Preparation establishes the people, processes and technologies needed before an incident occurs.
Typical preparation activities include:
- Creating an Incident Response Team (IRT)
- Defining roles and responsibilities
- Maintaining contact lists
- Developing communication templates
- Deploying monitoring tools
- Maintaining offline backups
- Running cyber tabletop exercises
- Conducting incident response training
2. Identification
The identification phase determines whether unusual activity represents a genuine security incident.
Common sources include:
- SIEM alerts
- Endpoint Detection and Response (EDR)
- User reports
- Threat intelligence feeds
- Firewall logs
- Identity monitoring
- Cloud security alerts
Responders validate the incident, determine its scope and assign an appropriate severity level.
3. Containment
Containment prevents the incident from spreading further.
Examples include:
- Disconnecting infected devices
- Disabling compromised accounts
- Blocking malicious IP addresses
- Isolating servers
- Preventing lateral movement
- Restricting privileged access
Organisations often use both short-term containment to stop immediate damage and long-term containment while remediation activities continue.
4. Eradication
Once the threat is contained, teams remove the root cause.
This may involve:
- Removing malware
- Closing exploited vulnerabilities
- Resetting passwords
- Applying security patches
- Rebuilding affected systems
- Removing unauthorised accounts
The objective is to eliminate the attacker’s persistence mechanisms before systems return to production.
5. Recovery
Recovery restores normal business operations while carefully monitoring for signs of reinfection.
Activities commonly include:
- Restoring backups
- Reconnecting systems
- Validating business services
- Enhanced monitoring
- User acceptance testing
- Executive reporting
Recovery should be gradual, ensuring systems remain stable before returning to full production.
6. Lessons Learned
Every incident provides valuable opportunities to improve security.
Following recovery, organisations should conduct a formal post-incident review to identify:
- Root causes
- Control failures
- Response gaps
- Communication issues
- Technology improvements
- Policy updates
- Training requirements
These findings should be incorporated into future versions of the incident response plan.
Sample Cyber Incident Response Framework
The following example illustrates how many organisations structure their incident response lifecycle.
|
Phase |
Primary Objective |
Typical Activities |
|
Preparation |
Build readiness |
Policies, training, monitoring, backups |
|
Identification |
Detect incidents |
Alert review, investigation, validation |
|
Containment |
Limit damage |
Isolate systems, disable accounts |
|
Eradication |
Remove threat |
Malware removal, patching, credential resets |
|
Recovery |
Restore operations |
Restore services, monitor systems |
|
Lessons Learned |
Improve future response |
Root cause analysis, plan updates |
This framework closely aligns with recognised industry guidance such as the NIST Computer Security Incident Handling Guide and remains one of the most widely adopted approaches across both public and private sectors.
Example Cyber Incident Response Plan
Below is a simplified example showing how an organisation might respond to a ransomware attack.
|
Stage |
Example Actions |
|
Detection |
SOC receives EDR alert showing ransomware activity on finance server. |
|
Validation |
Security analyst confirms encrypted files and suspicious processes. |
|
Classification |
Incident classified as Critical (Severity 1). |
|
Escalation |
Incident Response Team, CISO, CIO and executive management notified. |
|
Containment |
Infected server isolated. Compromised accounts disabled. Firewall rules updated. |
|
Investigation |
Determine infection vector, affected systems and attacker activity. |
|
Eradication |
Malware removed. Vulnerabilities patched. Credentials reset. |
|
Recovery |
Systems restored from clean backups and monitored closely. |
|
Review |
Conduct lessons learned workshop and update response procedures. |
This example demonstrates the importance of following predefined procedures rather than making decisions reactively during a high-pressure incident.
Roles and Responsibilities
One of the biggest reasons incident response efforts fail is a lack of clearly defined ownership. During a cyber incident, multiple teams may be working simultaneously to investigate technical issues, restore business services, manage communications and comply with legal obligations. Without clearly assigned responsibilities, confusion can delay critical decisions and increase the impact of the incident.
Every cyber incident response plan should identify who is responsible for each stage of the response.
|
Role |
Primary Responsibilities |
|
Incident Response Manager |
Coordinates the overall response, manages priorities and ensures response activities remain aligned. |
|
Security Operations Centre (SOC) |
Monitors alerts, investigates suspicious activity and validates incidents. |
|
IT Operations Team |
Restores affected infrastructure, manages backups and supports system recovery. |
|
Digital Forensics Team |
Preserves evidence, identifies attack methods and supports investigations. |
|
Chief Information Security Officer (CISO) |
Provides strategic oversight, approves major decisions and updates executive leadership. |
|
Executive Leadership |
Makes business decisions, approves recovery priorities and manages organisational risk. |
|
Legal & Compliance |
Determines regulatory reporting obligations and advises on legal risks. |
|
Communications Team |
Manages internal communications, customer notifications and media statements. |
|
Human Resources |
Supports incidents involving employees or insider threats. |
|
Third-Party Suppliers |
Assist with cloud services, managed security services or specialist incident response where required. |
It is equally important to define deputies or backups for each role. Cyber incidents frequently occur outside normal business hours, so organisations should ensure that critical responsibilities can always be fulfilled.
Incident Severity Classification
Not every cybersecurity event requires the same level of response. A structured severity model helps organisations prioritise incidents, allocate resources appropriately and determine when escalation is necessary.
An example classification model is shown below.
|
Severity |
Description |
Example |
|
Severity 1 (Critical) |
Major business disruption or widespread compromise |
Enterprise ransomware attack, critical infrastructure outage, significant data breach |
|
Severity 2 (High) |
Significant impact affecting important services |
Multiple compromised user accounts, successful phishing campaign, cloud compromise |
|
Severity 3 (Medium) |
Limited impact requiring investigation |
Malware infection on a single endpoint, suspicious administrator activity |
|
Severity 4 (Low) |
Minor security event with little business impact |
Spam emails, isolated antivirus alerts, unsuccessful login attempts |
Defining severity levels allows organisations to establish consistent escalation criteria and avoid both overreacting to minor events and underestimating serious threats.
Incident Escalation Procedures
A well-designed escalation process ensures that the appropriate people are involved at the appropriate time. Escalation should be based on business impact rather than technical complexity alone.
Typical escalation triggers include:
Critical Incidents
Immediate executive escalation should occur when incidents involve:
- Ransomware affecting critical business systems
- Confirmed data breaches
- Active attacker presence
- Widespread operational disruption
- Safety-critical environments
- Regulatory reporting obligations
- Media attention
- National security implications
These incidents often require involvement from executive leadership, legal advisers, communications teams and external incident response specialists.
High Severity Incidents
Examples include:
- Privileged account compromise
- Business email compromise
- Cloud service compromise
- Malware affecting multiple systems
- Third-party supplier breaches
These incidents typically require senior security management and IT leadership involvement.
Medium Severity Incidents
Examples include:
- Malware isolated to one workstation
- Suspicious insider activity
- Failed phishing attempts requiring investigation
- Limited unauthorised access
These can usually be managed by the internal security team while remaining under observation.
Low Severity Incidents
Examples include:
- Spam emails
- Minor policy violations
- Routine vulnerability notifications
- False positive security alerts
These are generally handled through normal operational processes.
Communication During a Cyber Incident
Communication is often overlooked in incident response planning, yet poor communication can cause as much damage as the cyber attack itself. An incident response plan should clearly define:
Internal Communications
Identify:
- Who must be informed
- When updates should be provided
- Which communication channels should be used
- Alternative communication methods if corporate email becomes unavailable
Many organisations establish secure out-of-band communication channels before an incident occurs.
External Communications
The plan should also explain when and how communications should be made to:
- Customers
- Suppliers
- Business partners
- Regulators
- Law enforcement
- Cyber insurers
- Investors
- The media
Messages should be coordinated to ensure consistency and avoid speculation while investigations remain ongoing.
Regulatory Reporting Considerations
Many organisations now operate under regulations that require cyber incidents to be reported within strict timeframes. Depending on the jurisdiction, organisations may need to notify regulators following:
- Personal data breaches
- Critical infrastructure incidents
- Financial sector cyber events
- Essential service disruptions
- Significant operational outages
A good incident response plan includes predefined regulatory reporting procedures, identifies responsible individuals and documents reporting deadlines to help avoid non-compliance.
How to Create a Cyber Incident Response Plan
Developing an effective incident response plan requires more than downloading a generic template. It should reflect the organisation’s business processes, technology, regulatory obligations and risk profile.
The following steps provide a practical starting point.
Step 1 – Understand Your Business Risks
Identify the systems, applications and data that are most important to your organisation. Consider the threats most likely to affect them, such as ransomware, phishing, insider threats, cloud compromise or third-party attacks.
Step 2 – Build an Incident Response Team
Assign responsibilities across technical, operational and business functions. Ensure decision-makers, legal advisers, communications teams and executive sponsors understand their role before an incident occurs.
Step 3 – Define Response Procedures
Document the actions required during each phase of the incident lifecycle, including:
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-incident review
The procedures should be sufficiently detailed to guide responders while remaining flexible enough to adapt to different scenarios.
Step 4 – Create Communication Plans
Prepare contact lists, notification templates and escalation procedures. Consider how teams will communicate if normal collaboration tools become unavailable.
Step 5 – Test the Plan
A plan that has never been exercised cannot be assumed to work.
Run:
- Cyber tabletop exercises
- Technical simulations
- Executive crisis exercises
- Ransomware scenarios
- Third-party compromise exercises
Testing helps identify weaknesses before a real incident exposes them.
Step 6 – Continuously Improve
Cyber threats evolve rapidly. Your incident response plan should be reviewed after:
- Major cyber incidents
- Significant technology changes
- Organisational restructuring
- Regulatory updates
- Annual security reviews
- Incident response exercises
Continuous improvement is essential for maintaining an effective response capability.
Best Practices for Incident Response Planning
The most effective incident response plans share several common characteristics.
Treat the plan as a living document. Review and update it regularly to reflect new technologies, emerging threats and changing business priorities.
Keep procedures practical. Responders need concise, actionable guidance rather than lengthy policy documents during an incident.
Exercise the plan regularly. Tabletop exercises, simulations and technical testing help validate that procedures work under pressure.
Prepare executives as well as technical teams. Senior leaders often make the most important decisions during a cyber crisis, yet many organisations focus training only on technical responders.
Document lessons learned. Every incident and exercise should result in measurable improvements to the plan.
Integrate business continuity planning. Incident response should support wider organisational resilience, ensuring business recovery remains the primary objective.
Prepare for regulatory reporting. Modern cyber incidents frequently require notification to regulators, customers or other stakeholders within prescribed timeframes.
Consider third-party risk. Suppliers, cloud providers and managed service providers play an increasingly important role in incident response and should be included in planning and testing.
Conclusion
An effective cyber incident response plan is far more than a compliance document. It provides a structured framework for making informed decisions during some of the most challenging situations an organisation may face.
By defining responsibilities, establishing escalation procedures, documenting response activities and regularly testing the plan through realistic exercises, organisations can significantly reduce the operational, financial and reputational impact of cyber incidents.
Preparation remains one of the strongest defences against modern cyber threats. Organisations that invest in planning before an incident occurs are far better positioned to respond quickly, recover confidently and continuously strengthen their cyber resilience.
Strengthen Your Incident Response Capability
Having a documented plan is only the first step. It should be regularly reviewed, tested and updated to reflect evolving threats, organisational changes and new regulatory requirements.
Cyber Management Alliance helps organisations improve their cyber resilience through:
- Cyber Incident Response Plan development and review
- Incident Response Playbook creation
- Cyber Tabletop Exercises
- Ransomware Simulation Exercises
- Executive Cyber Crisis Training
- NCSC-Assured Cyber Incident Planning & Response (CIPR) Training
- Post-incident reviews and lessons learned workshops
Whether you are creating your first incident response plan or enhancing an existing capability, our experts can help ensure your organisation is prepared for real-world cyber incidents.
FAQs on Cyber Incident Response Plan Examples
1. Can you provide a cyber incident response plan example?
A cyber incident response plan example includes preparation, identification, containment, eradication, recovery and lessons learned. It also defines roles, escalation procedures, communication plans and regulatory reporting requirements.
2. What should be included in a cyber incident response plan?
A cyber incident response plan should include incident response objectives, team roles, incident classification, escalation procedures, communication plans, technical response processes, regulatory reporting requirements, recovery procedures and lessons learned.
3. What are the six phases of a cyber incident response plan?
The six phases are Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.
4. Who should be involved in an incident response team?
An incident response team typically includes cybersecurity professionals, IT operations, executive leadership, legal, compliance, communications, human resources and relevant business units.
5. How often should a cyber incident response plan be tested?
Most organisations should test their incident response plan at least annually, with more frequent tabletop exercises and simulations for high-risk or regulated environments.
6. What is the difference between an incident response plan and an incident response playbook?
An incident response plan provides the overall governance framework, while incident response playbooks contain detailed procedures for responding to specific cyber threats.
7. Why is incident response planning important for regulatory compliance?
Incident response planning helps organisations comply with standards and regulations such as ISO 27001, NIST, DORA and NIS2 by providing documented procedures for responding to cybersecurity incidents.
8. What are the biggest mistakes organisations make when creating an incident response plan?
Common mistakes include using generic templates, failing to define responsibilities, not testing the plan, overlooking communications and allowing the plan to become outdated.

