What makes a good Incident Response Plan?

It's all well and good having the latest security software, but do you know how to react when the inevitable occurs?

CyberScore's Head of Incident Response, Sachin Bhatt, talks us through what should be in a good incident response plan.

An incident response plan should be considered a critical document, and adequate resources should be invested in its production. Without a proper plan in place, an organisation risks being tripped up when an incident occurs, making an already stressful and challenging situation worse.

Incident response planning is vital to inform personnel of their roles during an incident. Chaos can quickly set in as pressure mounts and the organisation attempts to restore order. A proper plan will set out the methodology for coping with such situations without hindering agility. From the CEO to the marketing team, all areas of the business need to know their roles during a crisis.

Classify the severity of an incident

Not all incidents are severe, so your incident response plan needs to factor in the risk to your organisation and what this means for you. Risk appetite will vary depending on the type of incident, which is why your plan should be able to classify how severe an incident is in the context of your organisation. Think about confidentiality, integrity and availability (CIA) and which of these has the greatest impact on your organisation during an incident.


Effective communication

One of the most crucial things to consider during an incident is communication, both external and internal, and any plan needs to cover this. If the organisation isn't speaking with one voice and in the same language internally, this is when things start to go wrong. Poor external communication is likely to result in frustrated customers and a tarnished reputation, which ultimately could lead to a negative long-term financial impact and loss of trust.

Who does what?

When creating your incident response plan, you need to take into account key members of staff. In the event of an incident, you need to consider how the board should react and how the HR department will manage a full-blown crisis. Do you need to implement 24/7 working while the crisis is ongoing? What resources are available to the incident response team, and is that level of resourcing necessary?

Seeking external support earlier rather than later is vital if you need to bring in knowledge to help understand the incident. Doing this later in the investigation risks vital information about the incident being lost if digital evidence isn't correctly preserved. A good plan will contain information about already established links and agreements – in short, make a list of the contacts you will call during a disaster.

Careful thought needs to be put into the lifecycle of an incident and how information will flow through to the relevant people. There needs to be a mapping that is understandable to your organisation and has a conclusion stage, which might end in one of many ways.


Remediation and mitigation activities will form a crucial part of an incident response plan. These could come in the form of a separate document, but there should be a way of drawing conclusions from an incident investigation and a method of implementing actions to mitigate the incident and return the organisation to normality.

Incident response plans can never be perfect and can always be improved upon. However, this can only occur if lessons are learnt and fed back into the planning. Whilst everyone may have been firefighting during an incident, there should also be a record kept of what is taking place, what key decisions were made and what actions were implemented. This allows you to take a closer look at what happened after the dust settles and consider what improvements can be made for the future.

You also need to consider whether the incident response plan is easily accessible and whether people in the organisation are aware of it. Printed copies of the plan should be accessible, as you may not have access to electronic copies during an incident. More than one person needs to know what the plan contains and how to execute it. What happens if the sole bearer of that knowledge is away that day or otherwise unavailable?

The main thing, however, is that cybersecurity and incident response are not just an issue for the technical people in an organisation but something the entire organisation should be aware of and understand.

For further reading visit –



