An incident response plan defines what your organization does when — not if — a security incident occurs. Organizations that have a plan before an incident happens respond faster, contain damage more effectively, and recover more quickly than organizations that are improvising under pressure. More practically: during an active incident, your email may be inaccessible, your leadership team may be in crisis mode, and your IT systems may be offline. A plan on paper — literally, in print, available without access to digital systems — is not optional; it is the prerequisite for any organized response.
What an Incident Response Plan Needs to Contain
A functional incident response plan requires these components:
Incident classification criteria — How does your organization define a security incident? Not every suspicious activity requires the same level of response. A classification framework helps your team determine quickly whether a situation is a potential incident (requires investigation) or a confirmed incident (requires immediate response action), and what severity level applies.
Response team roster and contact list — Who is responsible for incident response? Include names, titles, primary and backup phone numbers, and escalation sequence. This list must be maintained and updated when people change roles, and each team member should hold a copy outside the corporate email and directory systems (printed, and on a personal phone), since those systems may be unavailable or untrusted during the incident. A contact list with outdated phone numbers for former employees is not a response resource.
Notification procedures — Who is notified when, and by what means? Internal notifications (who within the organization is alerted, in what order, by what method if email is unavailable). External notifications (your cyber insurance carrier, your IT provider or MSP, your legal counsel, and as applicable: law enforcement, regulators, and affected individuals).
Step-by-step response procedures by incident type — Generic incident response steps are useful; specific procedures for your most likely incident types are more useful. The four incident types worth having specific procedures for:
- *Ransomware* — Isolation steps for affected systems, backup assessment (are backups intact, offline, and restorable?), recovery sequencing, ransom decision framework
- *Business email compromise / phishing account takeover* — Password reset and revocation of existing sessions and tokens (a reset alone does not end an attacker's current session), MFA re-enrollment, inbox rule and forwarding review, downstream notification of anyone the mailbox was used to contact
- *Data breach / unauthorized data access* — Evidence preservation, scope assessment, breach notification obligation assessment
- *Insider threat / unauthorized employee activity* — HR and legal coordination, evidence preservation, access revocation sequence
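The inbox rule review in the business email compromise procedure is looking for a small number of recurring attacker patterns: auto-forwarding to an address outside the organization, rules that hide mail about payments or credentials from the mailbox owner, and rules with blank or single-character names. The following is an added example of that review logic; it is not part of the SecureNext template or any mail platform's tooling. The rule records, the organizational domain example.com, and the external address are constructed for illustration, in a simplified shape rather than any vendor's export format, so the rule export from your own platform has to be mapped onto these fields first.

```python
"""Inbox-rule review for a suspected business email compromise.

Added example, not SecureNext code. Rule records are constructed in a
simplified shape; map your mail platform's rule export onto these fields.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"  # assumed organizational domain

# Subjects an attacker typically hides from the mailbox owner while a
# fraudulent payment or a password reset is in progress.
SENSITIVE_SUBJECT_TERMS = ("invoice", "payment", "wire", "remit", "password",
                           "security", "helpdesk", "mfa", "verification")

# Folders commonly used to park hidden mail where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    reasons: list = field(default_factory=list)


def is_external(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True if the address is outside the organization's domain."""
    return "@" in address and not address.lower().endswith("@" + org_domain.lower())


def review_rules(rules, org_domain: str = ORG_DOMAIN):
    """Return a Finding for every rule that matches a known BEC pattern."""
    findings = []
    for rule in rules:
        reasons = []
        name = rule.get("name", "")

        # 1. Auto-forward / redirect to an address outside the organization.
        external = [t for t in rule.get("forward_to", []) if is_external(t, org_domain)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))

        # 2. Hides mail about money or credentials: mark as read, delete, or
        #    move to a folder the owner never opens, keyed on sensitive terms.
        hides = (rule.get("delete") or rule.get("mark_read")
                 or rule.get("move_to", "").lower() in HIDING_FOLDERS)
        sensitive = [t for t in rule.get("subject_contains", [])
                     if any(term in t.lower() for term in SENSITIVE_SUBJECT_TERMS)]
        if hides and sensitive:
            reasons.append("hides messages whose subject contains: " + ", ".join(sensitive))

        # 3. Rules named "." or "..", or left blank, are a classic attacker tell.
        if name.strip(". ") == "":
            reasons.append("rule name is blank or only punctuation")

        if reasons:
            findings.append(Finding(rule["mailbox"], name, reasons))
    return findings


# Constructed sample export: one compromised executive mailbox, one clean mailbox.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".",
     "subject_contains": ["invoice", "wire transfer"],
     "forward_to": [], "move_to": "RSS Feeds", "mark_read": True, "delete": False},
    {"mailbox": "cfo@example.com", "name": "Vendor fwd",
     "subject_contains": [], "forward_to": ["c.f.o.backup@webmail-attacker.example"],
     "move_to": "", "mark_read": False, "delete": False},
    {"mailbox": "hr@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"],
     "forward_to": [], "move_to": "Newsletters", "mark_read": True, "delete": False},
]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule_name!r}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample, the two rules in the cfo mailbox are flagged (one for hiding invoice and wire-transfer mail in the RSS Feeds folder under a "." name, one for forwarding externally) and the hr newsletter rule is not. Review findings by hand before acting on them: a legitimate forwarding rule to a personal address is a policy problem rather than a compromise, and removing an attacker's rule before the mailbox session has been revoked only tells the attacker they have been noticed.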
Evidence preservation guidelines — What to do and what not to do to preserve forensic evidence. The most common evidence-destroying mistakes: powering off infected systems (volatile memory, running processes, and active network connections are lost), wiping and reinstalling before capturing forensic images, and deleting or rotating log files. Isolate a suspected system from the network instead (unplug the cable, disable Wi-Fi, or use the EDR platform's isolation feature) so that memory can still be captured. The plan should include a "do not" list.
Documentation requirements — What needs to be documented during and after the incident. Timestamps are critical: when the incident was discovered, when each response action was taken, by whom. Record times in a single time zone (UTC is the safest choice, since logs from different systems will be merged later), and record a hash of every evidence artifact at the moment it is collected so its integrity can be shown afterward. This documentation feeds breach notification obligations, insurance claims, and post-incident reviews.
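The evidence preservation and documentation requirements above come down to a timeline with unambiguous timestamps and a hash of each artifact taken at intake. The following is an added example of such a log; it is not part of the SecureNext template. The incident id IR-0001, the host WS-042, the actor name and the "memory capture" file written to a temporary directory are all constructed for illustration.

```python
"""Incident timeline and evidence intake log.

Added example, not SecureNext code. The incident id, host names and actor
names are assumed; the 'memory capture' written to a temp dir is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream-hash a file so large forensic images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentLog:
    """Append-only, UTC-timestamped record of who did what, and when."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor: str, action: str, **details) -> dict:
        # UTC avoids the time-zone ambiguity that makes a timeline useless
        # when logs from several systems and people are merged later.
        entry = {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "actor": actor, "action": action, **details}
        self.entries.append(entry)
        return entry

    def intake_evidence(self, actor: str, path: str, description: str) -> dict:
        """Hash an artifact at intake so later tampering or corruption is detectable."""
        return self.record(actor, "evidence_intake",
                           artifact=os.path.basename(path),
                           size=os.path.getsize(path),
                           sha256=sha256_file(path),
                           description=description)

    def verify_evidence(self, path: str) -> bool:
        """True only if the artifact was logged at intake and still hashes the same."""
        name = os.path.basename(path)
        intakes = [e for e in self.entries
                   if e["action"] == "evidence_intake" and e["artifact"] == name]
        if not intakes:
            return False  # never taken in: no custody chain exists for it
        current = sha256_file(path)
        return all(e["sha256"] == current for e in intakes)

    def to_json(self) -> str:
        return json.dumps({"incident": self.incident_id, "entries": self.entries}, indent=2)


def demo():
    """Walk through discovery, isolation, intake, and a later integrity check."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "WS-042-memory.raw")
    with open(image, "wb") as f:
        f.write(b"constructed memory capture, not real data\n" * 2048)

    log = IncidentLog("IR-0001")  # assumed incident id
    log.record("analyst-1", "incident_discovered", source="EDR alert on WS-042")
    log.record("analyst-1", "host_isolated", host="WS-042",
               method="network isolation via EDR; host left powered on")
    log.intake_evidence("analyst-1", image, "memory capture of WS-042 before remediation")
    intact = log.verify_evidence(image)

    with open(image, "ab") as f:      # simulate later modification of the image
        f.write(b"x")
    after_change = log.verify_evidence(image)
    return intact, after_change, log


if __name__ == "__main__":
    intact, after_change, log = demo()
    print(log.to_json())
    print("intact at intake:", intact, "| intact after change:", after_change)
```

The log itself should be written somewhere the incident cannot reach, such as a separate system or a printed copy updated by hand, because a log stored on the compromised network is evidence the attacker can alter. The verification step is what gives the intake hash its value: an image whose hash no longer matches the intake record is still useful for investigation but is weaker as evidence, and the mismatch has to be documented in the same timeline.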
Post-incident review process — After the incident is resolved: what happened, how it happened, what was done, and what changes should prevent recurrence. Conducted honestly and without assigning blame, the post-incident review usually produces more actionable security improvements than any other security activity.
The Incident Categories to Plan For
Beyond the four types detailed above, the plan should address at least:
- *Denial of service attacks* — Affecting operational availability rather than data integrity
- *Physical security incidents* — Theft of devices containing sensitive data, unauthorized facility access
- *Vendor or supply chain incidents* — A critical vendor is compromised and the compromise affects your environment
- *Lost or stolen devices* — Mobile devices, laptops, or portable media with organizational data
The Notification Obligations That Belong in the Plan
Breach notification obligations are time-sensitive and legally consequential. Include in the plan:
HIPAA Breach Notification Rule — Healthcare covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI, where discovery means the day the breach is known or, with reasonable diligence, would have been known. Notification to HHS is also required: within the same 60 days when 500 or more individuals are affected, otherwise through the annual log submitted within 60 days of the end of the calendar year. When more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Document the analysis: was this a "breach" under HIPAA? Does one of the regulatory exceptions apply, or does the four-factor risk assessment support a low probability that the PHI was compromised?
Illinois Personal Information Protection Act (PIPA) — Illinois (815 ILCS 530) requires notification to affected Illinois residents "in the most expedient time possible and without unreasonable delay" when a breach of personal information occurs, and notification to the Illinois Attorney General when more than 500 Illinois residents are affected. The statutory definition of personal information is specific (a name combined with a Social Security number, driver's license or state ID number, financial account number with the code needed to use it, medical or health insurance information, or biometric data; or a username or email address combined with a password or security question answer) and does not reach data that was encrypted, provided the keys were not also compromised. The plan should include the current statutory definition and the notification procedure.
Cyber insurance carrier notification — Most cyber insurance policies have specific notification timeframes that must be met to preserve coverage. Know what your policy requires and include it in the plan.
Law enforcement reporting — For significant incidents, particularly ransomware, data theft, or critical infrastructure attacks, reporting to the FBI (through the Internet Crime Complaint Center at ic3.gov or the local field office) and/or CISA may be appropriate, and some regulated sectors have mandatory reporting requirements with short deadlines. The plan should identify which reporting obligations apply to your organization and include when and how to make each report.
Testing the Plan
A plan that has never been tested is a plan of unknown quality. The most practical testing format for most organizations:
Tabletop exercise — A facilitated scenario walk-through where the response team works through a simulated incident, making decisions and identifying gaps in the plan without actually doing anything in the live environment. A 2-hour tabletop exercise reveals more plan gaps than a year of reviewing the written document.
Annual plan review — People change, systems change, vendors change, and regulatory requirements change. Review and update the plan annually and after any significant organizational change.
Download the SecureNext Incident Response Plan Template as a starting point — or contact SecureNext to discuss developing a customized incident response plan for your organization.