Incident Response Plan Template

End-to-End Incident Management Procedures

Overview

An incident response plan is the operational backbone of any cybersecurity program. It defines how your organization detects, contains, eradicates, and recovers from security incidents while preserving evidence and maintaining communications. This template follows the NIST SP 800-61 lifecycle and can be adapted to any industry or regulatory environment.

Incident Response Lifecycle Phases

  • Preparation — establish policies, train staff, and deploy detection tooling
  • Detection and Analysis — monitor alerts, validate indicators, and classify severity
  • Containment — isolate affected systems to prevent lateral movement
  • Eradication — remove the root cause, patch vulnerabilities, and harden controls
  • Recovery — restore services, verify system integrity, and monitor for recurrence
  • Post-Incident Activity — conduct a lessons-learned review and update the plan

Severity Classification Matrix

Severity      | Description                                                 | Response SLA | Escalation
Critical (P1) | Active data exfiltration or ransomware impacting production | 15 minutes   | CISO, Legal, CEO
High (P2)     | Confirmed compromise with no active exfiltration            | 1 hour       | CISO, SOC Lead
Medium (P3)   | Suspicious activity requiring investigation                 | 4 hours      | SOC Lead, IR Team
Low (P4)      | Policy violation or informational alert                     | 24 hours     | SOC Analyst
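The matrix above is only useful if someone actually measures time-to-acknowledge against it. The following is an added example (not part of the template or of Hunto AI's tooling) that encodes the four severity tiers, their SLAs and escalation contacts exactly as listed, computes each incident's acknowledgement deadline, and produces a triage report with breached incidents first. The incident records, the timestamps and the 'met'/'breached'/'open' status names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Severity matrix from the template: response SLA and escalation contacts per tier.
# Representing it as a dict keyed by priority code is this example's choice.
SEVERITY_MATRIX = {
    "P1": {"label": "Critical", "sla": timedelta(minutes=15), "escalate_to": ["CISO", "Legal", "CEO"]},
    "P2": {"label": "High",     "sla": timedelta(hours=1),    "escalate_to": ["CISO", "SOC Lead"]},
    "P3": {"label": "Medium",   "sla": timedelta(hours=4),    "escalate_to": ["SOC Lead", "IR Team"]},
    "P4": {"label": "Low",      "sla": timedelta(hours=24),   "escalate_to": ["SOC Analyst"]},
}


def response_deadline(severity, detected_at):
    """UTC time by which an incident of this severity must be acknowledged."""
    return detected_at + SEVERITY_MATRIX[severity]["sla"]


def sla_status(severity, detected_at, acknowledged_at=None, now=None):
    """Return 'met', 'breached' or 'open'.

    'open' means not yet acknowledged but still inside the SLA window; an
    unacknowledged incident past its deadline counts as 'breached'.
    """
    deadline = response_deadline(severity, detected_at)
    if acknowledged_at is not None:
        return "met" if acknowledged_at <= deadline else "breached"
    now = now or datetime.now(timezone.utc)
    return "open" if now <= deadline else "breached"


def escalation_list(severity):
    """Who must be paged for this tier, per the matrix."""
    return list(SEVERITY_MATRIX[severity]["escalate_to"])


def triage_report(incidents, now):
    """Rows of (incident_id, status, deadline, escalation contacts), breached first,
    then ordered by deadline so the most urgent open items come next."""
    rows = []
    for inc in incidents:
        status = sla_status(inc["severity"], inc["detected_at"], inc.get("acknowledged_at"), now)
        deadline = response_deadline(inc["severity"], inc["detected_at"])
        rows.append((inc["id"], status, deadline, escalation_list(inc["severity"])))
    rows.sort(key=lambda r: (r[1] != "breached", r[2]))
    return rows


# Constructed sample queue: a fixed 'now' keeps the example deterministic.
NOW = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    # P1 detected 20 min ago, never acknowledged: 15-minute SLA already blown.
    {"id": "INC-0001", "severity": "P1", "detected_at": NOW - timedelta(minutes=20)},
    # P2 acknowledged 50 minutes after detection: inside the 1-hour SLA.
    {"id": "INC-0002", "severity": "P2", "detected_at": NOW - timedelta(minutes=90),
     "acknowledged_at": NOW - timedelta(minutes=40)},
    # P3 detected an hour ago, still open with 3 hours left.
    {"id": "INC-0003", "severity": "P3", "detected_at": NOW - timedelta(hours=1)},
    # P4 acknowledged 25 hours after detection: 24-hour SLA missed.
    {"id": "INC-0004", "severity": "P4", "detected_at": NOW - timedelta(hours=30),
     "acknowledged_at": NOW - timedelta(hours=5)},
]

if __name__ == "__main__":
    for inc_id, status, deadline, contacts in triage_report(SAMPLE_INCIDENTS, NOW):
        print(f"{inc_id} {status:8} due {deadline.isoformat()} -> {', '.join(contacts)}")
```

Feeding this the real alert queue (detection and acknowledgement times from the ticketing system) turns the matrix into a measurable control: the 'breached' rows are exactly the ones whose escalation contacts should already have been paged.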

Roles and Responsibilities

Define an incident commander who owns decision-making authority during active incidents. Assign a communications lead responsible for internal updates and external notifications. The forensics lead manages evidence collection, chain of custody, and analysis. Each role must have a primary and backup to ensure 24/7 coverage. Document escalation paths and contact lists, and test them quarterly.

Communication and Notification Procedures

  • Establish pre-approved notification templates for customers, regulators, and law enforcement
  • Define internal communication channels separate from potentially compromised systems
  • Set clear criteria for when to engage outside counsel and forensic vendors
  • Maintain a stakeholder contact list with phone, email, and backup communication methods
  • Document regulatory notification deadlines for each applicable framework

Evidence Preservation Guidelines

Preserve volatile data first — memory dumps, running processes, and network connections. Use write-blockers when imaging disks. Log all actions taken with timestamps and analyst names. Store evidence in a secure, access-controlled repository with documented chain of custody. Engage legal counsel early if litigation or law-enforcement involvement is anticipated.
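"Log all actions with timestamps and analyst names" and "documented chain of custody" are easiest to defend when the log itself cannot be quietly edited after the fact. The block below is an added example, not part of the template and not Hunto AI's code: an append-only custody ledger in which every entry records the SHA-256 of the artifact it concerns and the hash of the preceding entry, so that changing any earlier record (or the artifact) is detected on verification. The evidence identifier, the analyst names, the artifact bytes and the timestamps are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain-of-custody log.

    Each entry commits to the previous entry's hash, so editing or deleting a
    record anywhere in the chain invalidates every entry after it.
    """
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash_entry(entry):
        # Hash a canonical JSON form of every field except the hash itself.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, evidence_id, action, analyst, evidence_bytes=None, timestamp=None):
        """Append one custody event; pass the artifact bytes on acquisition so
        its hash is fixed in the log at that moment. Returns the entry hash."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "evidence_id": evidence_id,
            "action": action,
            "analyst": analyst,
            "evidence_sha256": sha256_hex(evidence_bytes) if evidence_bytes is not None else None,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Recompute every entry hash and every back-link.
        Returns (True, None) if intact, else (False, seq of first bad entry)."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash_entry(e) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def evidence_matches(self, evidence_id, evidence_bytes):
        """Compare a stored artifact with the hash recorded at acquisition."""
        for e in self.entries:
            if e["evidence_id"] == evidence_id and e["evidence_sha256"]:
                return e["evidence_sha256"] == sha256_hex(evidence_bytes)
        return False  # no acquisition record: cannot vouch for the artifact


# Constructed sample: a fake memory image and a three-step custody trail.
SAMPLE_IMAGE = b"constructed memory image contents, not a real capture"
T0 = datetime(2026, 1, 10, 9, 30, tzinfo=timezone.utc)


def build_sample_ledger():
    ledger = CustodyLedger()
    ledger.record("EV-001", "acquired volatile memory from host", "analyst-a",
                  evidence_bytes=SAMPLE_IMAGE, timestamp=T0)
    ledger.record("EV-001", "transferred to evidence repository", "analyst-a",
                  timestamp=T0.replace(hour=10))
    ledger.record("EV-001", "checked out for analysis", "analyst-b",
                  timestamp=T0.replace(hour=11))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.verify())
    print("artifact matches:", ledger.evidence_matches("EV-001", SAMPLE_IMAGE))
    ledger.entries[1]["analyst"] = "analyst-z"  # simulate an after-the-fact edit
    print("after tampering:", ledger.verify())  # (False, 1)
```

In practice the ledger would be written to the access-controlled repository the guidelines describe, with each day's final entry hash recorded somewhere the analysts cannot modify (a printed log sheet, a ticket, or a signed mail) so that the chain's anchor is independent of the storage it protects.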

Testing and Maintenance

Conduct at least two tabletop exercises per year, one focused on ransomware and one on data exfiltration. Run a full functional exercise annually that tests technical playbooks end to end. After every real incident and every exercise, update the plan with lessons learned. Review contact lists and escalation paths quarterly to ensure accuracy.

Frequently Asked Questions

How often should an incident response plan be tested?

At minimum twice a year through tabletop exercises, plus one annual functional exercise. Plans should also be reviewed and updated after every real incident.

What is the difference between containment and eradication?

Containment stops the bleeding by isolating affected systems. Eradication removes the threat actor, malware, and root cause from the environment. Both steps must happen before recovery.

Who should be on the incident response team?

At minimum the incident commander, SOC analysts, a forensics lead, a communications lead, IT operations, legal counsel, and HR. Executive sponsors should be available for escalation.

When should law enforcement be contacted?

Contact law enforcement when there is evidence of a criminal act such as ransomware, data theft for sale, or nation-state activity. Consult legal counsel first to understand implications for evidence sharing.

How long should incident evidence be retained?

Retain evidence for at least one year for internal purposes. If litigation or regulatory proceedings are possible, follow legal hold requirements which may extend retention indefinitely.

© 2026 Hunto AI. Copyright. All Rights Reserved