Tristarnex
Incident Response · Planning · 18 Mar 2026 · 7 min read

Incident Response Plan: What Every Business Needs

An incident response plan is a documented set of procedures that tells your organisation exactly what to do when a cyberattack or security breach occurs. Without one, teams improvise under pressure — and improvisation during an incident is how small breaches become catastrophic ones.

Why most incident response plans fail

Many organisations that have an incident response plan have one that would not survive a real incident. Common failures: the plan was written by IT without input from legal, HR, or communications; it was never tested; contact numbers are out of date; it lives on, and assumes the availability of, systems (email, chat, the wiki, the identity provider) that may themselves be encrypted or attacker-controlled; and it does not account for out-of-hours incidents.

A plan that has never been exercised is not a plan — it is a document. An incident is not the time to discover that your IR contact list has three wrong phone numbers and your backup procedure requires a system that is encrypted.

The six phases of incident response

01 Preparation

Building the capabilities, processes, and tools needed to respond before an incident occurs. Includes writing the plan, defining roles, establishing out-of-band communication channels (which must not depend on the corporate email, chat, or identity provider an attacker may control), and ensuring backups are tested by actually restoring from them.

02 Identification

Detecting that an incident has occurred and determining its scope. What systems are affected? Is the attack ongoing? What type of incident is it: ransomware, data breach, insider threat, DDoS? Record when the incident was first detected and when it was declared, because regulatory notification clocks start from the moment you become aware of a breach.

03 Containment

Stopping the attack from spreading. Short-term containment (isolating affected systems at the network layer, disabling compromised accounts) and long-term containment (patching the exploited vulnerability, rotating credentials) both need to be planned in advance. Capture volatile evidence before you isolate or power off a machine: shutting it down destroys memory, running processes, and live network connections that the investigation will need.

04 Eradication

Removing the attacker from your environment: malware, backdoors, compromised accounts, persistence mechanisms. This cannot be done safely without first understanding how the attacker got in; otherwise you remove the visible symptoms and they return through the same initial access.

05 Recovery

Restoring systems and operations to normal. This includes validating backups, rebuilding clean systems, restoring data from backups taken before the initial compromise (not merely before the ransomware ran, since a backup taken after the attacker gained access may already contain their persistence), and monitoring for signs of re-infection.

06 Lessons learned

Documenting what happened, what worked, what did not, and what permanently changes. Every incident should improve your security posture, not just restore the status quo.

What your incident response plan must include

  • Roles and responsibilities — who does what, with deputies named for each role
  • Out-of-band contact list — phone numbers and personal emails for all key personnel, accessible without corporate systems
  • Escalation matrix — who gets notified at each severity level, including executives, legal, and the board
  • External IR contact — your incident response provider's emergency contact details
  • Regulatory notification obligations — for personal data breaches under UK GDPR, notification to the ICO within 72 hours of becoming aware of the breach (where feasible), plus any sector-specific requirements
  • Playbooks for common scenarios — ransomware, data breach, business email compromise, DDoS
  • Evidence preservation procedures — what to capture and what not to do
  • Communication templates — internal, customer-facing, and regulatory
  • Recovery procedures — backup restoration process, system rebuild process
  • Plan review schedule — at minimum annual review, plus after any incident
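The containment phase and the evidence preservation item above come down to one rule on the affected host: capture volatile state first, then isolate at the network layer rather than powering off. As an added example (not the article's own material), here is a first-responder script for a Linux host that does exactly that. It assumes iptables is in use and a hypothetical IR collection host at 10.0.0.5 (IR_JUMP_HOST); both are placeholders, and DRY_RUN defaults to 1 so the isolation rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the original article): first-responder script for a
# Linux host suspected of compromise. Order matters: capture volatile state
# first, then isolate at the network layer, and never power the host off or
# "clean" it before evidence is preserved.
# Assumptions (hypothetical): the IR collection host is 10.0.0.5 and the
# host uses iptables. DRY_RUN defaults to 1 so the rules are printed, not
# applied; set DRY_RUN=0 and run as root to apply them.

IR_JUMP_HOST="${IR_JUMP_HOST:-10.0.0.5}"
DRY_RUN="${DRY_RUN:-1}"

# Save a command's output under $OUT; never abort the whole collection
# because one tool is missing on a minimal host.
capture() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$name.txt" 2>&1 || true
    else
        echo "tool not present: $1" > "$OUT/$name.txt"
    fi
}

# Collect volatile evidence, most volatile first (connections and processes
# before disk listings). Prints the path of the hash manifest.
collect_volatile() {
    OUT="$1"
    mkdir -p "$OUT"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$OUT/collected_at.txt"
    capture uname      uname -a
    capture sockets    ss -tunap        # live connections and owning PIDs
    capture processes  ps -ef           # running processes with parents
    capture logins     who -a           # current sessions and their origin
    capture interfaces ip addr
    capture routes     ip route
    capture arp        ip neigh
    capture mounts     mount
    capture cron       sh -c 'ls -la /etc/cron* /var/spool/cron 2>/dev/null'
    capture tmpfiles   ls -la /tmp /var/tmp /dev/shm
    # Hash every artefact so chain of custody can be verified later.
    ( cd "$OUT" && { sha256sum *.txt 2>/dev/null || shasum -a 256 *.txt; } > manifest.sha256 )
    echo "$OUT/manifest.sha256"
}

# Print the rule (DRY_RUN=1) or apply it (DRY_RUN=0).
maybe_run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Short-term containment: allow loopback and the IR jump host only, drop
# everything else. The host stays up so memory can still be imaged.
isolate_host() {
    jump="$1"
    maybe_run iptables -I INPUT  1 -i lo -j ACCEPT
    maybe_run iptables -I OUTPUT 1 -o lo -j ACCEPT
    maybe_run iptables -I INPUT  2 -s "$jump" -j ACCEPT
    maybe_run iptables -I OUTPUT 2 -d "$jump" -j ACCEPT
    maybe_run iptables -A INPUT  -j DROP
    maybe_run iptables -A OUTPUT -j DROP
}

# Usage: sh ir_first_response.sh /mnt/evidence/host01
if [ $# -ge 1 ]; then
    manifest=$(collect_volatile "$1")
    echo "evidence manifest: $manifest"
    isolate_host "$IR_JUMP_HOST"
fi
```

Write the evidence directory to removable or network storage that the attacker cannot reach, copy the manifest out of band, and only then move to eradication; the manifest is what lets you show later that the artefacts were not altered after collection.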

How to test your incident response plan

A plan is only as good as its last test. Three methods, in increasing order of rigour:

Tabletop exercise

A facilitated discussion where key stakeholders walk through a simulated incident scenario. Identifies gaps in the plan and builds team familiarity without touching live systems. Can be done in half a day.

Simulation exercise

A more realistic test where teams respond to a simulated incident with inject points — escalating events that require real decisions. Tests communication, escalation, and decision-making under pressure.

Red team / purple team exercise

A live technical exercise where an offensive team simulates a real attack while the defensive team practises detection and response. In the red team form the defenders are not told in advance, so the exercise measures what they actually catch; in the purple team form the two teams work side by side, running each technique and tuning detections until it is caught. The most realistic test, but also the most resource-intensive.

Does your team know what to do when it happens?

Tristarnex can review your existing plan, build one from scratch, or run a tabletop exercise to test it. Book a free briefing to discuss.