Incident Response

How to Create a Cybersecurity Incident Response Plan

The question is not if your business will face a cyber incident, but when. The difference between a minor disruption and a catastrophic breach often comes down to one thing: did you have a plan?

Why Every Business Needs an Incident Response Plan

Faster Response

Companies with an IRP contain breaches 54 days faster on average

Lower Costs

Incident response planning reduces breach costs by an average of $2.66 million

Compliance

Required by HIPAA, PCI DSS, SOC 2, ISO 27001, and most cyber insurance policies

The 6 Phases of Incident Response

Preparation

The work you do before an incident happens. This is the most important phase.

Identify your critical assets (what data and systems absolutely cannot go down)
Assign incident response roles (who does what during an incident)
Document your network topology, asset inventory, and vendor contacts
Set up monitoring and alerting tools
Establish relationships with legal counsel, cyber insurance, and forensics providers
Train your team with tabletop exercises at least twice per year

Identification

Detecting that an incident is occurring and understanding its scope.

Monitor alerts from security tools (SIEM, EDR, firewall logs)
Document when the incident was first detected and by whom
Classify the incident type (malware, data breach, unauthorized access, DDoS)
Assess the scope: how many systems, users, and data sets are affected
Determine the severity level (critical, high, medium, low)
Activate the incident response team based on severity

Containment

Stop the incident from spreading while preserving evidence.

Short-term: Isolate affected systems from the network immediately
Do not power off machines (forensic evidence may be in memory)
Block malicious IPs, disable compromised accounts
Preserve logs, memory dumps, and disk images for forensics
Long-term: Apply temporary fixes, change credentials, enhance monitoring
Document every action taken with timestamps

Eradication

Remove the threat completely from your environment.

Identify the root cause (how did the attacker get in?)
Remove malware, close backdoors, patch exploited vulnerabilities
Reset all potentially compromised credentials
Scan all systems to confirm the threat is completely removed
Update firewall rules and security policies to prevent re-entry
Verify that no persistence mechanisms remain (scheduled tasks, registry keys, cron jobs)

Recovery

Restore systems to normal operations and verify they are clean.

Restore systems from known-good backups (verify backup integrity first)
Bring systems online gradually, starting with the most critical
Monitor restored systems closely for 48-72 hours for any signs of reinfection
Verify data integrity: compare restored data against known-good checksums
Re-enable user access incrementally after confirming systems are clean
Communicate restoration status to stakeholders

Lessons Learned

Review what happened and improve your defenses. This phase is often skipped but is critical.

Hold a post-incident review within 1-2 weeks (memories fade quickly)
Document the complete incident timeline from detection to recovery
Identify what worked well and what failed
Update your incident response plan based on findings
Implement new controls to prevent similar incidents
Share lessons (appropriately) with the broader team

Key Roles and Responsibilities

Incident Commander: Coordinates the overall response, makes decisions, communicates with leadership

Technical Lead: Leads technical investigation, containment, and eradication efforts

Communications Lead: Handles internal and external communications, media, and customer notifications

Legal/Compliance: Advises on regulatory obligations, breach notification requirements, evidence preservation

Executive Sponsor: Authorizes spending, approves major decisions, interfaces with board and stakeholders

For small businesses, one person may fill multiple roles. The important thing is that every role is assigned before an incident occurs.

Communication Plan

Internal Communication

Who needs to be notified and in what order
Use out-of-band communication (phone, not company email if email is compromised)
Provide clear, factual updates at regular intervals
Restrict incident details to need-to-know basis

External Communication

Legal obligations: breach notification laws vary by state and industry
Customer notification: what to say, when, and through what channel
Law enforcement: when to involve FBI, CISA, or local authorities
Cyber insurance: notify your carrier within the policy timeframe

Test Your Plan

A plan that hasn't been tested is just a document. Schedule these exercises:

Quarterly

Tabletop exercise: walk through a scenario verbally with your team

Biannually

Functional exercise: simulate an incident with hands-on response activities

Annually

Full exercise: simulate a real incident end-to-end including communications

After every real incident

Lessons learned review and plan update

Need Help Building Your Incident Response Plan?

CyberITEX helps businesses create, test, and maintain incident response plans. We also provide managed security monitoring so you can detect incidents before they become breaches.

Cybersecurity

Get Security Insights Delivered

One email per month with our best articles. No spam.

The 6 Phases of Incident Response

Preparation

The work you do before an incident happens. This is the most important phase.

Identify your critical assets (what data and systems absolutely cannot go down)
Assign incident response roles (who does what during an incident)
Document your network topology, asset inventory, and vendor contacts
Set up monitoring and alerting tools
Establish relationships with legal counsel, cyber insurance, and forensics providers
Train your team with tabletop exercises at least twice per year

Identification

Detecting that an incident is occurring and understanding its scope.

Monitor alerts from security tools (SIEM, EDR, firewall logs)
Document when the incident was first detected and by whom
Classify the incident type (malware, data breach, unauthorized access, DDoS)
Assess the scope: how many systems, users, and data sets are affected
Determine the severity level (critical, high, medium, low)
Activate the incident response team based on severity

Containment

Stop the incident from spreading while preserving evidence.

Short-term: Isolate affected systems from the network immediately
Do not power off machines (forensic evidence may be in memory)
Block malicious IPs, disable compromised accounts
Preserve logs, memory dumps, and disk images for forensics
Long-term: Apply temporary fixes, change credentials, enhance monitoring
Document every action taken with timestamps

Eradication

Remove the threat completely from your environment.

Identify the root cause (how did the attacker get in?)
Remove malware, close backdoors, patch exploited vulnerabilities
Reset all potentially compromised credentials
Scan all systems to confirm the threat is completely removed
Update firewall rules and security policies to prevent re-entry
Verify that no persistence mechanisms remain (scheduled tasks, registry keys, cron jobs)

Recovery

Restore systems to normal operations and verify they are clean.

Restore systems from known-good backups (verify backup integrity first)
Bring systems online gradually, starting with the most critical
Monitor restored systems closely for 48-72 hours for any signs of reinfection
Verify data integrity: compare restored data against known-good checksums
Re-enable user access incrementally after confirming systems are clean
Communicate restoration status to stakeholders

Lessons Learned

Review what happened and improve your defenses. This phase is often skipped but is critical.

Hold a post-incident review within 1-2 weeks (memories fade quickly)
Document the complete incident timeline from detection to recovery
Identify what worked well and what failed
Update your incident response plan based on findings
Implement new controls to prevent similar incidents
Share lessons (appropriately) with the broader team

Key Roles and Responsibilities

Incident Commander: Coordinates the overall response, makes decisions, communicates with leadership

Technical Lead: Leads technical investigation, containment, and eradication efforts

Communications Lead: Handles internal and external communications, media, and customer notifications

Legal/Compliance: Advises on regulatory obligations, breach notification requirements, evidence preservation

Executive Sponsor: Authorizes spending, approves major decisions, interfaces with board and stakeholders

For small businesses, one person may fill multiple roles. The important thing is that every role is assigned before an incident occurs.

Communication Plan

Internal Communication

Who needs to be notified and in what order
Use out-of-band communication (phone, not company email if email is compromised)
Provide clear, factual updates at regular intervals
Restrict incident details to need-to-know basis

External Communication

Legal obligations: breach notification laws vary by state and industry
Customer notification: what to say, when, and through what channel
Law enforcement: when to involve FBI, CISA, or local authorities
Cyber insurance: notify your carrier within the policy timeframe

Test Your Plan

A plan that hasn't been tested is just a document. Schedule these exercises:

Quarterly

Tabletop exercise: walk through a scenario verbally with your team

Biannually

Functional exercise: simulate an incident with hands-on response activities

Annually

Full exercise: simulate a real incident end-to-end including communications

After every real incident

Lessons learned review and plan update

How to Create a Cybersecurity Incident Response Plan

Why Every Business Needs an Incident Response Plan

Faster Response

Lower Costs

Compliance

The 6 Phases of Incident Response

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

Key Roles and Responsibilities

Communication Plan

Internal Communication

External Communication

Test Your Plan

Need Help Building Your Incident Response Plan?

Related Articles

The Complete Cybersecurity Checklist for Small Business

How MSSPs Protect Small Businesses (and Why You Need One)

Top 10 Cyber Threats Facing Small Businesses in 2026

Get Security Insights Delivered

How to Create a Cybersecurity Incident Response Plan

Why Every Business Needs an Incident Response Plan

Faster Response

Lower Costs

Compliance

The 6 Phases of Incident Response

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

Key Roles and Responsibilities

Communication Plan

Internal Communication

External Communication

Test Your Plan

Need Help Building Your Incident Response Plan?

Related Articles

The Complete Cybersecurity Checklist for Small Business

How MSSPs Protect Small Businesses (and Why You Need One)

Top 10 Cyber Threats Facing Small Businesses in 2026

Get Security Insights Delivered