How to Build a Cybersecurity Incident Response Plan

Making it up as you go is the wrong way to handle security breaches. Prepare for the next attack with a cybersecurity incident response plan.

by Troy Fine

September 02, 2022

Cyberattacks can happen to any company at any time. Getting caught flat-footed makes the situation worse as hackers exfiltrate more data and the PR firestorm spreads. Avoid this nightmare scenario by thinking ahead.

Here’s everything you need to know about building a cybersecurity incident response plan.

What is a Cybersecurity Incident Response Plan?

A cybersecurity incident response plan documents your organization’s policies and procedures during a security incident.

For each potential attack, your plan should:

  • Assign responsibilities for executing the response.

  • Specify steps taken to mitigate the attack.

  • Prepare internal and external communications.

  • Apply lessons learned to improve future responses.

Rather than starting from scratch, most organizations adopt the framework in NIST Special Publication 800-61, the Computer Security Incident Handling Guide from the National Institute of Standards and Technology (NIST). It groups the elements of an incident response plan into four phases:

Preparation

Few organizations have the resources to plan for every possible attack; there are too many ways for an attacker to penetrate network defenses. You can, however, prioritize your planning through regular risk assessments: close the most severe security gaps first, then identify the attacks that would cause the most damage if they succeeded and plan for those.

Next, build incident response teams across the organization. These teams are not limited to the IT department. They should also include human resources, public relations, legal, and other stakeholders. Define standard operating procedures (SOPs) for each attack. Conduct regular drills to ensure the response team understands what to do when an attack succeeds.

Detection and Analysis

Monitoring network and authentication activity establishes a baseline of typical behavior, which makes deviations easier to spot. NIST distinguishes precursors, signs that an attack may be coming (a burst of credential stuffing against your login page, vulnerability scans of your web servers, a newly published exploit for software you run), from indicators, signs that an attack is in progress or has already happened (antivirus alerts, intrusion detection alerts, logins from unfamiliar sources). Once an event is detected, the incident response team analyzes it to decide whether it is a genuine incident, find its source, and gauge its severity.
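The precursor/indicator distinction above is easier to act on with concrete detection logic. As an added example, not code from the original post or from Drata, the following Python script runs over a few constructed login-log lines and separates a credential-stuffing burst (many failures across many distinct accounts from one source) from a brute-force attempt against a single account. The log format, thresholds, IP addresses and usernames are assumptions for illustration.

```python
"""Flag credential-stuffing precursors in constructed web login logs.

Added example, not Drata's code. The log format, thresholds and sample
lines are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 UTC timestamp, source IP, username, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)\s+"
    r"result=(?P<result>success|failure)$"
)

# Constructed sample (documentation-range addresses):
#   203.0.113.7  sprays many distinct accounts, then one succeeds (stuffing)
#   198.51.100.9 hammers a single account (brute force)
#   192.0.2.5    is a normal user who mistypes a password once
SAMPLE_LOG = """\
2022-09-02T10:00:01Z ip=192.0.2.5 user=alice result=failure
2022-09-02T10:00:05Z ip=192.0.2.5 user=alice result=success
2022-09-02T10:00:10Z ip=203.0.113.7 user=bob result=failure
2022-09-02T10:00:11Z ip=203.0.113.7 user=carol result=failure
2022-09-02T10:00:12Z ip=203.0.113.7 user=dave result=failure
2022-09-02T10:00:13Z ip=203.0.113.7 user=erin result=failure
2022-09-02T10:00:14Z ip=203.0.113.7 user=frank result=failure
2022-09-02T10:00:15Z ip=203.0.113.7 user=grace result=success
2022-09-02T10:00:20Z ip=198.51.100.9 user=admin result=failure
2022-09-02T10:00:21Z ip=198.51.100.9 user=admin result=failure
2022-09-02T10:00:22Z ip=198.51.100.9 user=admin result=failure
2022-09-02T10:00:23Z ip=198.51.100.9 user=admin result=failure
2022-09-02T10:00:24Z ip=198.51.100.9 user=admin result=failure
2022-09-02T10:00:25Z ip=198.51.100.9 user=admin result=failure
"""


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples.

    Lines that do not match the assumed format are skipped; real logs are noisy.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     min_failures=5, min_users=4):
    """Return {ip: finding} for sources exceeding the failure threshold.

    A sliding time window is kept per source IP. Many failures spread over
    many distinct accounts is reported as credential stuffing; many failures
    against few accounts as brute force. Any success from a flagged source
    inside the window is listed, because that account is the first thing the
    response team must contain.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        window_evs = []
        for ev in evs:
            window_evs.append(ev)
            # Drop events that have aged out of the window.
            while window_evs and ev[0] - window_evs[0][0] > window:
                window_evs.pop(0)
            failures = [e for e in window_evs if e[3] == "failure"]
            if len(failures) < min_failures:
                continue
            users = {e[2] for e in failures}
            kind = "credential_stuffing" if len(users) >= min_users else "brute_force"
            successes = sorted({e[2] for e in window_evs if e[3] == "success"})
            # Later events overwrite earlier ones, so the finding reflects the
            # full burst seen so far for this source.
            findings[ip] = {
                "kind": kind,
                "failures": len(failures),
                "distinct_users": len(users),
                "successes_in_window": successes,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

In practice the events would come from your SIEM or identity provider rather than a string, and the thresholds should be derived from the baseline the paragraph above describes (how many failures a given source normally produces in five minutes) rather than hard-coded. The brute-force finding is an indicator; the stuffing burst followed by a success is the case where a precursor has already become an incident.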

Using pre-established criteria, the response team will notify organizational stakeholders. They may need to prepare external communications to law enforcement, regulators, and the public.

Containment, Eradication, and Recovery

Containing a breach may require shutting down or quarantining systems, with potential disruptions to the company's operations. Deciding in advance which systems can be isolated, what the fallback for each one is, and who is authorized to make the call makes these decisions faster during an incident.

Affected systems may need to be restored from backups taken before the compromise, rebuilt from known-good images, or replaced entirely. After eradicating the threat, your team can begin the recovery process. Besides restoring standard functionality, they should close the security gaps that exposed the systems to the original attack, or the attacker will simply return the same way.

Post-incident Activity

Incident response planning is not a linear activity but one of constant feedback and iteration. Implement systems that log network activity and record decisions during the response. Your post-incident analysis should find opportunities for improvement. Incorporating lessons learned in your SOPs and response training will institutionalize this knowledge and prepare your company for the next attack.

Why You Need an Incident Response Plan

An incident response plan is good business practice as it makes your security systems more robust and efficient. Going through the planning process gives you a better understanding of your company’s security risks. You will uncover gaps in your defenses and any misunderstandings about roles and responsibilities. Putting an incident response plan in place tightens up your security processes.

When cybercriminals strike, your plan enables faster, more coordinated responses. All the tools are in place. Everyone on the team already knows what to do. Most importantly, your leadership team has already vetted critical decisions, so incident response teams have the authority to make the right call right away.

For many companies, information security frameworks such as ISO 27001 and SOC 2 require incident response plans. Even for companies not subject to these standards, incident response plans may be more of a requirement than a best practice. Severe security breaches compromising credit card information and personal data expose companies to regulatory oversight and civil legal action. Not planning for security breaches could have significant financial costs.

How to Write a Cybersecurity Incident Response Plan 

Guidelines like those from NIST can help you build your incident response plan. Key steps include:

Build Your Response Teams

Your incident response teams will include the specific people assigned to coordinate and conduct the response. IT departments provide technical members who identify, contain, and eradicate threats.

However, incident response teams should draw from the entire organization:

  • Human resources staff handle internal communications should the attack compromise employee information.

  • Sales and service teams will discuss the breach with customers. 

  • Legal teams will be ready to communicate with law enforcement and regulators.

  • Public relations will be ready to draft releases and field press inquiries.

For the most severe attacks, you may bring in outside expertise. Security consultants can assess defenses, review plans, and help with recovery. PR firms specializing in crisis management can reduce the impact on the company’s brand. 

Assess and Prioritize Risks

Perform a thorough risk assessment that reveals the weaknesses in your security systems. This assessment will let you close gaps that expose the organization to attack. You will also understand which kinds of attacks pose significant risk. Prioritizing these attacks in your response plans ensures you can minimize their impact. 

Develop Responses for Each Kind of Incident

Create simple SOPs for dealing with each kind of incident. Keep in mind that some actions, such as isolating a production system, could impact business operations, so make sure these impacts are well understood by leadership and get preauthorization to avoid delays.

Response plans should include criteria for internal and external communications. Response teams may report low-level incidents after the fact, while severe breaches may require notifications to law enforcement agencies.

Determine Breach Notification Requirements

Based on the nature of your organization, the data you manage, and where you conduct business, you’ll need to follow breach notification requirements from specific standards and regulations. 

For instance, GDPR (Article 33) requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a notification made later must explain the delay. HIPAA's Breach Notification Rule sets different timelines based on the scale of a breach of protected health information. If a breach affects 500 or more individuals, the covered entity must notify the Secretary of Health and Human Services without unreasonable delay and no later than 60 days after discovering the breach. If a breach affects fewer than 500 individuals, the Secretary may be notified annually, within 60 days of the end of the calendar year in which the breach was discovered. In either case, affected individuals must be notified without unreasonable delay and within 60 days of discovery.

Maintenance Best Practices

Your incident response plan is never complete. The threat landscape is constantly evolving, so your response plan must also evolve. You should evaluate your plans at least once a year—and whenever a significant change occurs.

In addition, incident response teams should conduct regular training sessions to keep them current on the various plans. Drills should test their ability to respond quickly and effectively to security breaches.

Make learning part of every step in your incident response plans. Each attack will test your systems in different ways and internalizing the lessons from these incidents will improve your response to the next attack.

Planning and practice are the foundations of cybersecurity. Preparing your organization for common incidents and severe breaches ensures a rapid response that mitigates potential damage. Drata’s compliance automation platform makes it easier to identify threats and collect evidence during your response. Contact Drata today to schedule a tour.

Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.