
Incident Response Plan Template

A practical incident response framework with defined roles, phases, and communication procedures. Target: contain incidents within 2 hours.

Key figures:

  • 2 hrs: containment target
  • 277 days: average time to detect a breach
  • $1.2M: savings attributed to having an IR plan
  • 72 hrs: GDPR notification deadline

Incident Response Phases

1. Preparation (Ongoing): establish capabilities before incidents occur

  • Document incident response team roles and contact info
  • Establish communication channels (out-of-band)
  • Create incident classification criteria
  • Set up logging and monitoring infrastructure
  • Conduct tabletop exercises quarterly
  • Maintain relationships with IR vendors and legal counsel
  • Document critical systems and data locations

2. Detection & Analysis (0-2 hours): identify and validate security incidents

  • Receive alert or report of potential incident
  • Validate the incident (false positive check)
  • Determine scope and affected systems
  • Classify severity level (Critical/High/Medium/Low)
  • Assign incident commander
  • Begin documentation and timeline
  • Notify stakeholders per classification

3. Containment (Target: 2 hours): limit damage and prevent spread

  • Short-term: Isolate affected systems from network
  • Preserve evidence (disk images, memory dumps)
  • Block malicious IPs/domains at firewall
  • Reset compromised credentials
  • Disable affected user accounts if needed
  • Implement temporary access restrictions
  • Document all containment actions taken

4. Eradication (Varies): remove the threat from the environment

  • Identify root cause and attack vector
  • Remove malware and attacker tools
  • Patch exploited vulnerabilities
  • Rebuild compromised systems from clean images
  • Verify removal with scanning and monitoring
  • Update security controls to prevent recurrence

5. Recovery (Varies): restore normal operations

  • Restore systems from clean backups
  • Validate system integrity before reconnection
  • Monitor for signs of re-infection
  • Gradually restore services with enhanced monitoring
  • Verify business operations are functional
  • Communicate status to stakeholders

6. Post-Incident (Within 2 weeks): learn and improve

  • Conduct lessons learned meeting
  • Document incident timeline and actions
  • Identify what worked and what didn't
  • Update IR plan based on findings
  • Implement security improvements
  • Brief leadership and board if required
  • File regulatory notifications if required

Response Team Roles

Define these roles before an incident occurs. Each role should have a primary and backup person assigned.

Incident Commander

  • Overall incident leadership and decision-making
  • Coordinates all response activities
  • Authorizes major containment decisions
  • Primary point of contact for executives

Technical Lead

  • Leads technical investigation and analysis
  • Directs containment and eradication efforts
  • Coordinates with IT operations
  • Validates technical remediation

Communications Lead

  • Manages internal and external communications
  • Coordinates with PR/Marketing
  • Prepares customer notifications
  • Documents communication timeline

Legal/Compliance Lead

  • Advises on regulatory requirements
  • Manages law enforcement coordination
  • Oversees breach notification obligations
  • Preserves legal privilege where applicable

Severity Classification

Critical
  Criteria: Active data breach, ransomware, system-wide outage
  Response: Immediate all-hands response
  Notification: CEO, Board, Legal within 1 hour

High
  Criteria: Confirmed compromise, significant data exposure risk
  Response: IR team activated, 24/7 response
  Notification: CISO, IT Director within 2 hours

Medium
  Criteria: Attempted attack, limited system impact
  Response: IR team notified, business hours response
  Notification: Security team within 4 hours

Low
  Criteria: Policy violation, minor security event
  Response: Standard investigation process
  Notification: Security team within 24 hours
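The phase timings above (2-hour containment target, 72-hour GDPR deadline, post-incident review within 2 weeks) and the severity table's notification deadlines are the plan's measurable commitments, and an incident timeline is what lets you check them during and after the incident. The following is an added example, not part of this template or any vendor tool, of a small timeline tracker that classifies severity from the stated criteria and reports each target as met, missed, pending or overdue. It assumes every clock starts when the incident is declared (the template does not say which event starts each clock), and it recognises milestones by keywords in the logged action text; the sample incident is constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Time targets from the plan. Assumption: every clock starts when the incident
# is declared (the template does not say what event starts each clock).
CONTAINMENT_TARGET = timedelta(hours=2)
GDPR_NOTIFICATION_DEADLINE = timedelta(hours=72)
POST_INCIDENT_TARGET = timedelta(weeks=2)
NOTIFICATION_DEADLINES = {            # "Notification" row of the severity table
    "Critical": timedelta(hours=1),
    "High": timedelta(hours=2),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
}


def classify(active_breach=False, ransomware=False, outage=False,
             confirmed_compromise=False, data_exposure_risk=False,
             attempted_attack=False) -> str:
    """Apply the severity criteria most severe first, so an incident that
    matches several rows is assigned the highest matching level."""
    if active_breach or ransomware or outage:
        return "Critical"
    if confirmed_compromise or data_exposure_risk:
        return "High"
    if attempted_attack:
        return "Medium"
    return "Low"          # policy violation / minor security event


@dataclass
class TimelineEntry:
    at: datetime
    phase: str    # detection, containment, eradication, recovery, post-incident
    action: str


@dataclass
class Incident:
    severity: str
    declared_at: datetime
    personal_data_involved: bool = False   # switches on the GDPR 72-hour clock
    timeline: list = field(default_factory=list)

    def log(self, at: datetime, phase: str, action: str) -> None:
        """Append one timeline entry; entries are kept in time order."""
        if at < self.declared_at:
            raise ValueError("timeline entry precedes incident declaration")
        self.timeline.append(TimelineEntry(at, phase, action))
        self.timeline.sort(key=lambda e: e.at)

    def first(self, keyword: str, phase: Optional[str] = None) -> Optional[datetime]:
        """Timestamp of the earliest action whose text contains keyword."""
        for e in self.timeline:
            if (phase is None or e.phase == phase) and keyword in e.action.lower():
                return e.at
        return None

    def _status(self, done_at: Optional[datetime], limit: timedelta, now: datetime) -> str:
        if done_at is not None:
            return "met" if done_at - self.declared_at <= limit else "missed"
        return "overdue" if now - self.declared_at > limit else "pending"

    def check_targets(self, now: datetime) -> dict:
        """Evaluate each of the plan's time targets at time `now`."""
        result = {
            "stakeholder_notification": self._status(
                self.first("notif", "detection"), NOTIFICATION_DEADLINES[self.severity], now),
            "containment": self._status(
                self.first("contained", "containment"), CONTAINMENT_TARGET, now),
            "lessons_learned": self._status(
                self.first("lessons learned", "post-incident"), POST_INCIDENT_TARGET, now),
        }
        if self.personal_data_involved:
            result["gdpr_notification"] = self._status(
                self.first("regulat"), GDPR_NOTIFICATION_DEADLINE, now)
        return result


def sample_incident() -> Incident:
    """Constructed ransomware incident used to exercise the checks (not real data)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    inc = Incident(classify(ransomware=True), t0, personal_data_involved=True)
    inc.log(t0 + timedelta(minutes=20), "detection", "Notified CEO, Board and Legal")
    inc.log(t0 + timedelta(minutes=45), "containment", "Isolated file servers from network")
    inc.log(t0 + timedelta(hours=1, minutes=50), "containment", "Incident declared contained")
    inc.log(t0 + timedelta(hours=80), "recovery", "Filed regulatory notification with DPA")
    return inc


def sample_report(days_after: int) -> dict:
    """Target status of the sample incident, evaluated `days_after` days post-declaration."""
    inc = sample_incident()
    return inc.check_targets(inc.declared_at + timedelta(days=days_after))


if __name__ == "__main__":
    for target, status in sample_report(5).items():
        print(f"{target:25s} {status}")
```

Run as a script it reports the sample incident five days in: notification and containment met, the regulatory notification missed (filed at 80 hours against a 72-hour deadline), and the lessons-learned meeting still pending. Logging every containment action with a timestamp, as the Containment phase requires, is what makes this check possible after the fact.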

Critical Contact List

Maintain this list in an accessible location (not just on potentially compromised systems):

Role               | Primary     | Backup             | Contact Method
Incident Commander | [Name]      | [Name]             | [Phone/Signal]
Technical Lead     | [Name]      | [Name]             | [Phone/Signal]
Legal Counsel      | [Firm/Name] | [Alt Contact]      | [Phone]
Cyber Insurance    | [Carrier]   | [Policy #]         | [Claims Line]
IR Vendor/Retainer | [Firm]      | [Contract #]       | [Emergency Line]
FBI Cyber (US)     | ic3.gov     | Local field office | [Local #]

Communication Templates

Internal Notification (Initial)

Subject: Security Incident - [Severity Level] - [Date/Time]

A security incident has been declared. Here is what we know:

- Type of incident: [Description]
- Systems affected: [List]
- Current status: [Investigating/Contained/etc.]
- Incident Commander: [Name]

Next update in [X] hours. Direct questions to [Contact].

Customer Notification (if breach confirmed)

Subject: Important Security Notice from [Company]

We are writing to inform you of a security incident that may have affected your data.

What happened: [Brief description]

What information was involved: [Types of data]

What we are doing: [Actions taken]

What you can do: [Recommended actions]

For questions, contact [dedicated line/email].
