What Is Incident Response Plan – Complete Guide

This is an in-depth guide to what an Incident Response Plan is, with templates. It also covers the top automation tools for incident response management.

With the growing complexity of organizations and their environment, organizations must be prepared at all times to respond to a cyber-attack or a security breach. Security specialists across the world have emphasized the level of preparation in terms of a concrete action plan to counter any event of serious cybersecurity incident.

In this article, we will discuss one of the best defenses against data breaches or cyber-attacks. This defense is called the Incident Response Plan. The response of the organization towards an incident is a key factor in deciding the ultimate impact of that incident.

Facing a cyber-attack could just be the tip of the iceberg. The problem may grow by leaps and bounds if the organization fails to take the necessary steps to mitigate the impact of the incident. The impact could range from loss of data to losing the trust of customers. In some cases, the insurance companies have rejected claims if the organization did not take any prior steps to avoid the incident.

Let us begin!!

What is Incident Response Plan


The Incident Response Plan (IRP) refers to processes and tools an organization uses to detect, remove and remediate cybersecurity threats and attacks. This plan supports the organization and its team to ensure a quick response to counter any threats from the external environment.

An incident response plan also ensures that the process of responding to threats is effective. These effective plans also ensure the impact of the attack is mitigated. A comprehensive and efficient response plan can chalk out a plan of action for all incidents. The plan must clearly define the process to be followed in the event of an incident and specifically mention the teams who will take action to counter the incident.

The IRP is known to be the backbone of organizations. Any compromise with sensitive data of the organization can lead to long-term consequences, often difficult to manage.

The incident response plan is also called Incident Management Plan (IMP).


Importance of Incident Management Plan

They are as follows:

  • An incident management plan helps to keep a check on the root cause of the incident and thereby reduces the occurrence of future incidents.
  • The time taken to resolve or remediate the incident, known as Mean Time To Resolution (MTTR), is reduced.
  • Downtime may be reduced or eliminated when an incident management plan is followed.
  • The incident management plan ensures the trust of stakeholders (customers) is improved and maintained.
  • Most data compliance standards are met when an Incident Management Plan is in place.
  • The overall impact of incidents, in terms of damage, is mitigated when there is a quick response to the incident. It ensures the continued operation of services and systems as per the plan.
  • In the absence of an incident management plan, Service Level Agreements (SLA) are seriously impacted when an incident occurs, resulting in loss of data, lower or reduced productivity, or longer downtime.

Every organization’s incident management plan can be customized according to its identified business risks. However, all such plans must record information like the time of the incident, what actions were taken, and who was involved, so that the plan to mitigate the impact of the incident can be managed effectively.

Who is responsible for a response when an incident occurs? Is this the question in your mind?

Read further to get your answers.

Incident Management Plan Team


For effective preparation and management of incidents, every organization must have a dedicated team called the incident response team. The primary role of this team is to scrutinize and analyze any event of security breach and take appropriate corrective actions.

The team is the first point of contact when a security incident occurs and their prime responsibility is to manage the incident and set clear communication with internal and external stakeholders.

Top management in every organization plays a very important role in the planning and executing of responses to incidents. The support from management is pivotal to procuring the required resources, funds, and personnel for effective incident management.

Apart from management, the other team members in the incident response team include:

  • The IT director of the organization usually acts as the manager and is responsible for supervising and appropriately sequencing actions when an incident is detected and analyzed. The responsibility also includes announcing any additional needs and requirements, especially with high severity incidents to the appropriate teams across the organization.
  • A team of security analysts supporting the manager and directly handling the network which is affected. The prime responsibility of this team is to analyze the location, time, and other details regarding the incident as quickly as possible. They also keep a close watch on any potential threats along with collecting evidence of the incident for effective investigation.
  • The team also consists of threat researchers who are experts in the field of threat intelligence. They use their expertise to scan the Internet to find out traces of any information which may have been leaked outside the organization. Trends and data from any previous incident records are combined with current data, thereby creating a database that can be used for intelligence purposes. This expertise can also be sourced externally if not available within the organization.
  • Apart from this, the team may also include members from the Human Resource team in case the investigations reveal any employee involvement. It is advisable to include members from the Audit and Risk management team who can assess the vulnerability of the organization and also ensure best practices are followed throughout the organization.
  • Legal advisors of the organization and public relations experts are also part of the team to assess any legal liability of the organization. Public relations experts ensure that the information shared with media and stakeholders is authentic.

Automation Tools for Incident Management

Before choosing tools to automate incident response, it is very important to keep a few points in mind.

  • The first point to consider while choosing an automated incident response tool is to be sure of which part of the incident response is to be automated. Although several automation tools are available, each of them is meant for a specific purpose.
  • Some of these tools are helpful when data has to be gathered and analyzed, while others automate the entire process of response. Some tools are extremely helpful in a comprehensive forensic investigation of incidents.
  • The tools available for free cater to only one part of the entire incident response and are usually used in combination with other tools.
  • The next point to consider is the existing skills of the security team, and ensuring they can use these tools effectively as quickly as possible. Some tools, for instance SANS SIFT, are extremely powerful but also need in-depth knowledge of the principles of forensics. Other, simpler tools, like Cyphon, can easily be used for complicated incidents as well.
  • Finally, it is also important to consider a few points regarding the deployment of these tools. Some of these points could include discussions on whether to install the tool on a server or a particular machine and if there is a need for any additional tools to be deployed. These key considerations directly influence the cost of the entire solution.

Below is a list of some popular automation tools that are commonly used.

#1) Salesforce


Few tools handle incident tracking and management as well as Salesforce. The platform is capable of proactively seeking out a problem and giving agents the ability to resolve it before the issue worsens. Its integration with platforms like Slack also makes incident handling and escalation quicker and considerably more efficient.

  • Proactive Incident Detection.
  • Streamline operations with real-time collaboration.
  • Keep customers updated via multiple digital channels.
  • Automate business processes using AI.
  • Integrate with external systems for quick problem resolution.

#2) TheHive

TheHive is a popular tool for the automation of incident responses. With the help of this tool, numerous SOC and CERT analysts can simultaneously work together on carrying out investigations on security incidents and run quality and timely checks on the collected data.

Each investigation is organized as a case, which can be divided into tasks. Security analysts can pick up and work on these tasks at the same time.

Website: TheHive

#3) AlienVault OSSIM

This tool is an open-source Security Information and Event Management system (SIEM). This tool integrates with the IT infrastructure and security tools in a given organization and begins the process of collecting security data. This data can be used by security teams while identifying security incidents.

Website: AlienVault OSSIM

#4) GRR Rapid Response

This tool is developed by Google and primarily assists in tasks related to the collection of data, such as memory analysis and registry examination. Its automation features can be used for scheduling repeated tasks, and the IPython console supports integrated scripting. The tool can be deployed across many endpoints.

Website: GRR Rapid Response

#5) Cyphon

Cyphon is yet another popular automation tool. It is also open-source and assists security teams with collecting, processing, and analyzing data to detect incidents from a mass of raw events.

The use of APIs, logs, and emails allows security analysts to decide the level of exposure to data they want for investigation. The features also include trackers to check the work of security analysts, create customized alerts and detect the severity level of the incident.

Website: Cyphon

#6) SANS Investigate Forensic Toolkit (SIFT)


This tool includes a variety of other tools which are used for executing forensic investigations. This toolkit is an Ubuntu live CD. Some of the interesting features of this tool include the capacity to plot system logs on a timeline, carving files to pull out specific evidence, and analyzing the recycle bin as well for investigation of incidents.

This tool supports Linux as well as Windows.

Website: SANS Investigate Forensic Toolkit (SIFT)

#7) Volatility

This tool is a memory forensics platform: it takes memory dumps from a system affected by a security incident and analyzes them. From the captured memory it can reconstruct network activity, running processes and their IDs, and other activity on the system.

Website: Volatility

#8) CrowdStrike CrowdResponse


CrowdResponse is a tool that helps you collect information related to security incidents, such as a directory listing, the process list, and the list of jobs scheduled on the system.

This console application can verify the digital signatures of processes executing on a system and scan for malware or malicious documents using its integrated YARA signatures.

Website: CrowdStrike CrowdResponse

#9) Cyber Triage


Cyber Triage is a commercial tool that also offers a free plan. It works together with a SIEM and an Intrusion Detection System to collect information and data that can be used for detecting security incidents. These incidents are scored automatically, and the security team can compare them against the data collected by the threat intelligence team.

Website: Cyber Triage

Incident Response Cycle

[Image: Incident Response Cycle]

The image above shows the cycle of incident response. Let us now look at the steps for incident response.

Steps of Incident Management Plan

To manage a security incident effectively, the below-mentioned 6 steps have to be followed by the incident response team. An effective plan must include a detailed sequence of processes to be followed at each of these steps.

#1) Preparation: This is an important step that requires a thorough review of the security policies that inform the incident response plan. This step provides the right stage to carry out risk assessments and identify those assets which need critical security attention from the team.

It is essential to chalk out a clear plan for communication and a document that states clearly assigned roles and responsibilities in the event of a security incident.

All the above-mentioned steps of planning and preparation may be futile if the incident response team, the CSIRT (Computer Security Incident Response Team), has not been staffed, or if its members do not have access to the tools and systems needed to detect and respond to security incidents.

#2) Detection: This stage is crucial because this is the stage when the team must be able to detect any security breach or incident. The team must keep a close check on operations and capture any deviation that occurs in the usual operational cycle in the organization, which can be a potential security breach.

As soon as a potential incident is detected, the team must find more evidence that helps to understand the nature, type, and severity of the incident. The team must also document all the actions taken. The documentation must be detailed and contain clear information like the “who, when, where, why, and how” of the incident.

#3) Containment: As soon as the incident has been detected by the team, the next course of action is the containment of the incident so that any further damage can be prevented. Containment can either be short-term or long-term.

Short-term containment could be as simple as isolating the particular network segment where the attack occurred. Long-term containment may involve applying temporary fixes to the affected network so that production can continue while new, clean systems are built afresh.

#4) Eradication: The next step for the incident response team is to identify the root cause of the incident or threat and take immediate remedial actions to prevent any future occurrence. For instance, if the incident was caused by a weak authentication process, that process must be strengthened immediately.

#5) Recovery: As the name suggests, this is the time when the team takes steps to restore the affected systems and resume production with utmost care to prevent any recurrence of the incident. This stage also involves critical decisions about the suitable time for restoring operations, and about the methods and duration of monitoring the impacted systems in production to ensure normalcy.

#6) Post-incident follow-up: This stage must be completed within two weeks of the occurrence of the incident. It aims to fill any gaps in documentation that could not be completed earlier and to conclude a 360-degree evaluation of the incident in terms of the reason for its occurrence and the actions taken to remediate, contain, and eradicate it.

The documentation also contains an evaluative analysis of actions taken to clearly define which actions were effective and ones that had a scope for improvement.

These 6 steps of incident management have been shown in the image below.

[Image: the 6 steps of incident management, ending with post-incident follow-up]

Incident Response Plan Template

The above section of this article explains the importance of an incident response plan and how a structured well-defined plan helps to mitigate the impact of the incident. We now understand how imperative it is to quickly respond to an incident. With the aim of ensuring agility and preparedness in responding, organizations can also use incident response plan templates.

An incident response plan template is a framework that contains a comprehensive checklist listing the roles and responsibilities of incident response team members in case of an incident. It also has detailed steps and actions to be taken to gauge the impact of the security incident and ways to contain the damage.

These templates are totally customizable to suit an organization’s policies and structure. The main focus of these templates is to take into account many objectives and ensure that the daunting process of creating an incident plan becomes simple and easy.

Here are a few points to keep in mind while designing an incident response plan based on the template.

  • The response plan must segregate incidents depending on the level of severity of the incident and its capacity of impact.
  • Clear differentiation of incidents based on their nature, for instance whether the incident pertains to facilities, IT, or power, must be included while designing an incident management plan.
  • The plan must accommodate an incident management committee for each category of the incident, which is separate from the core team and is informed about all the incidents.
  • Based on the incident response plan template, each incident must have a specific response and resolution time which is based on the severity level of the incident.
  • The plan must contain a well-structured process to tackle escalations for all types of incidents.
  • In the process of responding to and managing an incident, there could be times when teams have to be contacted outside business hours. For any such instance, contact details of the personnel and vendors who are the first point of contact must be included in the plan in the format mentioned in the template.
  • It is a must for a response plan to emphasize educating and upskilling the employees to prepare them to deal with disasters like earthquakes, fires, etc.
  • The plan must also stress the importance of clear communication between parties involved and impacted by the incident. The communication must be clear, regular, and based on the level of severity of the incident.
  • It is very important to review the incident response plan at least once a quarter so that information and details can be updated.
  • An incident plan must also include a well-structured process that needs to be followed to educate employees on emergency contact details. These processes have to be conducted at regular intervals.

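The severity-based response and resolution targets, the escalation rule and the dated, attributed incident record with its evidence entries described above, as an added example that is not from the article or from any of the templates it lists; the target times, the incident id INC-0001, the evidence share path and the analyst name are constructed placeholders.

```python
# Minimal incident register: severity-based response/resolution targets, escalation
# when a target is missed, and an evidence log answering what/when/how/where.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# (time to first response, time to resolution) per severity level. Constructed for
# this example; a real plan takes these from its template and business risk.
SLA = {
    "critical": (timedelta(minutes=15), timedelta(hours=4)),
    "high": (timedelta(hours=1), timedelta(hours=24)),
    "medium": (timedelta(hours=4), timedelta(days=3)),
    "low": (timedelta(days=1), timedelta(days=14)),
}
HOUR = timedelta(hours=1)
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed detection time


@dataclass
class Evidence:
    what: str          # what was collected, e.g. a memory image
    when: datetime     # when it was collected
    how: str           # how it was collected (tool or method)
    where: str         # where it is stored
    collected_by: str  # who collected it


@dataclass
class Incident:
    ident: str
    category: str      # e.g. "IT", "facilities" or "power"
    severity: str      # a key of SLA
    detected_at: datetime
    timeline: list = field(default_factory=list)  # (when, who, what was done)
    evidence: list = field(default_factory=list)
    first_response_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None

    def record(self, at: datetime, actor: str, action: str) -> None:
        # Every entry is dated and attributed: the who/when/what of the incident.
        self.timeline.append((at, actor, action))

    def respond(self, at: datetime, actor: str, action: str) -> None:
        # The first logged action fixes the response time.
        if self.first_response_at is None:
            self.first_response_at = at
        self.record(at, actor, action)

    def add_evidence(self, ev: Evidence) -> None:
        self.evidence.append(ev)
        self.record(ev.when, ev.collected_by,
                    f"collected {ev.what} via {ev.how}; stored at {ev.where}")

    def resolve(self, at: datetime, actor: str, action: str) -> None:
        self.resolved_at = at
        self.record(at, actor, action)

    def missed_targets(self, now: datetime) -> list:
        """Targets missed as of `now`; a non-empty list means escalate."""
        resp_by, res_by = (self.detected_at + d for d in SLA[self.severity])
        missed = []
        if (self.first_response_at or now) > resp_by:
            missed.append("response")
        if (self.resolved_at or now) > res_by:
            missed.append("resolution")
        return missed


def sample_incident() -> Incident:
    # Constructed high-severity incident: first action after 30 minutes, one evidence item.
    inc = Incident("INC-0001", "IT", "high", T0)
    inc.respond(T0 + HOUR / 2, "security-analyst", "isolated the affected host")
    inc.add_evidence(Evidence("memory image of the host", T0 + HOUR, "memory capture",
                              "evidence share /cases/INC-0001", "security-analyst"))
    return inc
```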
Let us now look at some of the commonly used templates for incident response planning. A website link for downloading the template has also been included.

#1) California Government Department of Technology incident response plan

Pages: 4

Details: A detailed procedure of 17 steps to be used in case of specific security incidents like malware or failure of the system.

[Images: two pages of the California Government Department of Technology incident response plan]

Website: California Government Department of Technology incident response plan

Note: This link will open a Word document.

#2) Echo Technology Solutions-Cybersecurity Incident Plan Template

Pages: 3

Details:

  • Categories of incidents.
  • Information that is identifiable personally.
  • Details of the incident response team. This includes their contact numbers, name, role, and business title.
  • A detailed plan of action to be used in the event of an incident. The plan of action begins by notifying the incident response team, controlling the event, stabilizing data, and finally ensuring the impacted systems are back to normalcy.

[Image: Echo Technology Solutions cybersecurity incident plan template]

Website: Echo Technology solutions

Current Trends: Incident Response Plan

By now, we understand that incident response templates, and the plans and procedures based on them, are extremely important. However, these alone are not sufficient to combat security incidents: most organizations face an acute shortage of staff.

In this situation, it is not easy to keep a check on all security alerts and investigate and follow up on all incidents. Studies have shown that it can take more than 100 days to detect an incident and find a remedy for it.

To counter issues of this kind, a wave of automation is sweeping across the security industry. There has been a surge in the development of tools that can automatically respond to incidents. These automated tools are capable of detecting potential security issues or threats and immediately executing a set of automated processes to contain and minimize the incident.

Replacing a manual incident response system with an automated response system has immensely helped to minimize the workload on security teams and make them more agile and efficient.

Some benefits of an automated incident response plan are as follows:

  • Quick identification of security incidents.
  • All the data for the purpose of investigation of the incident can be collected and compiled quickly.
  • Security playbooks can be used for the automation of incident response tasks and mitigation of the impact of the security incident.


Frequently Asked Questions

Q #1) Which resource management task enables resource coordination throughout the incident? 

Answer: The Track and Report task is the resource management task that enables resource coordination throughout the incident.

Q #2) What is the incident response life cycle?

Answer: Incident response life cycle begins with preparation and passes through stages of detection and analysis, containment, eradication, recovery, and post-incident follow-up.

Q #3) What are the two types of incident response teams?

Answer: The two types are teams made up of IT staff who have some security-related skills, and teams made up of full-time security staff.

Q #4) What important questions should the security incident response form answer?

Answer: Some of the basic questions that are answered in a security response form are:

  • What is the evidence for the incident?
  • When were these pieces of evidence collected?
  • How were these pieces of evidence collected?
  • Where is the evidence stored?

In this article, we have discussed the incident response plan, which covers the entire process of detecting and handling security incidents. Every organization has its own incident response policy, and this must be kept in mind before a response plan is prepared.

We hope this article proves useful while combating any security breaches or incidents.