How to Develop an Incident Response Plan 

By Microserve
Incident Response Plan Banner

An incident response plan is a detailed, step-by-step plan that is essential to mitigate cybersecurity risks and threats. It defines how your organization detects incidents and communicates detailed incident response procedures. An incident response plan strengthens security posture and engages key stakeholders in cybersecurity strategies. Incident response plans should address incident detection, threat containment, threat elimination, and system restoration.

Why do you need an incident response plan?

Creating a detailed incident response plan takes time, strategy, and communication, but it helps your organization prepare for security breaches and other incidents. It not only mitigates the risk of cyber threats but also helps prevent data breaches that can damage your business reputation, expose customer data, and lead to legal ramifications.

An incident response plan is useful for many reasons:

  • It can be printed and referenced in the event of a cyber incident or natural disaster that causes systems to be unavailable.
  • It can reduce downtime, cost, and exposure in the event of a security incident.
  • It builds strong communication by proactively engaging the key members needed to resolve incidents.
  • It is often required to obtain cyber insurance, which is highly recommended to reduce the cost of incidents.
  • In this article, we’ll discuss how to develop a detailed incident response plan to strengthen your readiness.

In this article, we’ll discuss how to develop a detailed incident response plan to strengthen your readiness. 

Create an inventory of assets

The first step to develop an incident response plan is to take inventory of the assets you are protecting. You can do so with a directory or identify and access management tool like Microsoft’s Microsoft Entra ID (formerly Azure Active Directory). This tool takes inventory of your assets, but also includes ID protection and governance to help further strengthen your security posture.

At a minimum, you should gather the following device information:

  • User and username
  • Device make and model
  • User’s location
  • Warranty information
  • Device OS

In addition to creating an inventory of your assets, these assets should also be classified according to risk. For example, assets that are connected to the web may be classified as high risk, while the same asset that is not exposed to the internet could be considered a medium risk.

Run a cybersecurity risk assessment

The next step in developing your incident response plan is to assess your cybersecurity risks and potential threats. Understanding exactly what poses a cybersecurity risk, as well as any potential threats to your business, is vital to strengthen your security posture.

Common cybersecurity risks and incidents include:

  • Malware and ransomware: These attacks involve malicious software (such as viruses, spyware, and trojan horses) that intends to steal or delete data. Ransomware involves malicious actors who encrypt data and threaten to expose data if the target doesn’t pay a ransom.
  • Phishing attacks: These attacks, typically carried out by email, text message, or phone call, are a social engineering tactic that prays upon people’s trust. It uses psychological manipulation to impersonate a trusted person or brand to gain access to systems, passwords, or financial information.
  • Denial-of-service (DDoS) attacks: These attacks typically target larger organizations and aim to crash a system or network by exhausting resources with overwhelming traffic. The goal of these attacks is to shut down high-profile organizations, ultimately costing them money and time to restore systems
  • Unauthorized access: This type of attack aims to gain access to your systems by stealing the credentials of your authorized users. By gaining access, they can install malware, spyware, access sensitive data, and more.
  • Inappropriate usage of systems and data: This type of attack is often accidental. When an authorized user misuses systems or violates IT policies, it can introduce malware, cause a data breach, or cost the company money or resources.

While performing a cybersecurity assessment, you should also consider the intensity and severity of the incident and label each incident by criticality. For example, labels could be 0- Low, 1- Medium, 2- High, and 3-Extreme to help determine the type of response required for each incident.

Develop incident responses to identified risks

Once you’ve identified the risks and threats your business faces, the next step to develop your incident response plan is to create an action plan with response procedures. Firstly, each identified risk should include a detailed description of the risk in accordance with the results of your cybersecurity assessment and should be categorized by criticality.

Each risk should have a well-documented description of key stakeholders to engage with, a containment strategy, an eradication strategy, and a recovery strategy. Many organizations choose to follow the National Institute of Standards and Technology (NIST) Special Publication – 800-61, also known as the Computer Security Incident Handling Guide, which is outlined below.


To prepare for an incident, organizations must name and engage with key stakeholders who will be involved in the resolution of the incident. Security awareness training, incident response training, communication, and cybersecurity tabletop exercises are ways that the incident response team can prepare for incidents. The incident response team’s goal is to respond to incidents as quickly as possible and minimize the impact on networks, system, and the organization.

Your incident response plan should address the following:

Who should be involved, both inside and outside of the organization, in an incident? How can they be contacted during working hours? How can they be contacted outside working hours?

Where can the incident response team physically meet? If a physical meet up is not possible, how can they meet online if systems are down?

Which devices and network should the incident response plan use in the event of an incident? Are spare workstations, networks, and systems available in the event of an incident?

How should the incident response team gather evidence and information related to the incident? Where should this information be stored?

Preparation also means ensuring that the right systems and measures are in place to prevent incidents altogether. Your cybersecurity strategy should address how to secure systems, networks, data, and devices with adequate tools, software, and controls.

Detection and analysis

Incidents can be detected in a variety of ways. Although some incidents may be detected manually when users report problems to the IT department, others are more likely to be detected through automated incident detection software. A tool like Arctic Wolf’s Managed Detection and Response involves 24/7 threat monitoring and advanced threat detection. These types of tools also help IT teams respond to incidents by investigating suspicious activity, managing event logs, and providing strategic guidance through a named security professional.

Detecting incidents requires trained professionals with knowledge of incident detection, often referred to as incident handlers. Security information and event management (SIEM) tools generate hundreds, if not thousands of alerts about potential incidents every day, many of which are false positives. However, each event can be a precursor to a larger security incident. Having an experienced incident handler is essential to dissect this information. For example, an alert might be triggered because a ping to a web server was unsuccessful, which could happen for many reasons and may not be a security incident. An incident handler also should document the incident and next steps and present this information to the relevant stakeholders such as the CIO, system owner, PR team, and legal department.

The analysis and evidence gathering required for security incidents are often the most expensive aspects of a data breach or security incident. While the IT team works on containing the issue, which we will discuss next, a forensic investigator analyzes the incident to determine the cause, gathers evidence to be used in legal proceedings, and attempts to identify the malicious actor. Collecting evidence is essential for compliance, insurance, and prosecution.

Containment, eradication, and recovery

Containment strategies differ for various types of incidents, and your incident response plan should detail the specific strategies that could be implemented in the event of a security incident. Trained decision making is important to contain security threats, as time is often of the essence. For example, a worm can start in one device and spread across your entire system within an hour, causing network shutdown.

To determine your containment and eradication strategy, consider the following:

  • The resources and time required to contain a threat.
  • What is being damaged or stolen, as well as the severity of the damage.
  • Whether the threat involves system availability of the network, devices, or servers.
  • How long it will take to contain and eradicate a threat.

Recovery from security incidents also varies depending on the type of incident. It may involve restoring backups, rebuilding systems, restoring networks, installing software patches, replacing compromised files, resetting firewalls, or changing passwords and access.

Post-incident activity

Post-incident activity involves reviewing the security incident, and it is one of the most important parts of the incident response plan. After an incident, you should refine your incident response plan to reduce negative outcomes of future security incidents.

To improve your incident response plan post-incident, host a meeting with the involved members of the incident response to discuss what went well and what could have gone better. During these meetings, review the cause of the incident, order of events, any challenges or issues, and damage of the incident. Understanding what corrective actions are required to ensure a similar incident does not occur is vital to maintaining your security posture.

Additionally, review the lessons learned, provide training to employees on security handling procedures, and remediate vulnerabilities to boost your security posture after an incident. One of the best ways to train your employees and ensure you are prepared for a security incident is to host tabletop exercises. These exercises gather your key stakeholders, critical communications staff, and all key members responsible for security handling. The purpose of a tabletop exercise is to provide real or fictitious security scenarios to participants, and to ask them probing questions to stress-test your organization’s incident response plan. This exercise helps participants learn and prepare for disasters; it encourages them to ask questions and work together to resolve cyber threats.

Revisit the incident response plan regularly

Cybersecurity threats are ever-evolving, so your incident response plan needs to be revisited regularly– even if an incident does not occur. Understanding and addressing new cybersecurity threats is vital to the success of your cybersecurity plan. For this reason, and due to the time and resources required to create and maintain an incident response plan, many organizations turn to managed IT service providers (MSPs) for help.

With over 35 years of experience, the expert cybersecurity team at Microserve can not only help you create an incident response plan but can help you ensure your team is ready to handle cybersecurity incidents. Your IT team can be incident-ready with the help of penetration testing, tabletop exercises, IT awareness training, industry-standard cybersecurity tooling, and more – and the team at Microserve is ready to assist you. Get in touch with the cybersecurity experts to be proactive in your cybersecurity approach, boost your security posture, and be ready to handle any cybersecurity incident that may arise.

You might also like