Article November 4, 2021

How to build a comprehensive incident response plan

Having a CFC cyber policy is great protection from a cyber attack, but it's also imperative to have a solid incident response plan. So if an incident occurs, the rest of the company knows what to do.

Developing an effective Incident Response Plan (IRP) is a task that will take time and requires a great deal of consideration as there are many ways to approach it. Each stage must be tailored specifically to your business, based on what threats are most likely and most high-risk. For example, if your business handles or stores sensitive data, a data breach could be a devastating incident that needs to be accounted for. A good incident response plan will minimise the impact of an event and allow the team to respond in a clear and orderly manner. 

A very basic IRP should include 5 key points:

  1. Key contacts

    People that will need to be contacted should an incident occur for example, your IR team/provider, IT, senior management, legal teams, PR, HR, and insurance provider. Consider the risk of people being unavailable - include at least two contact methods and two or more people/groups.

  2. Escalation criteria

    To determine how serious the response to an incident should be. A severity matrix can be used to help define what would classify the incident as a critical, high, medium, or low severity event.

  3. A basic flowchart or process

    This should cover the incident response life cycle and how your business will respond at each stage of:

    - Preparation
    - Detection and analysis
    - Containment, eradication and recovery
    - Post-incident activity

  4. Contact number

    At least one conference number, available for urgent incident calls.

  5. Regulatory requirements

    Basic guidance on legal or regulatory requirements, such as when to engage legal support, HR, or when to follow evidence capture guidelines.

In addition to these 5 key points, you may also want to consider:

  • Checklists to use during an emergency, to ensure all necessary tasks have been carried out and as guidance to see what task needs to be done next.
  • Forms for documenting and tracking the incident and for the post-incident review.
  • Further details on the IR life cycle and technical guidance on each stage.
  • Playbooks/guidance on specific types of incidents to detail responses for common and high-risk incidents.

There are many IRP templates available online to help you build your own IRP. The following includes some IRP templates: You could also utilise existing frameworks from providers such as NIST and SANS.

Finally, CFC provides an IR template to all our cyber policyholders, which can be obtained by contacting with your policy number and a request for the template.