How to Create a Cyber Security Incident Response Plan

With organisations facing the constant threat of cyber attacks and data breaches, it’s essential that they have a plan for how to respond.

A rapid response could be the difference between a minor disruption and potentially catastrophic damage. Research from IBM’s Cost of a Data Breach Report 2021 found that the key timeframe for incident response is 200 days. Organisations that can identify and contain an incident within this time reduce their cost by an average of $1.26 million (about £940,000).

This is where a cyber security incident response plan is essential. A well-designed strategy will help organisations identify breaches promptly, outline mitigation tactics and ensure that regulatory requirements are met.

What is a cyber incident?

The UK’s NCSC (National Cyber Security Centre) defines a ‘cyber incident’ as “a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems”.

Broadly speaking, this definition translates to four types of incident:

  1. Attempts to gain unauthorised access to a system and/or data.
  2. Unauthorised use of systems for storing or processing data (such as data exfiltration).
  3. Unauthorised changes to a system’s firmware, hardware or software.
  4. Malicious disruption and/or a denial of service.

For the purposes of your incident response plan, you may want to come up with your own definition for a ‘cyber incident’ that better suits your organisation and business goals, but these definitions should provide a good starting point.

The 6 phases in a cyber incident response plan

An effective cyber incident response plan will contain these six stages:

1. Detect

Unless you know that an incident has happened (or may have happened), you will not be able to respond effectively, if at all.

How you detect an incident will vary depending on the nature of that incident – a stolen or lost laptop is quickest to discover via a staff report, for instance, while cyber attacks will likely require some form of security monitoring.

Where an anomaly is detected (multiple failed login attempts to a user account, for example), an alarm is raised for someone to manually investigate.

It is only possible for an anomaly to be detected if you know what ‘out of the ordinary’ looks like. Equally, staff will only report an incident if they know what constitutes one and are trained to report it to the appropriate person or team.
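The failed-login example above is the kind of anomaly that security monitoring turns into an alarm for manual triage. The following is an added illustration, not code from the original article, of such a detector: it reads sshd-style authentication lines (the log format, the sample lines, the threshold of five failures and the five-minute window are all assumptions constructed for this example), raises one alert per user when a burst crosses the threshold, and flags a burst that is followed by a successful login for the same account, which is the case a triage analyst would want to look at first.

```python
"""Added example: detect bursts of failed logins in an sshd-style auth log.

Everything here (log format, sample lines, threshold, window) is constructed
for illustration and is not taken from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: alice suffers a 5-attempt burst followed by a
# success; bob has two isolated failures 15 minutes apart (benign noise).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:07Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:09Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:12Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:15Z host1 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T09:05:00Z host1 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:20:00Z host1 sshd: Failed password for bob from 198.51.100.7
"""

# Assumed line layout: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector: alert when a user accumulates `threshold`
    failures inside `window`. Returns a list of alert dicts for triage."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable or unrelated line; ignored here
        user, ts = ev["user"], ev["ts"]
        if ev["outcome"] == "Accepted":
            # A success shortly after a burst for the same account raises the
            # priority of that alert: it may mean the guessing worked.
            for a in alerts:
                if a["user"] == user and ts - a["last_failure"] <= window:
                    a["success_after"] = True
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:  # exactly on crossing, so one alert per burst
            alerts.append({
                "user": user,
                "source_ip": ev["ip"],
                "host": ev["host"],
                "count": len(q),
                "first_failure": q[0],
                "last_failure": ts,
                "success_after": False,
            })
    return alerts


def summarise(alerts):
    """Human-readable lines for the analyst picking up the alarm."""
    out = []
    for a in alerts:
        prio = "HIGH (success followed burst)" if a["success_after"] else "MEDIUM"
        out.append(f"{prio}: {a['count']} failed logins for {a['user']} from "
                   f"{a['source_ip']} on {a['host']} between "
                   f"{a['first_failure']:%H:%M:%S} and {a['last_failure']:%H:%M:%S}")
    return out


if __name__ == "__main__":
    for line in summarise(detect_failed_login_bursts(SAMPLE_LOG.splitlines())):
        print(line)
```

The threshold and window are the part that needs tuning per environment, which is exactly the "know what out of the ordinary looks like" point: a value that is noisy for one organisation's help desk traffic may be silent for another's.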

2. Triage

Triage, which normally involves a manual follow-up to a cyber security event, needs to occur as quickly as possible after the initial report. This process must establish whether you are dealing with a false alarm or a cyber incident and, if the latter, how to escalate it to your cyber incident response team.

It is important you document the process, showing how you reached your conclusions and providing information you may need later.

If it appears to be an actual incident, you need to assess the situation to determine what further steps you must take. What type of incident are you dealing with? What systems and/or data have been affected?

Understanding the nature of the incident will help direct your remediation activities – for instance, if you are dealing with ransomware, affected devices will need to be cleaned for malware and restored using backups.

Depending on the nature of the incident, you may also need to act quickly to contain the damage – for example, if you are aware of an attacker moving through your systems, you could force a logout.

3. Report

Where applicable, you need to report the incident to relevant stakeholders, such as criminal fraud units, regulators, insurers, partners and customers. Criminal fraud units typically encourage victims or witnesses to report fraud or cyber crime.

Where you have regulatory reporting requirements, such as under the GDPR or the NIS Directive, you must submit separate reports to the relevant authorities. For example, under the GDPR, personal data breaches likely to result in a risk to the rights and freedoms of natural persons must be reported within 72 hours of becoming aware of the breach to your supervisory authority.

In addition, where there is likely a high risk to data subjects’ rights and freedoms, the GDPR mandates you notify those subjects directly.

Supervisory authorities typically also encourage you to offer advice about steps data subjects can take to mitigate the risks they may face. This can include, for example, a warning to be wary of phishing emails that fraudulently claim to represent your organisation, and a recommendation to change their passwords as soon as possible.

If the breach is significant enough that you need to inform your data subjects (whether they are partners, customers or otherwise), you may also have to issue a public statement and/or provide comment to the press.

4. Remediate

Now that you understand what you are dealing with, it is time to remediate the situation and repair the damage. If you are dealing with malware, for example, you need to eliminate every trace of it, and likely harden and patch your systems before recovering them.

5. Recover

Recovery is all about getting back to business as usual. At this stage, any trace of malware or other cyber threats should be eradicated, meaning that systems and backups can be safely restored (although it is sensible to test impacted systems before connecting and using them as normal again).

It is also a good idea to include information on how to inform users that everything is up and running again.

It’s worth reiterating how important it is to think ahead: your response plans, prepared in advance, must outline what steps to take, and you must also ensure the right technical measures have been implemented to make the execution of those plans possible. Restoring backups, for instance, is only useful if you ran regular backups before the incident happened.

6. Review

After you have fully recovered from the incident, you should review your response plans, procedures and other measures to identify scope for improvement. This could be to prevent a future occurrence of the same incident, or to improve your responses in general.

However you implement the lessons learned, make sure you do review your actions. There is no better way to improve, and gradually become a more secure and resilient organisation with time.

Cyber incident response with GRCI Law

If your organisation suffers a security disaster and doesn’t have a cyber incident response plan, help is at hand.

GRCI Law has a range of cyber incident response services, including our Tabletop Exercises, which will ensure your organisation is ready to deal with any incident by taking action to mitigate deficiencies and protect against future incidents.