Incident Response Plan Template: Prepare, Detect, Respond, Recover
IBM's Cost of a Data Breach Report reveals that organizations with incident response plans and teams reduce breach costs by an average of $2.66 million and identify breaches 54 days faster than those without. Yet 77 percent of organizations do not have a consistently applied incident response plan.
An incident response (IR) plan is not a document that sits on a shelf. It is a playbook that your team knows, has practiced, and can execute under pressure. This guide provides a complete, customizable IR plan template following the NIST framework.
Part 1: Plan Overview
Purpose
This Incident Response Plan establishes procedures for detecting, responding to, containing, and recovering from cybersecurity incidents. It ensures a coordinated, efficient response that minimizes damage and recovery time.
Scope
This plan covers all information systems, networks, data, and users within the organization, including:
- On-premise and cloud infrastructure
- Employee and contractor devices
- Third-party systems processing organizational data
- Physical security incidents affecting IT assets
Incident Classification
| Severity | Definition | Examples | Response Time |
|---|---|---|---|
| Critical (P1) | Active data breach, ransomware, system-wide outage | Data exfiltration, encryption of systems, DDoS | Immediate (within 15 minutes) |
| High (P2) | Confirmed compromise, significant disruption | Compromised admin account, malware spread, targeted attack | Within 1 hour |
| Medium (P3) | Suspicious activity, limited impact | Phishing attempt, unauthorized access attempt, policy violation | Within 4 hours |
| Low (P4) | Minor security event, no immediate threat | Failed login attempts, policy warnings, scan activity | Within 24 hours |
Part 2: Roles and Responsibilities
Incident Response Team
| Role | Responsibility | Primary Contact | Backup Contact |
|---|---|---|---|
| Incident Commander | Overall coordination, decision authority | [Name, Phone, Email] | [Name, Phone, Email] |
| Technical Lead | Technical investigation and containment | [Name, Phone, Email] | [Name, Phone, Email] |
| Communications Lead | Internal and external communications | [Name, Phone, Email] | [Name, Phone, Email] |
| Legal Counsel | Regulatory obligations, legal guidance | [Name, Phone, Email] | [Name, Phone, Email] |
| Business Liaison | Business impact assessment, stakeholder updates | [Name, Phone, Email] | [Name, Phone, Email] |
| Executive Sponsor | Escalation authority, resource allocation | [Name, Phone, Email] | [Name, Phone, Email] |
RACI Matrix
| Activity | Commander | Tech Lead | Comms | Legal | Business | Executive |
|---|---|---|---|---|---|---|
| Initial triage | A | R | I | I | I | I |
| Containment decisions | A | R | I | C | C | I |
| Technical investigation | I | A/R | I | I | I | I |
| Internal communication | I | C | A/R | C | R | I |
| External communication | A | C | R | R | C | A |
| Recovery decisions | A | R | I | C | R | A |
| Post-incident review | A | R | R | R | R | I |
R = Responsible, A = Accountable, C = Consulted, I = Informed
Part 3: The Six Phases of Incident Response
Phase 1: Preparation
Preparation happens before any incident occurs.
Technical preparation:
- Security monitoring tools deployed and configured (SIEM, EDR, IDS/IPS)
- Log collection from all critical systems centralized
- Backup systems tested (restore verified within the last 30 days)
- Network diagrams current and accessible offline
- Asset inventory current (all systems, applications, data stores)
- Forensic toolkit assembled (imaging tools, write blockers, chain of custody forms)
Organizational preparation:
- IR team members identified and trained
- Contact list current (including after-hours and weekend numbers)
- Communication templates drafted (customer, regulator, media, employee)
- Legal obligations documented (notification requirements by jurisdiction)
- Tabletop exercise conducted within the last 6 months
- Third-party IR retainer in place (forensics firm, legal firm)
- Cyber insurance policy reviewed and current
Phase 2: Detection and Analysis
Detection sources:
| Source | Type of Alert | Priority |
|---|---|---|
| SIEM | Correlated events, anomaly detection | High |
| EDR | Malware detection, suspicious behavior | High |
| User report | Phishing, suspicious email, unusual behavior | Medium |
| Third-party notification | Vendor, partner, or researcher reports compromise | High |
| Dark web monitoring | Credentials or data found on dark web | High |
| Automated scanning | Vulnerability discovered, misconfiguration | Medium |
Initial triage questions:
- What happened? (What was detected, by whom, when?)
- What systems are affected? (Scope assessment)
- Is the incident still active? (Ongoing vs. historical)
- What data may be at risk? (Classification level)
- What is the business impact? (Operational disruption)
- Does this trigger any regulatory notification requirements?
Documentation from the first minute:
Incident ID: INC-[YEAR]-[SEQUENTIAL]
Date/Time Detected: [YYYY-MM-DD HH:MM UTC]
Detected By: [Person/System]
Detection Method: [Alert/Report/Discovery]
Initial Classification: [P1/P2/P3/P4]
Affected Systems: [List]
Initial Description: [What is known]
Assigned To: [Incident Commander]
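As an added example (not part of the original template), a small Python helper that builds the first-minute record above: it sequences IDs per year in the INC-[YEAR]-[SEQUENTIAL] form, normalizes the detection time to UTC, rejects detection methods and classifications the template does not list, and checks the first response against the response-time targets from the classification table. The field names, the four-digit sequence width, the ISO-8601 input format and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RESPONSE_MINUTES = {"P1": 15, "P2": 60, "P3": 240, "P4": 1440}  # table targets
DETECTION_METHODS = {"Alert", "Report", "Discovery"}
_sequence = {}  # per-year counters for INC-[YEAR]-[SEQUENTIAL] (assumed width 4)

def _as_utc(stamp):
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:  # an offset is required so the UTC field is unambiguous
        raise ValueError(f"timestamp must carry a UTC offset: {stamp}")
    return parsed.astimezone(timezone.utc)

@dataclass
class Incident:
    incident_id: str
    detected_at: datetime  # normalized to UTC
    detected_by: str
    detection_method: str
    classification: str
    affected_systems: list
    description: str
    assigned_to: str

    def sla_met(self, responded_at):
        # True if the first response started within the severity's target window
        deadline = self.detected_at + timedelta(minutes=RESPONSE_MINUTES[self.classification])
        return _as_utc(responded_at) <= deadline

    def record(self):
        """Render the first-minute documentation in the template's field order."""
        return "\n".join([
            f"Incident ID: {self.incident_id}",
            f"Date/Time Detected: {self.detected_at:%Y-%m-%d %H:%M} UTC",
            f"Detected By: {self.detected_by}",
            f"Detection Method: {self.detection_method}",
            f"Initial Classification: {self.classification}",
            f"Affected Systems: {', '.join(self.affected_systems)}",
            f"Initial Description: {self.description}",
            f"Assigned To: {self.assigned_to}",
        ])

def open_incident(detected_at, detected_by, method, classification,
                  systems, description, assigned_to):
    """Create the record, rejecting values the template does not allow."""
    if method not in DETECTION_METHODS or classification not in RESPONSE_MINUTES:
        raise ValueError(f"not in template: {method!r}, {classification!r}")
    when = _as_utc(detected_at)
    _sequence[when.year] = _sequence.get(when.year, 0) + 1
    return Incident(f"INC-{when.year}-{_sequence[when.year]:04d}", when, detected_by,
                    method, classification, list(systems), description, assigned_to)
```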
Phase 3: Containment
Short-term containment (stop the bleeding):
| Action | When to Use | Risk |
|---|---|---|
| Isolate affected systems from network | Active data exfiltration | Disrupts business operations |
| Disable compromised user accounts | Credential compromise confirmed | User cannot work until resolved |
| Block malicious IP addresses/domains | Known C2 communication | May block legitimate traffic |
| Revoke compromised API keys/tokens | API credential leaked | Integration disruption |
| Enable additional logging | Need more visibility | Performance impact (minimal) |
Long-term containment (while investigating):
| Action | Purpose |
|---|---|
| Apply temporary security patches | Close the exploited vulnerability |
| Increase monitoring on affected segments | Detect any continued malicious activity |
| Implement additional access controls | Prevent reuse of attack vector |
| Set up clean systems for critical operations | Maintain business continuity |
Containment decision matrix:
| Situation | Contain Aggressively | Contain Cautiously |
|---|---|---|
| Active data theft | Immediately isolate | -- |
| Ransomware spreading | Immediately isolate | -- |
| Compromised admin account | Disable immediately | -- |
| Suspicious but unconfirmed | -- | Monitor first, then contain |
| Historical compromise (no active threat) | -- | Plan containment carefully |
Phase 4: Eradication
Remove the root cause of the incident.
Eradication checklist:
- Identify and remove all malware/backdoors
- Patch the vulnerability that was exploited
- Reset all compromised credentials (passwords, API keys, certificates)
- Review and harden configurations on affected systems
- Scan all systems for indicators of compromise (IoCs)
- Verify that attacker persistence mechanisms are removed
- Review logs to confirm no other systems were compromised
Phase 5: Recovery
Restore systems and operations to normal.
Recovery process:
- Verify eradication is complete (rescan, review logs)
- Restore systems from clean backups (if needed)
- Validate system integrity before returning to production
- Monitor recovered systems with heightened alerting for 30 days
- Gradually restore normal operations (critical systems first)
- Verify data integrity (compare to backups, check for modifications)
- Confirm business operations are functioning normally
Phase 6: Post-Incident Review
Conduct within 5 business days of incident closure.
Review agenda:
- Timeline reconstruction --- What happened, when, and in what sequence?
- Detection effectiveness --- How was the incident detected? Could it have been detected earlier?
- Response effectiveness --- What went well? What did not?
- Root cause analysis --- What was the underlying cause? (Not just the technical vulnerability, but the process/policy gap)
- Lessons learned --- What will we change as a result?
- Action items --- Specific improvements with owners and deadlines
Part 4: Communication Templates
Internal Communication (Employee Notification)
Subject: Security Incident Update - [Date]
Team,
We have identified a security incident affecting [brief description].
What we know:
- [Factual summary of the situation]
- [Systems/data potentially affected]
What we are doing:
- [Response actions taken]
- [Timeline for resolution]
What you should do:
- [Specific employee actions, e.g., change passwords]
- [Who to contact with questions]
We will provide updates every [frequency].
[Incident Commander Name]
Customer Notification (if required)
Subject: Important Security Notice from [Company]
Dear [Customer],
We are writing to inform you of a security incident that may have affected your data. We take the security of your information seriously and want to be transparent about what occurred.
What happened: [Brief, factual description]
When: [Date range of the incident]
What information was involved: [Specific data types]
What we have done: [Response and remediation actions]
What you can do: [Recommended customer actions]
For questions, contact our dedicated response team at [contact info].
[Executive Name and Title]
Part 5: Testing the Plan
Tabletop Exercise Template
Scenario: "An employee clicks a link in a phishing email. Two hours later, the security team detects encrypted traffic to an unknown external IP from the employee's workstation."
Discussion questions at each phase:
- Who is notified first? How?
- What severity is this classified as?
- What containment actions do we take immediately?
- What evidence do we preserve?
- Who communicates to the broader organization?
- When do we involve legal counsel?
- Does this trigger regulatory notification?
Conduct tabletop exercises quarterly and full simulation exercises annually.
Related Resources
- Breach Notification and Incident Response --- Regulatory notification requirements
- Zero Trust Implementation Guide --- Preventing incidents
- Security Awareness Training --- Reducing human-caused incidents
- Penetration Testing Guide --- Finding vulnerabilities before attackers
An incident response plan is your organization's insurance policy against the inevitable. When a breach occurs, the difference between a controlled response and chaos is preparation. Contact ECOSIRE for incident response planning and security assessment services.
Written by ECOSIRE Team (Technical Writing)