Incident Response Plan Template: Prepare, Detect, Respond, Recover

Build an incident response plan with our complete template covering preparation, detection, containment, eradication, recovery, and post-incident review.

ECOSIRE Research and Development Team
16 March 2026 | 8 min read | 1.7k words



IBM's Cost of a Data Breach Report reveals that organizations with incident response plans and teams reduce breach costs by an average of $2.66 million and identify breaches 54 days faster than those without. Yet 77 percent of organizations do not have a consistently applied incident response plan.

An incident response (IR) plan is not a document that sits on a shelf. It is a playbook that your team knows, has practiced, and can execute under pressure. This guide provides a complete, customizable IR plan template following the NIST framework.


Part 1: Plan Overview

Purpose

This Incident Response Plan establishes procedures for detecting, responding to, containing, and recovering from cybersecurity incidents. It ensures a coordinated, efficient response that minimizes damage and recovery time.

Scope

This plan covers all information systems, networks, data, and users within the organization, including:

  • On-premise and cloud infrastructure
  • Employee and contractor devices
  • Third-party systems processing organizational data
  • Physical security incidents affecting IT assets

Incident Classification

Severity | Definition | Examples | Response Time
Critical (P1) | Active data breach, ransomware, system-wide outage | Data exfiltration, encryption of systems, DDoS | Immediate (within 15 minutes)
High (P2) | Confirmed compromise, significant disruption | Compromised admin account, malware spread, targeted attack | Within 1 hour
Medium (P3) | Suspicious activity, limited impact | Phishing attempt, unauthorized access attempt, policy violation | Within 4 hours
Low (P4) | Minor security event, no immediate threat | Failed login attempts, policy warnings, scan activity | Within 24 hours

Part 2: Roles and Responsibilities

Incident Response Team

Role | Responsibility | Primary Contact | Backup Contact
Incident Commander | Overall coordination, decision authority | [Name, Phone, Email] | [Name, Phone, Email]
Technical Lead | Technical investigation and containment | [Name, Phone, Email] | [Name, Phone, Email]
Communications Lead | Internal and external communications | [Name, Phone, Email] | [Name, Phone, Email]
Legal Counsel | Regulatory obligations, legal guidance | [Name, Phone, Email] | [Name, Phone, Email]
Business Liaison | Business impact assessment, stakeholder updates | [Name, Phone, Email] | [Name, Phone, Email]
Executive Sponsor | Escalation authority, resource allocation | [Name, Phone, Email] | [Name, Phone, Email]

RACI Matrix

Activity | Commander | Tech Lead | Comms | Legal | Business | Executive
Initial triage | A | R | I | I | I | I
Containment decisions | A | R | I | C | C | I
Technical investigation | I | A/R | I | I | I | I
Internal communication | I | C | A/R | C | R | I
External communication | A | C | R | R | C | A
Recovery decisions | A | R | I | C | R | A
Post-incident review | A | R | R | R | R | I

R = Responsible, A = Accountable, C = Consulted, I = Informed


Part 3: The Six Phases of Incident Response

Phase 1: Preparation

Preparation happens before any incident occurs.

Technical preparation:

  • Security monitoring tools deployed and configured (SIEM, EDR, IDS/IPS)
  • Log collection from all critical systems centralized
  • Backup systems tested (restore verified within the last 30 days)
  • Network diagrams current and accessible offline
  • Asset inventory current (all systems, applications, data stores)
  • Forensic toolkit assembled (imaging tools, write blockers, chain of custody forms)

Organizational preparation:

  • IR team members identified and trained
  • Contact list current (including after-hours and weekend numbers)
  • Communication templates drafted (customer, regulator, media, employee)
  • Legal obligations documented (notification requirements by jurisdiction)
  • Tabletop exercise conducted within the last 6 months
  • Third-party IR retainer in place (forensics firm, legal firm)
  • Cyber insurance policy reviewed and current

Phase 2: Detection and Analysis

Detection sources:

Source | Type of Alert | Priority
SIEM | Correlated events, anomaly detection | High
EDR | Malware detection, suspicious behavior | High
User report | Phishing, suspicious email, unusual behavior | Medium
Third-party notification | Vendor, partner, or researcher reports compromise | High
Dark web monitoring | Credentials or data found on dark web | High
Automated scanning | Vulnerability discovered, misconfiguration | Medium

Initial triage questions:

  1. What happened? (What was detected, by whom, when?)
  2. What systems are affected? (Scope assessment)
  3. Is the incident still active? (Ongoing vs. historical)
  4. What data may be at risk? (Classification level)
  5. What is the business impact? (Operational disruption)
  6. Does this trigger any regulatory notification requirements?

Documentation from the first minute:

Incident ID: INC-[YEAR]-[SEQUENTIAL]
Date/Time Detected: [YYYY-MM-DD HH:MM UTC]
Detected By: [Person/System]
Detection Method: [Alert/Report/Discovery]
Initial Classification: [P1/P2/P3/P4]
Affected Systems: [List]
Initial Description: [What is known]
Assigned To: [Incident Commander]
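The first-minute record above is easy to get wrong under pressure (local timestamps, a missing classification, an id that collides). The following is an added example, not part of the ECOSIRE template: a small Python helper that builds that record with the INC-[YEAR]-[SEQUENTIAL] id format, parses the "YYYY-MM-DD HH:MM UTC" field, and derives the first-response deadline from the severity table in Part 1. The `IncidentRecord` class, the `open_incident` function and the in-memory sequence counter are assumptions for this example, not an API from the page.

```python
# Added example (not from the ECOSIRE template): open a first-minute incident
# record and compute the response deadline from the P1..P4 targets.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Response-time targets from the severity table in Part 1 of the plan.
RESPONSE_TARGET: Dict[str, timedelta] = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=4),
    "P4": timedelta(hours=24),
}

# Detection methods named in the documentation block.
DETECTION_METHODS = {"Alert", "Report", "Discovery"}

# In-memory sequence counter per year. Assumption: a real deployment keeps this
# in the ticketing system so ids stay unique across restarts.
_sequence_by_year: Dict[int, int] = {}


def parse_detected_at(value: str) -> datetime:
    """Parse the plan's 'YYYY-MM-DD HH:MM UTC' field into a UTC-aware datetime."""
    if not value.endswith(" UTC"):
        raise ValueError("Date/Time Detected must be recorded in UTC")
    naive = datetime.strptime(value[: -len(" UTC")], "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=timezone.utc)


def next_incident_id(detected_at: datetime) -> str:
    """Return the next INC-<year>-<sequential> id for the year of detection."""
    year = detected_at.year
    _sequence_by_year[year] = _sequence_by_year.get(year, 0) + 1
    return f"INC-{year}-{_sequence_by_year[year]:04d}"


@dataclass
class IncidentRecord:
    incident_id: str
    detected_at: datetime          # timezone-aware, UTC
    detected_by: str               # person or system
    detection_method: str          # Alert / Report / Discovery
    classification: str            # P1..P4
    affected_systems: List[str]
    description: str
    assigned_to: str               # Incident Commander

    def response_deadline(self) -> datetime:
        """Time by which the IR team must have started responding."""
        return self.detected_at + RESPONSE_TARGET[self.classification]

    def response_overdue(self, now: datetime, acknowledged: bool) -> bool:
        """True when nobody has acknowledged the incident and the target has passed."""
        return (not acknowledged) and now > self.response_deadline()


def open_incident(detected_at: str, detected_by: str, detection_method: str,
                  classification: str, affected_systems: List[str],
                  description: str, assigned_to: str) -> IncidentRecord:
    """Validate the fields the plan requires from the first minute and build the record."""
    when = parse_detected_at(detected_at)
    if classification not in RESPONSE_TARGET:
        raise ValueError(f"classification must be one of {sorted(RESPONSE_TARGET)}")
    if detection_method not in DETECTION_METHODS:
        raise ValueError(f"detection method must be one of {sorted(DETECTION_METHODS)}")
    if not affected_systems:
        raise ValueError("record at least one affected system (use 'unknown' if unclear)")
    return IncidentRecord(
        incident_id=next_incident_id(when),
        detected_at=when,
        detected_by=detected_by,
        detection_method=detection_method,
        classification=classification,
        affected_systems=list(affected_systems),
        description=description,
        assigned_to=assigned_to,
    )


if __name__ == "__main__":
    # Constructed sample: an EDR alert on a workstation at 10:00 UTC.
    rec = open_incident("2026-03-16 10:00 UTC", "EDR", "Alert", "P1",
                        ["ws-042"], "Ransom note dropped on workstation", "J. Doe")
    print(rec.incident_id, "respond by", rec.response_deadline().isoformat())
```

Rejecting a timestamp without the "UTC" suffix is deliberate: the single most common timeline error in post-incident reviews is mixing local and UTC times across teams, and the plan's documentation block fixes UTC as the standard.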

Phase 3: Containment

Short-term containment (stop the bleeding):

Action | When to Use | Risk
Isolate affected systems from network | Active data exfiltration | Disrupts business operations
Disable compromised user accounts | Credential compromise confirmed | User cannot work until resolved
Block malicious IP addresses/domains | Known C2 communication | May block legitimate traffic
Revoke compromised API keys/tokens | API credential leaked | Integration disruption
Enable additional logging | Need more visibility | Performance impact (minimal)

Long-term containment (while investigating):

Action | Purpose
Apply temporary security patches | Close the exploited vulnerability
Increase monitoring on affected segments | Detect any continued malicious activity
Implement additional access controls | Prevent reuse of attack vector
Set up clean systems for critical operations | Maintain business continuity

Containment decision matrix:

Situation | Contain Aggressively | Contain Cautiously
Active data theft | Immediately isolate | --
Ransomware spreading | Immediately isolate | --
Compromised admin account | Disable immediately | --
Suspicious but unconfirmed | -- | Monitor first, then contain
Historical compromise (no active threat) | -- | Plan containment carefully

Phase 4: Eradication

Remove the root cause of the incident.

Eradication checklist:

  • Identify and remove all malware/backdoors
  • Patch the vulnerability that was exploited
  • Reset all compromised credentials (passwords, API keys, certificates)
  • Review and harden configurations on affected systems
  • Scan all systems for indicators of compromise (IoCs)
  • Verify that attacker persistence mechanisms are removed
  • Review logs to confirm no other systems were compromised
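Two items on the checklist, scanning for indicators of compromise and reviewing logs for other affected systems, are the same job done over the centralized log collection from Phase 1. The block below is an added example and not code from the ECOSIRE template: it extracts IPs, domains and SHA-256 hashes from log lines, matches them against an IoC list, and reports which hosts touched each indicator. The log format (`host=` field, proxy and EDR lines), the host names, and the indicator values (an RFC 5737 test address, a reserved example domain and a placeholder hash) are all constructed for the demonstration.

```python
# Added example (not from the ECOSIRE template): match centralized log lines
# against a list of IoCs and list the hosts that touched each indicator.
import re
from collections import defaultdict
from typing import Dict, List, Set

# IoCs established during the investigation. Constructed values: RFC 5737
# test address, reserved example domain, placeholder hash.
IOCS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"deadbeef" * 8},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")  # assumed log field naming the reporting host


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Pull every IP, domain and SHA-256 from a log line, normalised to lower case."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def scan_log(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[dict]:
    """Return one finding per (line, indicator) hit, tagged with the reporting host."""
    findings = []
    for number, line in enumerate(lines, start=1):
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "unknown"
        for kind, seen in extract_indicators(line).items():
            for value in sorted(seen & iocs.get(kind, set())):
                findings.append({"line": number, "host": host, "type": kind, "value": value})
    return findings


def hosts_by_indicator(findings: List[dict]) -> Dict[str, List[str]]:
    """Map each matched indicator to the sorted hosts that touched it.

    Any host that appears here beyond the originally reported one widens the
    incident scope and must be added to Affected Systems.
    """
    hosts = defaultdict(set)
    for finding in findings:
        hosts[finding["value"]].add(finding["host"])
    return {value: sorted(names) for value, names in hosts.items()}


# Constructed sample: proxy and EDR lines around the incident on ws-042.
LOG_LINES = [
    "2026-03-16T09:58:03Z host=ws-042 proxy dst=203.0.113.45 domain=update-check.example.net bytes=18342",
    "2026-03-16T09:59:10Z host=ws-042 edr file=C:\\Users\\j.doe\\AppData\\Local\\Temp\\svc.exe sha256=" + "deadbeef" * 8,
    "2026-03-16T10:01:44Z host=srv-db-01 proxy dst=198.51.100.7 domain=cdn.example.org bytes=512",
    "2026-03-16T10:03:00Z host=ws-107 proxy dst=203.0.113.45 domain=update-check.example.net bytes=2211",
]

if __name__ == "__main__":
    for value, hosts in hosts_by_indicator(scan_log(LOG_LINES)).items():
        print(f"{value}: {', '.join(hosts)}")
```

On the sample lines the scan shows that ws-107, which was never reported, contacted the same C2 address and domain as the original workstation; that is exactly the "no other systems were compromised" check the last checklist item asks for, and it should feed back into the Affected Systems field of the incident record rather than stay in a scan report.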

Phase 5: Recovery

Restore systems and operations to normal.

Recovery process:

  1. Verify eradication is complete (rescan, review logs)
  2. Restore systems from clean backups (if needed)
  3. Validate system integrity before returning to production
  4. Monitor recovered systems with heightened alerting for 30 days
  5. Gradually restore normal operations (critical systems first)
  6. Verify data integrity (compare to backups, check for modifications)
  7. Confirm business operations are functioning normally
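Steps 3 and 6 both come down to comparing the recovered system against a known-good reference. The following is an added example, not part of the ECOSIRE template: it builds a SHA-256 manifest of a file tree, saves it as JSON, and diffs a later manifest against it to report modified, missing and added files, with a pass/fail verdict for the return-to-production gate. The directory layout and file contents in `demo()` are constructed for the demonstration; in practice the baseline is taken from the pre-incident backup or the golden image and stored off the host being verified.

```python
# Added example (not from the ECOSIRE template): verify a recovered system's
# files against a baseline manifest before returning it to production.
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the baseline and the recovered state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


def integrity_ok(diff: Dict[str, List[str]]) -> bool:
    """Return-to-production gate: any unexplained difference fails the check."""
    return not any(diff.values())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a tiny tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as store:
        root = Path(host)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed placeholder binary")

        # Baseline is kept off-host (here: a second temp dir standing in for it).
        baseline_file = Path(store) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulated post-incident state: config edited, binary gone, new file dropped.
        (root / "etc" / "app.conf").write_text("listen=443\nallow_from=203.0.113.0/24\n")
        (root / "bin" / "service").unlink()
        (root / "bin" / "helper").write_bytes(b"constructed unknown file")

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("integrity ok:", integrity_ok(result))
```

The verdict is intentionally strict: a file that legitimately changed during recovery (a patched binary from step 1 of eradication, for instance) should be explained and the baseline re-taken, not waved through, because an unexplained "added" entry is exactly how a surviving persistence mechanism looks.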

Phase 6: Post-Incident Review

Conduct within 5 business days of incident closure.

Review agenda:

  1. Timeline reconstruction --- What happened, when, and in what sequence?
  2. Detection effectiveness --- How was the incident detected? Could it have been detected earlier?
  3. Response effectiveness --- What went well? What did not?
  4. Root cause analysis --- What was the underlying cause? (Not just the technical vulnerability, but the process/policy gap)
  5. Lessons learned --- What will we change as a result?
  6. Action items --- Specific improvements with owners and deadlines

Part 4: Communication Templates

Internal Communication (Employee Notification)

Subject: Security Incident Update - [Date]

Team,

We have identified a security incident affecting [brief description].

What we know:
- [Factual summary of the situation]
- [Systems/data potentially affected]

What we are doing:
- [Response actions taken]
- [Timeline for resolution]

What you should do:
- [Specific employee actions, e.g., change passwords]
- [Who to contact with questions]

We will provide updates every [frequency].

[Incident Commander Name]

Customer Notification (if required)

Subject: Important Security Notice from [Company]

Dear [Customer],

We are writing to inform you of a security incident that may have
affected your data. We take the security of your information seriously
and want to be transparent about what occurred.

What happened: [Brief, factual description]
When: [Date range of the incident]
What information was involved: [Specific data types]
What we have done: [Response and remediation actions]
What you can do: [Recommended customer actions]

For questions, contact our dedicated response team at [contact info].

[Executive Name and Title]

Part 5: Testing the Plan

Tabletop Exercise Template

Scenario: "An employee clicks a link in a phishing email. Two hours later, the security team detects encrypted traffic to an unknown external IP from the employee's workstation."

Discussion questions at each phase:

  1. Who is notified first? How?
  2. What severity is this classified as?
  3. What containment actions do we take immediately?
  4. What evidence do we preserve?
  5. Who communicates to the broader organization?
  6. When do we involve legal counsel?
  7. Does this trigger regulatory notification?

Conduct tabletop exercises quarterly and full simulation exercises annually.



An incident response plan is your organization's insurance policy against the inevitable. When a breach occurs, the difference between a controlled response and chaos is preparation. Contact ECOSIRE for incident response planning and security assessment services.


Written by

ECOSIRE Research and Development Team

Builds enterprise-grade digital products at ECOSIRE. Shares insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.
