01) Does your organisation have a documented Incident Response Plan?
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 3, 2020

Answer yes if your organisation has a documented Incident Response Plan that has been reviewed in the last year. Please provide the Incident Response Plan (as a PDF file) as evidence.

An Incident Response Plan (IRP) is a crucial document that outlines the operational steps that must be taken when an IT incident occurs. The plan can be invoked for both security and non-security incidents and should be an organic and operational document used to restore service and co-ordinate an effective response.

The IRP is a set of instructions to help IT staff detect, respond to, and recover from network security incidents, such as cybercrime, data loss, and service outages. Having a documented IRP with which your key resources are familiar will enable your business to respond to an incident quickly, helping to minimise losses, mitigate exploited vulnerabilities, restore services and processes and reduce the risks that future incidents pose.

It is important to keep a hard copy (print-off) of your incident response plan in an accessible location for staff to follow, because during an incident your company’s communication channels may not be operating (e.g. emails, your intranet, or connectivity to the internet might not be working).

For larger organisations, best practice is to model your incident response plan after a gold-silver-bronze command structure. This allows your response to incidents to be flexible yet effective, and splits the strategic, tactical, and operational responsibilities accordingly.

How to implement the control:

To implement this control you will need to design and document an incident response plan. The plan will need to be tailored to your organisation's particular process for identifying, responding to, and resolving incidents. It can be helpful to have a security consultancy support you in designing, implementing, and testing your incident response plan.

Various IRP templates can be found online. Whichever template you choose, it is important that you tailor it to your specific requirements and process. This will require input from your technical resources, and the plan should be thoroughly tested to ensure its effectiveness.
