eastbaycyber

How do I write an incident response plan?

FAQs 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

Write an incident response plan that explains who does what, when, and how during a security event. At minimum, it should cover roles, severity levels, escalation, communications, containment, evidence handling, recovery, and post-incident review. Then test it regularly.

If you need to know how to write an incident response plan, start by treating it as an operational guide, not a compliance document. A good incident response plan defines what counts as an incident, who is in charge, how escalation works, how evidence is preserved, how systems are contained and restored, and how the organization communicates under pressure.

The best plans are practical, short enough to use during a real event, and supported by more detailed playbooks for specific scenarios.

What an incident response plan is for

An incident response plan exists to reduce confusion during a security event. It should help your team answer five questions quickly:

  1. What counts as an incident?
  2. Who owns the response?
  3. How do we escalate and communicate?
  4. How do we contain, investigate, and recover?
  5. How do we document the event and improve afterward?

If the document cannot answer those questions during a stressful situation, it is not ready.

What to include in an incident response plan

Purpose and scope

Start by defining the purpose of the plan and what it covers.

Include:

  • Business units in scope
  • Systems, endpoints, cloud environments, and SaaS tools in scope
  • Third parties or service providers involved
  • Types of incidents covered
  • Definitions for terms like event, incident, and breach

Be clear about whether the plan covers ransomware, phishing, cloud account takeover, insider misuse, lost devices, denial of service, and third-party incidents.

Roles and responsibilities

This is one of the most important sections. During an incident, unclear ownership causes delay.

Common roles include:

  • Incident commander
  • Security operations or incident response lead
  • IT operations lead
  • Cloud or infrastructure owner
  • Legal counsel
  • Privacy or compliance lead
  • HR
  • Communications or PR
  • Executive sponsor
  • Outside responders, forensic firms, or MSSPs

For each role, document:

  • Primary responsibilities
  • Backup contacts
  • Approval authority
  • Escalation authority
  • Availability expectations

If nobody knows who can isolate a system, reset credentials, approve downtime, or notify outside counsel, your plan has a serious gap.

Incident classification and severity

Use a simple severity model so people know when to escalate.

A basic example:

  • Severity 1: Major outage, ransomware, confirmed data exfiltration, widespread compromise
  • Severity 2: Confirmed compromise with limited scope
  • Severity 3: Suspicious activity requiring investigation
  • Severity 4: Low-risk event or likely false positive

For each severity, define:

  • Required responders
  • Escalation path
  • Notification timeline
  • Decision thresholds
  • Executive involvement level

Consistency matters more than complexity.

Detection and triage

Document how a security signal becomes an incident.

Cover:

  • Alert sources such as SIEM, EDR, help desk, user reports, vendors, or law enforcement
  • Initial triage criteria
  • Who validates an incident
  • How cases are opened and tracked
  • What evidence is needed before escalation
  • When to involve legal, management, or external responders

Keep this simple. Overly detailed triage rules often fail in real situations.

Containment procedures

Containment is where the plan becomes operational.

Your plan should explain:

  • Which actions are pre-approved
  • Which actions require leadership approval
  • Who can isolate hosts, disable accounts, block domains, or segment networks
  • How to handle business-critical systems where downtime is sensitive
  • How to preserve evidence while containing damage

Common containment actions include:

  • Isolating endpoints
  • Disabling user or admin accounts
  • Revoking sessions and tokens
  • Blocking IPs, domains, or hashes
  • Disabling integrations
  • Taking systems offline
  • Restricting network access
  • Rotating keys or credentials

Containment decisions should balance speed with evidence preservation and business continuity.

Evidence preservation and documentation

Every response should create a usable record.

Document:

  • What logs and system data to preserve
  • How screenshots, notes, and timelines are captured
  • Who can access evidence
  • Where evidence is stored
  • Chain-of-custody expectations if legal review is possible
  • How volatile data is handled when relevant

Even small teams should maintain a central case record with timestamps, decisions, actions, and owners.

Communications

Many incidents get worse because communication is improvised.

Your plan should include:

  • Internal notification paths
  • Executive briefing procedures
  • Legal review requirements
  • Customer, partner, or vendor communication triggers
  • Media response ownership
  • Regulator or insurer contact steps
  • Backup channels if email or collaboration tools are affected

If your normal communication tools may be compromised, define alternatives in advance.

Eradication and recovery

Containment is not the end. Recovery needs structure too.

Your plan should address:

  • Root cause analysis
  • Malware removal or rebuild decisions
  • Credential resets
  • Vulnerability remediation
  • Validation before systems return to production
  • Recovery priorities by business criticality
  • Increased monitoring after restoration

Restoring systems without validation can lead to reinfection or repeated compromise.

Post-incident review

A good incident response process improves over time.

Document how you will conduct a review after the event, including:

  • What happened
  • What worked well
  • What failed
  • Which controls were missing or ineffective
  • Which decisions caused delay
  • What changes are needed
  • Who owns remediation and deadlines

This is how your program gets better instead of repeating the same mistakes.

Use playbooks to support the plan

A strong incident response plan should stay high level. It is the command structure, not the full tactical manual.

Detailed steps should live in supporting playbooks for incidents such as:

  • Ransomware
  • Business email compromise
  • Cloud account takeover
  • Lost or stolen device
  • Web application compromise
  • Insider threat
  • Third-party breach

For example, your plan may say who declares an incident and how escalation works, while a ransomware playbook explains exactly how to isolate endpoints, protect backups, and decide on rebuild priorities.

For related guidance, see What should be in an incident response playbook? and How to run a cybersecurity tabletop exercise.

A simple incident response plan structure

A practical outline often looks like this:

  1. Purpose
  2. Scope
  3. Definitions
  4. Roles and responsibilities
  5. Incident severity model
  6. Detection and triage workflow
  7. Containment guidance
  8. Evidence handling
  9. Communication and escalation
  10. Eradication and recovery
  11. Post-incident review
  12. Contact list and supporting references

That structure is usually enough for a usable first version.

Practical writing tips

Write for stressed readers

Use clear language, short sections, and checklists where possible. Avoid abstract phrases like “respond appropriately.”

Keep critical contact details current

List primary and backup contacts, including after-hours methods where needed.

Store the plan where it can still be accessed

Do not keep the only copy inside a system that may be unavailable during the incident.

Make sure reporting steps and evidence handling match legal, regulatory, contractual, and cyber insurance requirements.

Protect emergency accounts and credentials

Response sometimes depends on privileged access during an outage. If you need a secure way to store emergency credentials, Try 1Password → can be useful for small teams managing incident access, recovery notes, and credential rotation.

Test the plan

A plan that has never been tested is only a draft. Run tabletop exercises, validate contact lists, and confirm that containment approvals work in practice.

Common mistakes to avoid

Making the plan too long

If the document is so long that nobody can use it during a crisis, it will fail when it matters.

Writing only for audit purposes

Compliance language is not enough. The plan must support real operational decisions.

Leaving authority unclear

People must know who can declare an incident, approve downtime, contact legal, and notify customers.

Ignoring non-security teams

Legal, HR, communications, finance, and executive leadership often need to be involved. Incident response is rarely only a SOC problem.

Assuming backups solve incident response

Backups help with recovery, but they do not replace triage, evidence preservation, communication, or escalation.

Common misconceptions

“An incident response plan is mainly for compliance.”

Compliance may require one, but the real purpose is operational readiness.

“Only large organizations need one.”

False. Small organizations often need a clear plan even more because they have fewer people and less room for improvisation.

“Our tools are our plan.”

Tools help detect and contain incidents. They do not define authority, communications, or decision-making.

“Once the plan is written, we are done.”

No. The plan needs review after staffing changes, architecture changes, mergers, major incidents, and exercises.

Bottom line

If you are learning how to write an incident response plan, focus on usability. Define scope, roles, severity, containment, evidence handling, communication, recovery, and review. Keep it practical, keep it current, and support it with playbooks for common scenarios.

A good incident response plan does not predict every event. It gives your team a repeatable structure so they can act quickly, preserve evidence, reduce damage, and recover with less chaos.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.