How To Guide
How to Create Incident Response Plans
A plan means controlled recovery instead of costly chaos.
Overview
Essential for every business handling data.
Step 1: Preparation
Build capability.
1. Team
- Incident lead
- IT lead
- Communications
- Legal
- External contacts
2. Procedures
- Define incident severity levels
- Map procedures per level
- Include escalation contacts
- Store plan digitally AND printed
Step 2: Response
During an incident.
1. Detect
- Log how the incident was detected
- Record timeline
- Identify affected systems
- Assess severity
2. Contain
- Isolate affected systems
- Preserve evidence
- Identify attack vector
- Remove threats
Step 3: Recovery
Restore and learn.
1. Review
- Lessons learned within 2 weeks
- Update plan based on findings
- Address root causes
- Share findings without assigning blame
3. Communication Plans
- Pre-draft internal communication templates for different incident severity levels
- Define who communicates externally: Designate a single spokesperson
- Prepare customer notification templates that comply with GDPR requirements
- Establish communication channels that work even if email is compromised
- Create a contact tree: Who calls whom and in what order
- Include your cyber insurance provider's claims hotline in the plan
- Brief senior management on their role during a significant incident
4. Evidence Preservation
- Define what evidence to collect: Logs, disk images, memory dumps, network captures
- Document chain of custody procedures for digital evidence
- Never modify or access systems without documenting what you did and when
- Take photographs of physical evidence: Screens, devices, notes
- Preserve email headers and full message sources for phishing incidents
- Ensure logging is configured BEFORE an incident — you cannot collect logs retroactively
- Know when to involve law enforcement and how to report to Action Fraud
Warning:
If you suspect a criminal offence, preserve evidence carefully. Improper handling can make evidence inadmissible. Consult your legal team before wiping or rebuilding compromised systems.
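The chain-of-custody items above can be backed by a simple evidence manifest: hash each artefact at collection time, log who handled it and when, and re-hash later to prove nothing changed. This is an added example, not part of the original guide; the incident id, handler names and the sample log and dump contents are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_custody(manifest: dict, item: str, action: str, handler: str) -> None:
    """Append a timestamped custody entry: who did what to which item, and when."""
    manifest["custody_log"].append({"when": datetime.now(timezone.utc).isoformat(),
                                    "item": item, "action": action, "handler": handler})

def collect_evidence(incident_id: str, paths: list, handler: str) -> dict:
    """Record each artefact's origin, size and SHA-256 at the moment of collection."""
    manifest = {"incident_id": incident_id, "items": {}, "custody_log": []}
    for path in paths:
        manifest["items"][path.name] = {"source": str(path), "size": path.stat().st_size,
                                        "sha256": sha256_file(path)}
        log_custody(manifest, path.name, "collected", handler)
    return manifest

def verify_evidence(manifest: dict, store: Path, handler: str) -> dict:
    """Re-hash stored artefacts; anything missing or altered breaks the chain of custody."""
    results = {}
    for name, meta in manifest["items"].items():
        copy = store / name
        if not copy.exists():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(copy) == meta["sha256"] else "modified"
        log_custody(manifest, name, f"verified:{results[name]}", handler)
    return results

def demo() -> dict:
    """Constructed sample: two artefacts, one of which is edited after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / "auth.log").write_text("Jan 5 10:02:11 sshd[412]: Accepted publickey for svc\n")  # constructed
        (store / "memory.dmp").write_bytes(b"\x00" * 4096)  # constructed placeholder dump
        manifest = collect_evidence("IR-EXAMPLE-001", sorted(store.iterdir()), "analyst-a")
        (store / "auth.log").write_text("")  # the log is cleared after collection
        results = verify_evidence(manifest, store, "analyst-b")
        return {"results": results, "events": len(manifest["custody_log"])}
```

The manifest can be written out as JSON and stored alongside the evidence copies, so a later reviewer can repeat the verification independently.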
5. Regular Testing
- Conduct tabletop exercises at least twice per year
- Simulate different scenarios: Ransomware, data breach, insider threat, DDoS
- Include non-IT staff in exercises: Management, legal, HR, communications
- Time your response: How long does it take to detect, contain, and recover?
- Document gaps identified during each exercise
- Update the plan after every exercise and every real incident
- Compare your response times against industry benchmarks and your own SLAs
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.