
Creating an Incident Response Plan

By Kordia, 14 June 2018

In any crisis, having a plan in place that addresses the ‘who, what, when, where, and why’ is essential, particularly in the event of a security breach.


If your business falls victim to a cyber-attack, how you respond, and how quickly, makes a huge difference to how much disruption to services, and how much damage to business reputation, assets and client information, you end up with.

For many businesses, creating an incident response plan can seem like a daunting task, but according to Barry Brailey, Principal Virtual Security Officer (VSO) at Aura Information Security, getting a plan in place might not be as difficult as you think. Below he provides an insider take on what the process involves and what your business should expect to get out of it.

1. Cyber Readiness Workshop

The first thing your Virtual Security Officer (VSO) will do is set up a time for a workshop. The key objective of this session is to assess the readiness and response capability that already exists within your business, and to help you identify who needs to be involved in incident response and what their role will be.

Workshop attendees should include your CEO, your CISO, any managers of teams that may be involved in a response (such as your customer service team, as they will be on the frontline liaising with customers), your head of communications and, of course, representatives from your IT department.

To get the most out of a cyber incident readiness workshop, it is important that your VSO facilitates the discussion and asks the questions. They bring valuable experience with them, as well as an objective point of view.

What should the workshop cover?

Key questions your VSO might cover off during the workshop include:

  • Do you have an incident response plan in place already?
  • Have you had to activate your cyber incident response plan before? If yes, how effective was it, and were there any specific pain points or areas for improvement?
  • What is a ‘worst case scenario’ for your business?
  • What is your contingency plan should a breach occur? Who would you need to notify (e.g. customers, stakeholders, partners, third party suppliers), who would notify them, and how would they do so?

2. Playbook Development

Once the workshop is complete, your VSO will start planning what your incident response plan will look like. At this stage, businesses should also consider creating separate ‘playbooks’, or cyber incident response guides. Each playbook covers a proposed scenario (a likely incident) and should clearly state which divisions or individuals form the key components of the response. There are two types of playbook:

General threat playbooks: Designed to address common types of threat, for example ransomware and DDoS attacks, and clearly outline who is responsible for each action, how it should be carried out and when.

‘Worst case scenario’ playbooks: Having a worst case scenario playbook is important because unless you have defined what a worst case scenario looks like for your business, you will not recognise it while it is playing out in front of you. This playbook should be very detailed, with proposed scripts, media statements, customer advisories and more, so that the response team is not drafting these under pressure.

3. Simulation Exercises

The only way to truly know whether your incident response plan and playbooks work is to exercise them. By running tabletop simulation exercises, your business can check whether there are gaps in the plan and whether everyone knows what they should be doing, and ultimately assess how quickly your business is able to respond to a cyber-attack.

Things you might also like to test at this point include:

  • How quickly could you get everyone dialled into an emergency response meeting after a ‘code red’ text or email is sent to your response team?
  • Alternative means of communication: you may not be able to rely on your corporate VoIP system, email or instant messaging, because those systems may be unavailable during an outage or, in the case of a breach, may themselves be compromised and visible to the attacker.

4. Ongoing Review

Because both your business and the threats it faces are constantly evolving, regular review and testing of incident response should become part of your business’ security policy. Depending on the nature of your business, your VSO can advise which timeframes you should work to, although the general advice is to review the plan at least annually, and after any real incident in which it was activated.