# Incident Response Plan

- **Company:** [Company Name]
- **Effective date:** [Date]
- **Plan owner:** [Owner / Role]

## Purpose & Scope

This plan describes how [Company Name] detects, responds to, and recovers from security incidents — events that threaten the confidentiality, integrity, or availability of our systems or data. The goal is a calm, consistent response that limits harm and helps us learn.

It covers all company systems, data, staff, and contractors, and applies to suspected as well as confirmed incidents. When in doubt, treat it as an incident and escalate.

## Roles

| Role | Who | Responsibility |
|------|-----|----------------|
| Incident Lead | [Owner / Role] | Runs the response, makes decisions, keeps the timeline. |
| Communications | [e.g., Head of Comms] | Manages internal updates and any external/customer messaging. |
| Technical | [e.g., on-call engineer] | Investigates, contains, and restores affected systems. |
| Executive sponsor | [e.g., CTO/CEO] | Approves major decisions (e.g., taking systems offline, notifications). |

One person may hold more than one role in a small team, but the Incident Lead should not also be deep in technical work — they coordinate.

## Severity Levels

| Level | Description | Examples | Response expectation |
|-------|-------------|----------|----------------------|
| SEV1 | Critical: major outage or confirmed breach of sensitive data. | Customer data exfiltrated; core service down; ransomware spreading. | Immediate response, all hands, exec sponsor engaged, continuous updates. |
| SEV2 | High: significant impact, contained or limited. | Single system compromised; partial outage; credential theft caught early. | Respond within [e.g., 1 hour]; dedicated team; regular updates. |
| SEV3 | Medium: limited impact, no confirmed data loss. | Malware on one laptop; suspicious login blocked by MFA. | Respond within [e.g., 1 business day]; handled by on-call. |
| SEV4 | Low: minor or informational. | Phishing email reported, no clicks; policy near-miss. | Log and address during normal work; review for patterns. |

Severity can change as you learn more — re-rate as needed.

## The Response Flow

1. **Detect** — Notice the event (alert, report, monitoring) and open an incident record with a timestamp and initial details.
2. **Triage** — Assign an Incident Lead, set a severity, and pull in the right people. Confirm whether it is real and what is affected.
3. **Contain** — Stop the spread: isolate systems, disable accounts, block addresses. Prefer containment that preserves evidence.
4. **Eradicate** — Remove the root cause: malware, unauthorized access, the exploited weakness.
5. **Recover** — Restore systems from clean sources, verify they are healthy, and monitor closely before declaring normal.
6. **Review** — Run a blameless post-incident review and capture follow-up actions (see below).

## Communication

**Internal:** Use a single agreed channel [e.g., a dedicated chat room] for live coordination and send periodic written updates to leadership. Keep one factual running timeline.

**External / customer:** The Communications role and exec sponsor decide what to say and when. Consider:

- Legal and regulatory notification duties (these vary by region and data type — confirm with counsel).
- What affected customers need to know to protect themselves.
- Consistent, honest messaging; do not speculate publicly before facts are confirmed.

## Evidence & Logging

- Preserve logs, snapshots, and affected media before wiping or rebuilding where practical.
- Record who did what and when, in a timeline that survives the incident.
- Limit access to evidence and store it securely; treat it as Confidential or higher.

## Post-Incident Review (Blameless)

Within [e.g., 5 business days] of closing the incident, hold a review focused on **systems and process, not blame**. Cover:

- What happened and the timeline.
- What worked and what slowed us down.
- Root cause(s).
- Concrete, owned, dated follow-up actions to prevent recurrence.

## Contacts

| Need | Name | Contact | Notes |
|------|------|---------|-------|
| Incident Lead | [Name] | [phone/email] | |
| Exec sponsor | [Name] | [phone/email] | |
| IT / hosting provider | [Name] | [phone/email] | |
| Legal / counsel | [Name] | [phone/email] | |
| Cyber insurance | [Name] | [phone/email] | Policy # [____] |

## Version History

| Version | Date | Author | Summary of changes |
|---------|------|--------|--------------------|
| 1.0 | [Date] | [Owner / Role] | Initial version. |
| | | | |

*Template by Cipherwire (cipherwire.biz). An original starting point, not legal advice — adapt it to your environment and have it reviewed before you rely on it.*
