Incident Response Plan (IRP) Template
A complete, step-by-step incident response playbook template to help organizations identify, contain, investigate, and recover from cybersecurity incidents.
Implementation Guide
An Incident Response Plan (IRP) is a critical document for compliance audits, cybersecurity insurance approvals, and operational resilience. When a breach occurs, having a pre-delegated chain of command and containment checklist prevents panic and reduces downtime.
Who is this for?
This template is designed for IT managers, operations directors, and compliance officers who need to establish a basic, framework-aligned incident response capability for a mid-market organization.
How to use this template:
- Review the roles and input specific titles or names for the Incident Commander and Technical Lead.
- Customize the escalation phone numbers and notification lists.
- Review containment guidelines with your IT staff to ensure they understand how to preserve forensic evidence (e.g. not powering down ransomware-infected systems before volatile memory has been captured).
- Store copies of the finalized document both digitally and physically in case of network outages.
Template Preview
# INCIDENT RESPONSE PLAN
**Document Reference:** [Company Name] - IRP-01
**Version:** 1.0
**Effective Date:** [Date]
**Review Cycle:** Annual
---
## 1. OBJECTIVE & SCOPE
This Incident Response Plan (IRP) establishes a structured framework to detect, contain, investigate, and recover from cybersecurity incidents.
This plan applies to all information systems, networks, physical locations, and personnel (including employees, contractors, and third-party partners) associated with **[Company Name]**.
---
## 2. INCIDENT RESPONSE TEAM (IRT) ROLES
In the event of a suspected or active security incident, the Incident Response Team (IRT) is activated. The following roles define key responsibilities:
| Role | Responsibility | Primary Contact | Secondary Contact |
| :--- | :--- | :--- | :--- |
| **Incident Commander** | Coordinates the response, authorizes containment, and leads daily briefings. | [Name/Title] | [Name/Title] |
| **Technical Lead** | Directs forensic collection, log analysis, containment, and system recovery. | [Name/Title] | [Name/Title] |
| **Legal Counsel** | Advises on regulatory disclosure, data breach notification, and liability risk. | [Name/Title] | [Name/Title] |
| **Communications Lead** | Manages internal and external communications, media statements, and alerts. | [Name/Title] | [Name/Title] |
| **Executive Sponsor** | Authorizes critical business decisions (e.g. system shutdowns, insurance claims). | [Name/Title] | [Name/Title] |
---
## 3. INCIDENT CLASSIFICATION LEVELS
Security incidents are categorized to determine the level of response and escalation required:
* **Low (Level 3):** Isolated events with minimal operational or security impact (e.g., single adware infection, minor policy violation).
  * *Response:* Handled by standard IT support tickets during business hours.
* **Medium (Level 2):** Incidents affecting multiple systems or sensitive data but already contained (e.g., suspected phishing campaign, unauthorized logins, lost laptop).
  * *Response:* Triggers IRT notification and technical investigation.
* **High (Level 1):** Critical events causing active operational disruption or large-scale data exposure (e.g., active ransomware, suspected database exfiltration, full-scale DDoS).
  * *Response:* Immediate emergency activation of the full IRT and external advisory contacts.
---
## 4. INCIDENT RESPONSE LIFECYCLE
### Step 1: Identification & Escalation
1. **Reporting:** Any employee or automated alert detecting suspicious activity reports it to **[Notification Email/Hotline]**.
2. **Triage:** Technical staff review log sources to verify the alert is a true incident.
3. **Escalation:** If verified, the Technical Lead notifies the Incident Commander to classify the event and activate the IRT.
### Step 2: Containment
1. **Network Isolation:** Disconnect compromised devices from the local network and Wi-Fi. Do **not** power down devices if active malware/ransomware is suspected, as volatile memory (RAM) must be preserved for capture.
2. **Access Control:** Revoke compromised user credentials and block malicious IP addresses at the firewall.
3. **Evidence Preservation:** Document all containment actions with exact timestamps. Ensure no logs or files are deleted.
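One way to meet the evidence-preservation requirement above in practice, as an added example rather than part of the template: each containment action is recorded with a UTC timestamp and chained to the previous entry's SHA-256 hash, so a later edit or deletion of an entry is detectable when the log is handed to investigators. The `ContainmentLog` class, its field names and the sample actions are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class ContainmentLog:
    """Append-only record of containment actions (assumed structure).

    Every entry carries a UTC timestamp and the hash of the entry before it,
    so any modification or removal of an earlier entry breaks the chain.
    """

    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "target": target,
            "prev_hash": prev,
        }
        # Hash the canonical JSON of the entry (which includes prev_hash).
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return the seq of the first bad entry, 0 if intact.

        Note: truncation of the *last* entries is not detectable from the log
        alone, so the latest hash should also be noted in the IC's briefing.
        """
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return e["seq"]
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return 0


def demo():
    """Constructed scenario: two actions logged, then entry 1 is tampered with."""
    log = ContainmentLog()
    t0 = datetime(2024, 5, 1, 14, 2, 0, tzinfo=timezone.utc)  # constructed time
    log.record("tech-lead", "network-isolate", "WS-0142", t0)
    log.record("tech-lead", "revoke-credentials", "jdoe", t0)
    intact = log.verify()                  # 0: chain is intact
    log.entries[0]["action"] = "reboot"    # after-the-fact edit
    return intact, log.verify()            # (0, 1): entry 1 now fails
```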
### Step 3: Investigation (Forensics)
1. **Forensic Imaging:** Certified examiners make bit-stream clones of the affected drives using write-blockers.
2. **Log Audit:** Analyze system and setup logs, Windows SetupAPI device-installation histories, VPN login records, and cloud audit records to determine the root cause and build a timeline.
3. **Scope Analysis:** Identify what data was accessed, modified, or exfiltrated.
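An added illustration of the log-audit and scope-analysis steps (not part of the template): VPN login lines and cloud audit records for a suspected compromised account are merged into one UTC-ordered timeline, from which the first login of the account and the sensitive resources it touched are read off. The log formats, the `vpn-gw1` host, the account names and the `s3://hr-records/` data set are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample records; both formats are assumptions for this example.
VPN_LOG = """\
2024-05-01T13:41:07Z vpn-gw1 login user=jdoe src=203.0.113.45 result=success
2024-05-01T13:44:52Z vpn-gw1 login user=jdoe src=203.0.113.45 result=success
2024-05-01T09:02:11Z vpn-gw1 login user=asmith src=198.51.100.7 result=success
"""
CLOUD_AUDIT = [
    {"time": "2024-05-01T13:58:30Z", "user": "jdoe", "event": "GetObject",
     "resource": "s3://hr-records/payroll-2024.csv"},
    {"time": "2024-05-01T14:01:05Z", "user": "jdoe", "event": "GetObject",
     "resource": "s3://hr-records/ssn-export.csv"},
    {"time": "2024-05-01T10:15:00Z", "user": "asmith", "event": "ListBuckets",
     "resource": "-"},
]

VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(vpn_text, cloud_events):
    """Merge both sources into (time, source, user, detail) tuples sorted by time."""
    events = []
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:  # skip lines that do not match the expected login format
            events.append((parse_ts(m["ts"]), "vpn", m["user"],
                           f"login from {m['src']} ({m['result']})"))
    for ev in cloud_events:
        events.append((parse_ts(ev["time"]), "cloud", ev["user"],
                       f"{ev['event']} {ev['resource']}"))
    return sorted(events)


def scope_for_user(timeline, user, data_prefix):
    """Return (first VPN login time, resources under data_prefix the user touched)."""
    first_login = next((t for t, src, u, _ in timeline if src == "vpn" and u == user), None)
    touched = [d.split(" ", 1)[1] for _, src, u, d in timeline
               if src == "cloud" and u == user and d.split(" ", 1)[1].startswith(data_prefix)]
    return first_login, touched
```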
### Step 4: Eradication & Recovery
1. **Malware Removal:** Wipe affected drives and reinstall operating systems from clean gold images.
2. **Credential Reset:** Force password resets and require re-enrollment of MFA factors for all affected users.
3. **Restoration:** Methodically restore systems from offline, verified backups. Monitor network traffic for residual threat activity.
### Step 5: Post-Incident Review (Lessons Learned)
Within 10 business days of incident closure, the IRT holds a debriefing meeting:
* What went well, and what failed in the response?
* What vulnerabilities were exploited, and what controls must be implemented to prevent recurrence?
* Update the IRP documentation based on lessons learned.
---
## 5. EXTERNAL EMERGENCY CONTACTS
In a Level 1 (High) incident, coordinate with these external providers immediately:
* **Cyber Insurance Carrier:** [Provider Name / Policy # / Phone]
* **External Forensics / IR Firm:** [Provider Name / 24/7 Hotline]
* **Regulatory Authorities:** [Relevant State/Federal Agencies]
* **Law Enforcement (FBI Cyber Division):** [Local Office Contact]