Incident Response Plan Template

A comprehensive incident response plan template to help your organization effectively detect, respond to, and recover from security incidents. Minimize damage and reduce recovery time.

Incident Response Lifecycle

  • Preparation: Ongoing
  • Detection & Analysis: 0-4 hours
  • Containment: 2-8 hours
  • Eradication: 8-24 hours
  • Recovery: 1-7 days
  • Lessons Learned: 7-14 days

Incident Severity Classification

Critical

Response SLA: 15 min
Escalation: Immediate

Examples:

  • Data breach
  • Ransomware
  • Complete outage

High

Response SLA: 1 hour
Escalation: Within 2 hours

Examples:

  • Account compromise
  • Malware infection
  • Service degradation

Medium

Response SLA: 4 hours
Escalation: Within 8 hours

Examples:

  • Suspicious activity
  • Policy violation
  • Minor breach

Low

Response SLA: 24 hours
Escalation: Next business day

Examples:

  • Failed login attempts
  • Spam increase
  • Minor anomaly

Incident Response Team RACI Matrix

Activity                Security Team  IT Team  Management  Legal/HR  External PR
Initial Detection       R              C        I           -         -
Severity Assessment     A              R        C           I         -
Containment Actions     R              R        A           I         -
External Communication  C              -        A           C         R

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed

Communication Escalation Path

  1. First Responder (0-15 min): Detects incident → Logs details → Notifies Security Team Lead
  2. Security Team Lead (15-30 min): Assesses severity → Activates response team → Notifies IT Manager
  3. IT Manager (30-60 min): Reviews impact → Approves containment → Notifies Executive Team
  4. Executive Team (1-2 hours): Makes strategic decisions → Approves external communications → Notifies Board if needed

Phase-by-Phase Response Checklist

  • Preparation
  • Detection & Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Evidence Collection & Documentation

What to Collect:

  • System logs (auth, application, network)
  • Screenshots of suspicious activity
  • Network traffic captures
  • Memory dumps if malware suspected
  • Timeline of events with timestamps

Chain of Custody:

  • Document who collected evidence
  • Record collection date/time
  • Use write-once media when possible
  • Create cryptographic hashes
  • Secure storage with limited access
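The chain-of-custody points above (who collected, when, cryptographic hashes) can be enforced in code rather than on paper. The script below is an added example, not part of the template or any vendor tool: it hashes each evidence file at collection time, appends a custody event for every hand-off, and re-hashes on verification so any change to the file since collection shows up as a hash mismatch. The file layout, actor names, and the sample auth.log line are constructed for illustration; timestamps are recorded in UTC.

```python
"""Evidence manifest and chain-of-custody log.

Added example, not part of the original template. Assumptions (constructed):
evidence items are files on disk, actors are identified by name, and all
timestamps are ISO-8601 UTC.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List

CHUNK = 1 << 20  # hash in 1 MiB chunks so large captures or memory dumps fit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    action: str      # "collected", "transferred", "verified", or "HASH MISMATCH"
    actor: str       # who performed the action (or "from -> to" for transfers)
    timestamp: str   # ISO-8601 UTC
    note: str = ""


@dataclass
class EvidenceItem:
    path: str
    sha256: str
    size: int
    custody: List[CustodyEvent] = field(default_factory=list)


def collect(path: str, collector: str, note: str = "") -> EvidenceItem:
    """Hash a file at collection time and open its chain-of-custody record."""
    item = EvidenceItem(path=path, sha256=sha256_file(path), size=os.path.getsize(path))
    item.custody.append(CustodyEvent("collected", collector, now_utc(), note))
    return item


def transfer(item: EvidenceItem, from_actor: str, to_actor: str) -> None:
    """Record a hand-off between two people; the file is not re-read here."""
    item.custody.append(CustodyEvent("transferred", f"{from_actor} -> {to_actor}", now_utc()))


def verify(item: EvidenceItem, verifier: str) -> bool:
    """Re-hash the file and log the result; False means it changed since collection."""
    ok = sha256_file(item.path) == item.sha256
    item.custody.append(CustodyEvent("verified" if ok else "HASH MISMATCH", verifier, now_utc()))
    return ok


def write_manifest(items: List[EvidenceItem], out_path: str) -> str:
    """Write the manifest as JSON and return its own SHA-256, to be recorded separately."""
    with open(out_path, "w") as f:
        json.dump([asdict(i) for i in items], f, indent=2)
    return sha256_file(out_path)


def demo() -> dict:
    """Constructed scenario: collect a log, hand it off, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:
            # constructed sample line, not a real log
            f.write("Jan 01 00:00:01 host sshd[123]: Failed password for root from 203.0.113.5\n")
        item = collect(log, "first responder", "copied from host before containment")
        transfer(item, "first responder", "security team lead")
        intact = verify(item, "security team lead")
        with open(log, "a") as f:  # simulate an unauthorised modification
            f.write("tampered\n")
        after_tamper = verify(item, "security team lead")
        manifest_hash = write_manifest([item], os.path.join(d, "manifest.json"))
        return {
            "intact": intact,
            "after_tamper": after_tamper,
            "events": [e.action for e in item.custody],
            "manifest_hash": manifest_hash,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest hash returned by `write_manifest` is what you record on the write-once media or in the case file: anyone can later re-hash the manifest and each listed file to confirm that neither the evidence nor its custody history has been altered.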

Be Prepared for Any Incident

Download the complete incident response plan template with detailed playbooks, communication templates, and step-by-step procedures for common incident types.
