Incident Response Plans: What They Are and How to Build One

Most cybersecurity experts will tell you it’s only a matter of time before every company experiences a data breach incident. When a cyber incident does occur, your business needs to be ready with an incident response plan (IRP) in order to reduce the damage done and ensure business continuity.

In order to make sure that your business has top-notch cybersecurity, we paired up with Ryan Barrett, Founder and CEO of ORAM Cybersecurity Advisors, a company that works to streamline businesses’ technology systems to help them grow. Barrett has spent the majority of his career consulting with organizations whose data is critical to their business, making him a cybersecurity expert. Learn what he has to say about Incident Response Plans.

What is an Incident Response Plan?

An IRP is a formal, written, step-by-step instructional plan for responding to any cyber incident your company may face. While many IRPs follow a similar formula, each IRP should be designed to address the unique needs of a given business. This allows companies to detect a problem as quickly as possible, respond swiftly, and recover rapidly in the event an incident does occur.

Because IRPs address issues ranging from malware and viruses to service outages and network breaches, most incident response plans center around technology. Whether the cause of an incident is a dark web hacker or a natural disaster, your organization’s IRP should be able to guide you efficiently and effectively through the incident. While technology is at the heart of an IRP, it should encompass all areas that may be impacted, including customer service, finance, human resources, partners, clients, public relations, and more.

How Do I Begin Developing an IRP?

The SysAdmin, Audit, Network, and Security Institute (SANS), a private U.S. company that specializes in cybersecurity training, and the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, have each put together a list of general guidelines for responding to active cyber incidents. Those combined incident response steps include:

  • Preparation
  • Detection, Identification, and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity and Lessons Learned


The first step in developing an IRP is preparation. This is where your organization acknowledges a cyber incident is a matter of “when” versus “if.” It is here you will document, outline, and explain the roles and responsibilities of your company’s incident response team. Who is in charge of doing what when an incident does occur? This may include an in-house IT team, a third-party cybersecurity vendor such as ORAM Cybersecurity Advisors, or a mix of both.

Additionally, this is where business assets are outlined. This includes everything from desktop computers and C-level laptops to servers, applications, and networks. Each item on your inventory should be listed in its order of importance so the incident response team knows what assets should be secured and restored first in order to ensure the least loss with the quickest, most effective recovery for your business. In preparation for a cyber incident, you’ll include traffic monitoring data so you have a baseline for later comparison as needed by the incident response team.

As part of the preparation stage, you’ll also create a communication plan that outlines who to contact, how, and when, based on each type of possible incident (such as the incident types mentioned above). Ensure everyone on the incident response team knows the plan and their role in executing it. Once you determine a threshold for each type of cyber incident, you will create a sub-plan for each potential threat.

Detection, Identification, and Analysis

Once a cyber incident is detected and identified, research and analysis of the incident take place. Your incident response team will be called into action to learn everything they can about the issue. For example, what type of incident occurred and when did it happen? Once details are collected, analyze the information to determine the entry point and the breadth of the damage. Consolidating the output of all your security tools in one location in advance can make this process simpler and faster when the time comes.
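As an added illustration (not code from the article or from ORAM Cybersecurity Advisors), the following Python sketch shows how the traffic baseline captured during preparation is compared against current readings during detection, and how the IRP's asset priority list orders the hosts the team looks at first. All traffic figures, host names and the priority list are constructed sample values.

```python
"""Baseline-vs-current traffic comparison for the detection phase of an IRP."""
from statistics import mean, pstdev

# Constructed baseline (not real data): outbound bytes per hour for each host,
# sampled at the same hour on seven quiet days during the preparation stage.
BASELINE = {
    "hr-laptop-01": [12_000, 15_000, 9_800, 14_200, 11_500, 13_100, 10_900],
    "db-server-01": [820_000, 790_000, 845_000, 810_000, 830_000, 805_000, 815_000],
    "web-01": [2_100_000, 2_050_000, 2_200_000, 2_180_000, 2_090_000, 2_150_000, 2_120_000],
}

# Constructed current-hour readings; db-server-01 is sending far more than usual.
CURRENT = {"hr-laptop-01": 13_400, "db-server-01": 6_400_000, "web-01": 2_160_000}

# Constructed asset inventory in the IRP's order of importance (1 = secure/restore first).
ASSET_PRIORITY = {"db-server-01": 1, "web-01": 2, "hr-laptop-01": 3}


def build_baseline(samples):
    """Per-host mean and population standard deviation of outbound bytes/hour."""
    return {host: (mean(values), pstdev(values)) for host, values in samples.items()}


def deviations(baseline, current, z_threshold=4.0):
    """Return {host: z-score} for hosts whose current reading sits z_threshold
    or more standard deviations above their baseline mean.  z_threshold plays
    the role of the per-incident threshold the plan defines in preparation."""
    flagged = {}
    for host, value in current.items():
        if host not in baseline:  # unknown asset: no baseline, so it is not scored here
            continue
        mu, sigma = baseline[host]
        sigma = sigma or 1.0  # avoid division by zero for a perfectly flat baseline
        z = (value - mu) / sigma
        if z >= z_threshold:
            flagged[host] = round(z, 1)
    return flagged


def triage_order(flagged, priority):
    """Order flagged hosts so the team works the most important assets first;
    hosts missing from the inventory sort last."""
    return sorted(flagged, key=lambda host: priority.get(host, len(priority) + 1))


if __name__ == "__main__":
    hits = deviations(build_baseline(BASELINE), CURRENT)
    for host in triage_order(hits, ASSET_PRIORITY):
        print(f"{host}: {hits[host]} std devs above baseline")
```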

Containment, Eradication, and Recovery

The purpose of containment is to stop the incident as soon as possible to prevent further damage. This means patching the entry point where the threat began. Eradication means eliminating the threat entirely by cleansing all assets. This could be anything from removing malware to halting unauthorized access to business data. Recovery means reinstating systems, networks, and other assets to ensure they are fully operational whether they went down due to a power surge or a virus.

Post-Incident Activity and Lessons Learned

The final step of the IRP is the most critical and should not be overlooked. Time should be given for the incident response team to meet and discuss what was learned during the incident as a way to prevent and prepare for another incident in the future. Take the opportunity to look for areas of improvement and update your IRP to reflect what your team garnered from the incident.

Finally, your IRP should also include notification steps. It should outline who needs to be notified of a cyber incident, including staff, clients, and vendors. Law enforcement may also need to be notified, since state and federal laws as well as industry regulations can make this step mandatory.

To learn more about technology for your business and other scams to be aware of, read Ryan’s insights on ORAM Cybersecurity Advisors’ blog here: