Incident Response Policy and Plan

A policy exists to express management intent and confer authority. An IR policy tells staff, auditors, and regulators that the organisation has made a formal commitment to responding to security incidents, that specific people are empowered to act, and that resources have been allocated. Without this commitment documented at the board or executive level, an IR team can be overruled by business managers who want to avoid disruption, denied budget when incidents are active, or exposed to legal liability when they take containment actions that affect business operations.

The scope section is the most consequential part of any IR policy. It defines which information assets, systems, geographic locations, and third-party relationships fall within the programme. A cloud environment that is out of scope is an unmanaged risk. A subsidiary that is out of scope is a potential entry point for attackers. Scope decisions require legal input because they interact with contractual obligations, data protection law, and jurisdictional rules. India's Digital Personal Data Protection Act 2023, the EU's GDPR, and the UK's Data Protection Act 2018 all create specific obligations when personal data is involved in an incident. The policy should name the applicable regulatory frameworks and confirm that the programme covers incidents involving regulated data.

Authority is the other critical element. The policy should name the role (not the individual) that holds authority to: declare a major incident, authorise containment actions that affect business operations (such as isolating a production system), engage external parties such as law enforcement or forensic vendors, and approve external communications including regulatory notifications. Naming a role rather than a person means the authority survives personnel changes.

An IR plan must be specific enough that a competent person unfamiliar with the organisation could follow it during a stressful incident. Vague language ("notify relevant stakeholders") is not a procedure. The following sections are the minimum required in a plan that will satisfy major frameworks including NIST SP 800-61, ISO/IEC 27035, and the NCSC Cyber Incident Response guidance.

Appendices typically include: a current contact list for all CSIRT members and their alternates, a list of external contacts (law enforcement liaisons, forensic vendors, legal counsel, cyber insurance carrier), a tool and access inventory listing credentials or access methods needed during an incident, and a separate set of playbooks for the most common incident types (ransomware, data breach, insider threat, DDoS). Playbooks are not part of the base plan; they are referenced from it so they can be updated independently.

The scope section of an IR plan is more detailed than the equivalent section in the policy. The policy says what is in scope in general terms. The plan specifies precisely: which network segments, cloud accounts, and SaaS environments are covered; how incidents involving third-party systems are handled; and what happens when an incident crosses organisational or jurisdictional boundaries.

Authority in the plan is mapped to specific decisions and severity tiers. A Tier 1 (low severity) incident might be handled entirely by the SOC team lead without escalation. A Tier 3 (critical) incident requires CISO involvement, notification of the board, and potentially engagement with law enforcement or regulators. The plan should include a decision matrix that shows who has authority at each tier, what actions they are empowered to take, and who they must notify. This removes ambiguity under pressure.

Cross-border incidents require particular care. An organisation with operations in multiple jurisdictions may have different notification timelines in each: GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach; India's CERT-In Directions 2022 require notification within six hours; the US has a patchwork of state-level breach notification laws with varying timelines. The plan must list each applicable jurisdiction and its requirement so that the team is not reconstructing this under time pressure during a live incident.

Communication failures are among the most common causes of poor incident outcomes. The IR plan must establish communication channels before an incident, not during one. This includes both internal channels (from the SOC to the CISO, from the CISO to the board) and external channels (to regulators, law enforcement, affected customers, and the media). See Key Terms and Stakeholders in IR for a full breakdown of the stakeholder map.

The communication matrix in the plan maps severity tiers to mandatory recipients and timelines. At Tier 1, notification may be limited to the SOC team lead. At Tier 3, the matrix should specify: CISO notified within one hour, legal counsel engaged within two hours, board chair notified within four hours, affected customers notified within 24 hours, regulator notified within 72 hours (or six hours under CERT-In). These timelines must be achievable with the organisation's actual staffing and tool set; aspirational timelines that cannot be met make the plan unreliable.

Out-of-band communication is a frequently overlooked requirement. If an attacker has compromised the organisation's email server or internal messaging platform, the IR team cannot communicate through those channels. The plan must specify an out-of-band channel: a separate email domain, personal mobile numbers for key staff, a pre-arranged secure messaging application, or a physically separate communication system. This channel should be tested as part of annual exercises.

External notifications to regulators should be treated as legal obligations, not optional communications. In the EU, failure to notify under GDPR can result in fines up to four percent of annual global turnover. Under the UK's Data Protection Act 2018, the ICO can impose fines up to £17.5 million or four percent of global turnover. Under India's DPDPA 2023, penalties for failing to notify breaches can reach INR 250 crore. The IR plan should identify which legal counsel role is responsible for approving regulatory notifications and confirm that the timeline in the matrix is compatible with the legal deadline.

IR plans, business continuity plans, and disaster recovery plans address overlapping but distinct problems. An IR plan is focused on a security event: identifying it, limiting damage, preserving evidence, and restoring the affected system to a known-good state. A BCP is focused on operational continuity: keeping essential business functions running regardless of the type of disruption, whether a security incident, a natural disaster, or a key-person loss. A DRP is focused on IT system recovery: restoring systems and data after a major failure.

The handoff between an IR plan and a BCP is a specific, documented trigger. A ransomware attack that encrypts production databases may start as an IR incident but quickly reach a point where business operations are at risk. The IR plan should specify: at what point (defined by impact criteria, not elapsed time) the BCP is activated alongside the IR plan, who authorises BCP activation, and how the two teams coordinate. Both plans should reference each other so there is no gap in authority or confusion about who is in charge of which workstream.

DRP invocation criteria should appear in the IR plan's recovery section. Common triggers include: data loss that exceeds the organisation's Recovery Point Objective (RPO), system unavailability that exceeds the Recovery Time Objective (RTO), or evidence that systems cannot be restored from a clean backup without a full rebuild. The IR plan should name the role that authorises DRP invocation and confirm that the DRP's contact lists and resource assumptions are consistent with what the IR plan expects to be available.

An IR policy and plan that is not regularly reviewed and tested is a liability, not an asset. Plans that refer to tools the organisation no longer uses, contact lists with departed staff, or procedures that contradict current infrastructure are worse than no plan: they create false confidence and waste time during a real incident. The maintenance schedule should be embedded in the plan itself, not left to informal agreement.

Review triggers should include: a significant change in IT infrastructure or architecture, a major regulatory change (such as a new breach notification law), a significant incident in the organisation or a widely publicised incident in the same sector that reveals a gap, and the annual scheduled review. Each review should produce a dated, version-controlled document with a change log and a signature from the policy owner confirming approval.

Testing takes several forms. A tabletop exercise walks key personnel through a simulated scenario to test decision-making and communication flows without touching live systems. A functional exercise tests specific procedures such as activating the out-of-band communication channel or restoring a system from backup. A full-scale exercise tests end-to-end IR capability including external notifications. Regulators in several jurisdictions now expect evidence of testing: the US SEC's cybersecurity disclosure rules, DORA (Digital Operational Resilience Act) in the EU, and the UK FCA's operational resilience framework all include testing requirements.