How to Build an Incident Response Plan for Your Business
Every business needs an incident response plan (IRP). Not because a breach is certain, but because the time to figure out what to do is before an incident — not during one.
What Is an Incident Response Plan?
An IRP is a documented set of procedures for detecting, responding to, and recovering from security incidents. It defines who does what, when, and how — so your team can act decisively under pressure instead of improvising.
The 6 Phases of Incident Response (NIST Framework):
Phase 1: Preparation
Build capabilities before an incident occurs:
- Assign roles: Incident Commander, Communications Lead, IT Lead, Legal/Compliance Lead
- Document emergency contacts: internal team, MSP/MSSP, legal counsel, cyber insurance carrier, law enforcement
- Deploy tools: EDR, SIEM, backup systems, communication channels (out-of-band)
- Conduct tabletop exercises at least annually
Phase 2: Detection & Analysis
Identify that an incident has occurred and assess scope:
- Monitor alerts from EDR, firewall, email gateway, and cloud security tools
- Establish severity levels (P1-Critical through P4-Low)
- Document initial indicators: affected systems, timeline, attack vector
- Make a containment decision: isolate immediately or gather more data first?
Phase 3: Containment
Stop the spread without destroying evidence:
- Short-term: Isolate affected systems from the network (disconnect, VLAN quarantine)
- Long-term: Apply patches, change credentials, block attacker IPs/domains
- Preserve forensic images before wiping or reimaging machines
- Activate backup communication channels if email is compromised
Phase 4: Eradication
Remove the attacker's presence completely:
- Identify the root cause (how did they get in?)
- Remove malware, backdoors, and compromised accounts
- Reset credentials for all potentially affected accounts
- Patch the vulnerability that allowed initial access
Phase 5: Recovery
Restore normal operations:
- Restore systems from verified clean backups
- Monitor closely for re-compromise (attackers often try to return)
- Gradually restore network connectivity with validation at each step
- Communicate status to stakeholders (employees, customers, partners)
Phase 6: Lessons Learned
Improve for next time:
- Conduct a post-incident review within 2 weeks
- Document what happened, what worked, what did not
- Update the IRP based on lessons learned
- Address root causes (training, tool gaps, process failures)
Incident Severity Levels:
| Level | Description | Response Time | Example |
|-------|-------------|---------------|---------|
| P1 — Critical | Active breach with data exfiltration or ransomware | Immediate (within 15 min) | Ransomware encrypting servers |
| P2 — High | Confirmed compromise without active data loss | Within 1 hour | Compromised admin account |
| P3 — Medium | Suspicious activity requiring investigation | Within 4 hours | Unusual login patterns |
| P4 — Low | Minor security event, no confirmed impact | Within 24 hours | Single failed login attempt |
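As an added example that is not part of the original article, the triage logic below runs the Phase 2 "establish severity levels" step over constructed authentication log lines: a single failed login maps to P4, a burst of failures from one source to P3 ("unusual login patterns"), and a successful login right after such a burst escalates to P2 ("compromised account"), with the response deadline taken from the table. The log format, the failure threshold and the 10-minute window are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Response-time targets from the severity table, in minutes ("Immediate" taken as 15 min).
RESPONSE_MINUTES = {"P1": 15, "P2": 60, "P3": 240, "P4": 1440}
FAIL_THRESHOLD = 5              # assumed: this many failures from one source is "unusual"
WINDOW = timedelta(minutes=10)  # assumed: failures are counted inside a sliding 10-minute window

# Constructed sample log; the "timestamp user source result" format is an assumption of this example.
SAMPLE_LOG = [
    "2024-05-01T09:00:05 alice 203.0.113.7 FAIL",
    "2024-05-01T09:00:40 alice 203.0.113.7 FAIL",
    "2024-05-01T09:01:12 alice 203.0.113.7 FAIL",
    "2024-05-01T09:02:03 alice 203.0.113.7 FAIL",
    "2024-05-01T09:02:50 alice 203.0.113.7 FAIL",
    "2024-05-01T09:03:30 alice 203.0.113.7 OK",
]

def parse_event(line):
    """Split one log line into its fields; the timestamp is ISO 8601."""
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}

def triage(lines):
    """Return (severity, reason) for a batch of auth events, or (None, reason) if nothing failed."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(list)  # source address -> failure timestamps still inside WINDOW
    severity, reason = None, "no failed logins"
    for e in events:
        window = [t for t in recent[e["src"]] if e["ts"] - t <= WINDOW]
        if e["result"] == "FAIL":
            window.append(e["ts"])
            if len(window) >= FAIL_THRESHOLD:  # P3: unusual login pattern
                severity, reason = "P3", f"{len(window)} failures from {e['src']} within {WINDOW}"
            elif severity is None:             # P4: isolated failed login, no confirmed impact
                severity, reason = "P4", f"single failed login for {e['user']} from {e['src']}"
        elif e["result"] == "OK" and len(window) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is treated as a probable account compromise.
            return "P2", f"login for {e['user']} from {e['src']} after {len(window)} failures"
        recent[e["src"]] = window
    return severity, reason

def response_deadline(severity, detected_at_iso):
    """Time by which the first response must start, per the table's response-time column."""
    detected = datetime.fromisoformat(detected_at_iso)
    return (detected + timedelta(minutes=RESPONSE_MINUTES[severity])).isoformat()

if __name__ == "__main__":
    sev, why = triage(SAMPLE_LOG)
    print(sev, why, "- respond by", response_deadline(sev, "2024-05-01T09:03:30"))
```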
Essential Contacts for Your IRP:
1. Internal Incident Commander (primary + backup)
2. Managed IT / MSSP provider (24/7 hotline)
3. Cyber insurance carrier (breach notification line)
4. Legal counsel (breach notification requirements)
5. Law enforcement (FBI IC3 for cyber, local PD for physical)
6. PR / communications (if public disclosure is needed)
7. Key vendors (Microsoft, cloud providers, critical SaaS)
Testing Your Plan:
An untested plan is a plan that will fail. Conduct these exercises:
- Tabletop exercise (quarterly): Walk through a scenario verbally with your team
- Functional exercise (annually): Simulate an incident and have teams execute their procedures
- Full simulation (every 2 years): Unannounced test during business hours
Summit DNC helps businesses develop, document, and test incident response plans as part of our managed IT and security services. Contact us to schedule a security readiness assessment.