A free, customizable incident response plan template for organizations of all sizes. Based on the NIST SP 800-61 Computer Security Incident Handling Guide, this template provides a structured framework for preparing for, detecting, containing, eradicating, and recovering from cybersecurity incidents.
Maintained by Petronella Technology Group — A cybersecurity firm based in Raleigh, NC with 23+ years of experience helping organizations build and test incident response capabilities. For professional cybersecurity services, visit our Cyber Security page.
- Why You Need an Incident Response Plan
- Incident Response Frameworks
- Incident Response Plan Template
- Incident Response Playbooks
- Tabletop Exercise Scenarios
- Downloadable Templates
- Additional Resources
- About
Cybersecurity incidents are not a matter of if but when. An incident response plan is essential because:
- Regulatory compliance — Required by CMMC, HIPAA, PCI DSS, NIST 800-171, SOX, and many other frameworks
- Reduced impact — Organizations with tested IR plans contain breaches significantly faster and at lower cost
- Legal protection — Demonstrates due diligence and can reduce liability
- Insurance requirements — Most cyber insurance policies require a documented IR plan
- Business continuity — Enables faster recovery and reduces operational downtime
- Stakeholder confidence — Shows customers, partners, and regulators that you take security seriously
According to industry breach cost research, organizations without an incident response team and tested IR plan experience significantly higher costs and longer breach lifecycles compared to those with mature IR capabilities.
This template follows the six-phase PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) popularized by SANS. It maps directly onto the four phases defined in NIST SP 800-61 Rev. 2 (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity): Identification corresponds to Detection and Analysis, and Lessons Learned to Post-Incident Activity.
| Phase | Description |
|---|---|
| Preparation | Build IR capability before an incident occurs |
| Identification | Detect and confirm that an incident has occurred |
| Containment | Limit the damage and prevent further spread |
| Eradication | Remove the threat from the environment |
| Recovery | Restore systems to normal operations |
| Lessons Learned | Document what happened and improve for next time |
The same structure can be adapted to ISO/IEC 27035 or CISA incident response guidance.
Instructions: Copy this template, customize the bracketed fields such as [ORGANIZATION NAME], and adapt each section to your environment. Remove this instruction block when done.
Document Title: [ORGANIZATION NAME] Incident Response Plan
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Document Owner: [CISO/IT DIRECTOR NAME AND TITLE]
Purpose: This Incident Response Plan (IRP) establishes the procedures, roles, and responsibilities for responding to cybersecurity incidents affecting [ORGANIZATION NAME] information systems, data, and operations. The plan ensures a coordinated, efficient, and effective response to minimize impact and restore normal operations.
Authority: This plan is authorized by [CEO/EXECUTIVE NAME AND TITLE] and applies to all employees, contractors, and third parties with access to [ORGANIZATION NAME] systems and data.
This plan applies to:
- All information systems owned or operated by [ORGANIZATION NAME]
- All data processed, stored, or transmitted by [ORGANIZATION NAME], including:
  - [Controlled Unclassified Information (CUI)]
  - [Protected Health Information (PHI)]
  - [Personally Identifiable Information (PII)]
  - [Payment Card Data]
  - [Intellectual Property]
  - [Other sensitive data types]
- All employees, contractors, and third-party users
- All facilities, including remote work locations
- Cloud services and third-party hosted environments
| Role | Name | Contact | Backup |
|---|---|---|---|
| Incident Response Lead | [Name] | [Phone/Email] | [Backup Name] |
| IT Security Analyst | [Name] | [Phone/Email] | [Backup Name] |
| System Administrator | [Name] | [Phone/Email] | [Backup Name] |
| Network Administrator | [Name] | [Phone/Email] | [Backup Name] |
| Legal Counsel | [Name] | [Phone/Email] | [Backup Name] |
| HR Representative | [Name] | [Phone/Email] | [Backup Name] |
| Communications/PR | [Name] | [Phone/Email] | [Backup Name] |
| Executive Sponsor | [Name] | [Phone/Email] | [Backup Name] |
| Resource | Contact | Account/Contract # |
|---|---|---|
| Managed Security Provider | [Provider Name, Phone] | [Contract #] |
| Cyber Insurance Carrier | [Carrier Name, Phone] | [Policy #] |
| Forensics Firm (retainer) | [Firm Name, Phone] | [Retainer #] |
| Legal Counsel (external) | [Firm Name, Phone] | [Matter #] |
| Law Enforcement (FBI) | [Local Field Office Phone] | |
| CISA | 1-888-282-0870 | |
| Severity | Description | Examples | Response Time | Escalation |
|---|---|---|---|---|
| Critical (S1) | Active compromise with significant data exposure or operational impact | Active ransomware, confirmed data exfiltration, complete system outage | Immediate (within 15 min) | Executive team, legal, insurance, potentially law enforcement |
| High (S2) | Confirmed incident with potential for significant impact | Compromised admin account, malware on multiple systems, partial outage | Within 1 hour | IR Lead, management, MSP |
| Medium (S3) | Confirmed incident with limited scope | Single compromised workstation, successful phishing (no data access), policy violation | Within 4 hours | IR Lead, IT security |
| Low (S4) | Suspicious activity requiring investigation | Failed login attempts, suspicious email reported, minor policy violation | Within 24 hours | IT security analyst |
| Category | Description |
|---|---|
| Malware/Ransomware | Malicious software including ransomware, trojans, worms, viruses |
| Phishing/Social Engineering | Email or voice-based attacks targeting employees |
| Unauthorized Access | Unauthorized access to systems, networks, or data |
| Data Breach/Exfiltration | Confirmed or suspected loss or theft of sensitive data |
| Denial of Service | Attacks disrupting availability of systems or services |
| Insider Threat | Malicious or negligent actions by employees or contractors |
| Business Email Compromise | Email account takeover for fraud or data theft |
| Physical Security | Unauthorized physical access, stolen devices, tailgating |
| Supply Chain | Compromise through third-party vendors or software |
| Web Application Attack | SQL injection, XSS, or other attacks on web applications |
Objective: Ensure the organization is ready to respond to incidents.
- Maintain this incident response plan and review at least annually
- Conduct security awareness training for all employees
- Deploy and maintain security monitoring tools (SIEM, EDR, IDS/IPS)
- Establish and test backup and recovery procedures
- Maintain incident response toolkit and forensic tools
- Conduct tabletop exercises at least annually
- Maintain current contact lists and escalation procedures
- Review and test communication channels (out-of-band if primary is compromised)
- Ensure legal review of notification obligations
- Maintain cyber insurance policy and understand coverage
Objective: Detect, validate, and classify the incident.
Detection Sources:
- Security Information and Event Management (SIEM) alerts
- Endpoint Detection and Response (EDR) alerts
- Intrusion Detection/Prevention System (IDS/IPS) alerts
- User reports (phishing, suspicious activity)
- Third-party notifications (vendors, partners, law enforcement)
- Threat intelligence feeds
- External vulnerability scanning
Initial Triage Checklist:
- Date and time of detection
- Source of detection (who/what identified it)
- Description of the event
- Systems, networks, and data affected
- Current status (ongoing, contained, resolved)
- Initial severity classification
- Assign incident tracking number
- Begin incident log documentation
- Notify IR Lead if severity warrants
Objective: Limit the scope and impact of the incident.
Short-Term Containment (immediate actions):
- Isolate affected systems from the network (do NOT power off if forensics needed)
- Block malicious IPs, domains, or email addresses
- Disable compromised user accounts
- Change credentials for affected accounts
- Preserve evidence (memory dumps, disk images, logs)
- Activate out-of-band communications if primary channels compromised
- Document all containment actions taken
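Preserving evidence is only useful if you can later prove it was not altered after collection. The following is an added example (not part of the template) of a chain-of-custody manifest: every collected artifact (memory dump, disk image, exported logs) is hashed with SHA-256 and recorded with size, collector, and UTC timestamp, and the item list itself is hashed so the manifest cannot be quietly rewritten. The `demo()` function builds a constructed two-file evidence set in a temporary directory; the incident ID and collector address are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB disk image never sits in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, incident_id: str, collector: str) -> dict:
    """Hash every collected artifact and record who collected it and when."""
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            items.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Digest over the canonical item list. Record this value somewhere the
    # responders cannot edit (ticket, signed email) so the manifest itself
    # cannot be rewritten later to match tampered files.
    manifest["items_sha256"] = hashlib.sha256(
        json.dumps(items, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means every artifact is intact."""
    problems = []
    expected = hashlib.sha256(
        json.dumps(manifest["items"], sort_keys=True).encode()).hexdigest()
    if expected != manifest["items_sha256"]:
        problems.append("manifest item list was modified")
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Constructed sample: two fake artifacts, one edited after collection."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        (ev / "logs").mkdir()
        (ev / "memory.raw").write_bytes(os.urandom(4096))   # stand-in for a memory dump
        (ev / "logs" / "auth.log").write_text("sample log line\n")
        manifest = build_manifest(ev, "IR-0001", "analyst@example.com")  # placeholder values
        clean = verify_manifest(ev, manifest)
        (ev / "logs" / "auth.log").write_text("sample log line (edited)\n")
        tampered = verify_manifest(ev, manifest)
        return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Write the manifest to write-once storage (or print `items_sha256` into the incident ticket) before anyone touches the evidence again; a verification run that returns an empty list is what you hand to counsel or the forensics firm to show the artifacts are the ones collected on the day.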
Long-Term Containment (temporary fixes):
- Apply temporary security controls
- Implement network segmentation changes
- Set up enhanced monitoring of affected areas
- Coordinate with third-party providers as needed
- Brief management on containment status
Objective: Remove the threat and close the attack vector.
- Identify root cause and attack vector
- Remove malware from all affected systems
- Close exploited vulnerabilities (patch, configuration change)
- Reset all potentially compromised credentials
- Review and update firewall/IDS rules
- Scan all systems for additional compromise (lateral movement)
- Verify eradication through re-scanning and monitoring
- Document eradication activities
Objective: Restore systems to normal operations securely.
- Develop a recovery plan with prioritized system restoration order
- Restore systems from known-good backups (verify backup integrity)
- Rebuild compromised systems from clean images if necessary
- Re-enable disabled services and accounts
- Implement enhanced monitoring during recovery period
- Validate system functionality and data integrity
- Confirm with system owners that operations are restored
- Monitor for signs of re-compromise for at least 30 days
- Document recovery activities and timeline
Objective: Improve future incident response capabilities.
- Conduct post-incident review meeting within 2 weeks
- Document timeline of events, actions taken, and outcomes
- Identify what worked well and what needs improvement
- Update incident response plan based on findings
- Update detection rules and monitoring based on attack indicators
- Implement preventive measures to address root cause
- Share anonymized lessons learned with relevant teams
- Update training materials if human factors contributed
- Archive incident documentation per retention policy
| Audience | When to Notify | Method | Responsible |
|---|---|---|---|
| Executive team | S1 within 30 min; S2 within 4 hours | Phone, then email | IR Lead |
| IT department | All severities, immediately | Teams/Slack, phone | IT Security |
| Legal counsel | S1/S2 immediately; S3 within 24 hours | Phone | IR Lead |
| HR | If employee involved | Phone | IR Lead |
| Affected department heads | After initial assessment | Email or meeting | IR Lead |
| All employees | If awareness needed | Email from management | Communications |
| Audience | When to Notify | Method | Responsible |
|---|---|---|---|
| Cyber insurance carrier | S1/S2 within 24 hours | Phone | Legal/IR Lead |
| Law enforcement | If criminal activity suspected | Phone to FBI field office | Legal |
| Affected customers/individuals | Per regulatory requirements | Written notice | Legal/Communications |
| Regulatory bodies | Per applicable regulations | Official channels | Legal |
| Media | Only if necessary, after legal review | Press release/statement | Communications |
| Business partners | If partner data affected | Phone/email | IR Lead |
| Regulation | Trigger | Deadline | Report To |
|---|---|---|---|
| DFARS 252.204-7012 | Cyber incident affecting CUI | 72 hours | DIBNet |
| HIPAA | Breach of unsecured PHI | Individuals: without unreasonable delay, no later than 60 days after discovery; HHS and prominent media: within 60 days if 500+ individuals affected; HHS annually (within 60 days after calendar year end) if fewer than 500 | HHS OCR, affected individuals, media (500+) |
| PCI DSS | Cardholder data compromise | Immediately | Acquirer/card brands |
| State Breach Laws | PII exposure | Varies by state (typically 30-60 days) | State AG and/or affected individuals |
| SEC (public companies) | Material cybersecurity incident | 4 business days after the materiality determination (Form 8-K Item 1.05) | SEC |
| GDPR | EU personal data breach | 72 hours | Supervisory authority |
| CISA (CIRCIA) | Covered cyber incidents at covered critical infrastructure entities | 72 hours (24 hours for ransom payments), once CISA's implementing rule is in effect | CISA |
Detailed playbooks for common incident types are provided below and in the playbooks/ directory.
- Complete incident report within 30 days of incident closure
- Present lessons learned to management
- Update risk assessment with new findings
- Modify security controls based on lessons learned
- Update training materials as needed
- Retain incident documentation for [6 years / per retention policy]
| Activity | Frequency | Responsible |
|---|---|---|
| Full plan review and update | Annually | IR Lead |
| Contact list verification | Quarterly | IT Security |
| Tabletop exercise | Annually (minimum) | IR Lead |
| Technical exercise/drill | Semi-annually | IT Security |
| Post-incident plan updates | After each significant incident | IR Lead |
| Distribution to stakeholders | After each update | IR Lead |
Trigger: Ransomware detected or suspected on any system.
Immediate Actions (First 15 Minutes):
- DO NOT pay the ransom without executive and legal approval
- DO NOT power off affected systems (preserve evidence in memory)
- Disconnect affected systems from the network (pull the Ethernet cable, disable Wi-Fi)
- Alert the IR Lead and initiate S1 response
- Activate out-of-band communication (personal phones, separate email)
- Take photos of any ransom notes displayed on screens
Containment (First Hour):
- Identify the scope — how many systems are affected?
- Determine the ransomware variant (ransom note, file extension, IOCs)
- Check for available decryptors at No More Ransom Project
- Block known C2 (command and control) domains and IPs at the firewall
- Disable file sharing services (SMB, NFS)
- Isolate network segments containing affected systems
- Preserve at least one encrypted system for forensic analysis
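Scoping and variant identification are faster with a read-only scan than by opening files by hand. The following is an added example (not part of the template) that walks a tree such as a mounted share or an isolated host's disk and reports three things: ransom-note files, the count of files per extension, and files whose contents are now near-random bytes even though the name still looks like a text file. The note-name patterns and extension lists are assumptions for the demo; replace them with the indicators for the family you are actually facing. `demo()` builds a constructed sample tree in a temporary directory.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-note filename patterns; swap in the ones for the variant you face
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"readme.*\.(txt|html?)$", r".*decrypt.*\.(txt|html?)$",
    r".*restore.*\.(txt|html?)$", r".*how_to.*\.(txt|html?)$",
    r".*recover.*\.(txt|html?)$",
)]
# Formats that should never be near-random bytes; high entropy here means encrypted in place
PLAIN_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".md"}
KNOWN_EXTENSIONS = PLAIN_EXTENSIONS | {".xlsx", ".docx", ".pptx", ".pdf", ".jpg",
                                       ".png", ".zip", ".exe", ".dll", ".bak"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data approaches 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read, so large shares scan quickly


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(root: Path) -> dict:
    notes, encrypted, by_ext, appended = [], [], Counter(), Counter()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        ext = p.suffix.lower()
        by_ext[ext or "(none)"] += 1
        if any(pat.match(p.name) for pat in NOTE_PATTERNS):
            notes.append(rel)
            continue
        # "report.xlsx.locked": an unknown suffix appended to a known one is the
        # classic rename; the appended suffix usually identifies the family
        if len(p.suffixes) >= 2 and ext not in KNOWN_EXTENSIONS:
            appended[ext] += 1
        if ext in PLAIN_EXTENSIONS:
            with p.open("rb") as f:
                head = f.read(SAMPLE_BYTES)
            if shannon_entropy(head) > ENTROPY_THRESHOLD:
                encrypted.append(rel)   # same name, but the contents are now ciphertext
    return {
        "ransom_notes": sorted(notes),
        "likely_encrypted": sorted(encrypted),
        "appended_extensions": dict(appended),
        "files_by_extension": dict(by_ext),
    }


def demo() -> dict:
    """Constructed sample tree: one renamed and encrypted file, one encrypted
    in place, one ransom note, one untouched file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "q3.xlsx.locked").write_bytes(os.urandom(70000))
        (root / "finance" / "HOW_TO_DECRYPT.txt").write_text("your files are encrypted\n")
        (root / "notes.txt").write_bytes(os.urandom(70000))
        (root / "readme_clean.md").write_text("# project\nnormal content\n")
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

Only plain-text formats are entropy-checked on purpose: office documents, archives and images are compressed and would all score above the threshold. Run the scan against a read-only mount or the preserved forensic copy, never by writing to the affected host, and feed the appended extension and note text into the No More Ransom lookup.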
Assessment:
- Determine the entry point (phishing, RDP, vulnerability, supply chain)
- Assess data exfiltration — check for double extortion indicators
- Evaluate backup integrity — are backups intact and uncompromised?
- Notify cyber insurance carrier
- Engage forensics firm if needed
Recovery:
- Rebuild affected systems from clean images
- Restore data from verified clean backups
- Reset all credentials (domain admin, service accounts, user accounts)
- Apply patches that address the entry point vulnerability
- Implement enhanced monitoring before reconnecting systems
- Monitor for re-infection for 90 days
Trigger: Employee reports a suspicious email or clicks a suspected phishing link.
If the user only received/reported (did not click):
- Thank the user for reporting
- Analyze the email headers, links, and attachments in a sandbox
- Block the sender domain/IP at the email gateway
- Search for the same email across all mailboxes
- Remove all instances of the phishing email
- Update email filtering rules
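Header analysis is the step most often skipped when a reported email "looks fine". The following is an added example (not part of the template) that parses a raw .eml with the standard library and flags what an analyst checks first: SPF, DKIM and DMARC verdicts from the Authentication-Results header, a From domain that differs from Return-Path or Reply-To, and every URL in the body with a lookalike check against the organization's own domain. The message, the domain `example.com` and the homoglyph folding are constructed assumptions for the demo.

```python
import re
from email import policy
from email.parser import BytesParser

OUR_DOMAIN = "example.com"  # assumption for the demo
OUR_LABEL = OUR_DOMAIN.split(".")[0]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message: spoofed From, failing authentication, lookalike link
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-examp1e.com>
Received: from mail-examp1e.com (203.0.113.45) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-examp1e.com;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@examp1e-support.com
To: jane.doe@example.com
Subject: Action required: password expires today
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Sign in at
https://examp1e.com/login to keep access. Contact https://example.com/help if needed.
"""


def _domain(addr) -> str:
    s = str(addr) if addr else ""
    m = re.search(r"@([\w.-]+)", s)
    return m.group(1).lower() if m else ""


def _url_host(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def _fold(domain: str) -> str:
    # Collapse common homoglyph substitutions so examp1e.com folds to example.com
    return domain.lower().translate(str.maketrans("01", "ol"))


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates ours but is not ours or one of our subdomains."""
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return False
    return OUR_LABEL in _fold(domain)


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg["From"])
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":   # missing or failing is worth a look
            findings.append(f"{method}={auth.get(method, 'absent')}")
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    lookalikes = sorted({u for u in urls if is_lookalike(_url_host(u))})
    return {
        "from_domain": from_dom,
        "auth": auth,
        "findings": findings,
        "urls": urls,
        "lookalike_urls": lookalikes,
        "verdict": "suspicious" if findings or lookalikes else "no obvious indicators",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EML).items():
        print(f"{k}: {v}")
```

Trust only the Authentication-Results header written by your own gateway (`mx.example.com` here); an attacker can insert a fake one upstream, so strip or ignore any copy whose authserv-id is not yours. The URLs and the sending IP from the Received line are what you block at the gateway and search for across other mailboxes.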
If the user clicked a link or opened an attachment:
- Immediately isolate the user's workstation from the network
- Have the user change their password from a different, clean device
- Check for credential harvesting — was a login page spoofed?
- If credentials were entered: force password reset, revoke active sessions, check for MFA bypass
- Run full endpoint scan on affected workstation
- Check email rules for unauthorized forwarding rules
- Review audit logs for the compromised account
Trigger: Confirmed or suspected unauthorized access to or exfiltration of sensitive data.
Immediate Actions:
- Classify the type and volume of data potentially exposed
- Identify affected individuals and data subjects
- Preserve all relevant logs and evidence
- Engage legal counsel for notification obligations
- Notify cyber insurance carrier
Investigation:
- Determine how access was gained
- Identify the full scope of data accessed or exfiltrated
- Determine if data was encrypted in transit/at rest
- Check network logs for data exfiltration indicators
- Assess whether data was actually viewed or just accessible
Notification (per legal guidance):
- Prepare notification letters for affected individuals
- File required regulatory notifications
- Establish a call center or FAQ page if large-scale breach
- Offer credit monitoring if PII was exposed
Trigger: Email account takeover, fraudulent wire transfer request, or vendor impersonation detected.
Immediate Actions:
- If a wire transfer was initiated: contact the bank immediately to halt/reverse the transfer
- Disable the compromised email account
- Check for email forwarding rules added by the attacker
- Review sent items for fraudulent messages
- Alert finance/accounting team of the compromise
Investigation:
- Determine how the account was compromised (credential theft, token theft, etc.)
- Review email access logs for unauthorized access from unusual IPs/locations
- Check for OAuth app consent grants
- Identify all contacts who received fraudulent emails
- Assess financial impact
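The forwarding-rule check in this playbook (and the same step in the phishing playbook above) is easiest to do consistently against exports rather than by clicking through the mailbox. The following is an added example (not part of the template) that audits two constructed exports of the kind you would pull from the mail platform's admin tooling, such as Exchange Online's `Get-InboxRule` output and the Entra sign-in log: it flags rules that forward or redirect outside the organization, rules that hide finance-related mail or silently delete mail from an executive, single-character rule names, and sign-ins from a country or user agent absent from the user's 30-day baseline, then correlates rule creation times with those sign-ins. The JSON field names, the domain and the fixed clock are assumptions; map your tenant's export to them.

```python
from datetime import datetime, timedelta, timezone

OUR_DOMAIN = "example.com"           # assumption for the demo
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders attackers park hidden mail in; users rarely look here
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}
NOW = datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed export of the compromised mailbox's inbox rules (assumed shape)
RULES = [
    {"name": "Team news", "enabled": True, "created": "2023-11-02T09:00:00+00:00",
     "conditions": {"subject_contains": ["newsletter"]}, "actions": {"move_to": "News"}},
    {"name": "Cleanup", "enabled": True, "created": "2024-05-06T22:49:00+00:00",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"move_to": "RSS Feeds", "mark_as_read": True,
                 "forward_to": ["acct.recv@mail-box.invalid"]}},
    {"name": ".", "enabled": True, "created": "2024-05-06T22:51:00+00:00",
     "conditions": {"from_contains": ["cfo@example.com"]}, "actions": {"delete": True}},
    {"name": "Forward to self", "enabled": True, "created": "2024-01-15T10:00:00+00:00",
     "conditions": {}, "actions": {"forward_to": ["jane.doe@example.com"]}},
]

# Constructed sign-in export (assumed shape): 30 days of history plus the last day
SIGNINS = [
    {"time": "2024-04-10T08:00:00+00:00", "ip": "198.51.100.10", "country": "US",
     "user_agent": "Outlook/16.0", "result": "success", "mfa": True},
    {"time": "2024-04-25T08:05:00+00:00", "ip": "198.51.100.10", "country": "US",
     "user_agent": "Outlook/16.0", "result": "success", "mfa": True},
    {"time": "2024-05-06T02:10:00+00:00", "ip": "198.51.100.10", "country": "US",
     "user_agent": "Outlook/16.0", "result": "success", "mfa": True},
    {"time": "2024-05-06T22:41:00+00:00", "ip": "203.0.113.77", "country": "NG",
     "user_agent": "python-requests/2.31", "result": "success", "mfa": False},
    {"time": "2024-05-07T07:30:00+00:00", "ip": "198.51.100.10", "country": "US",
     "user_agent": "Outlook/16.0", "result": "success", "mfa": True},
]


def audit_rules(rules: list[dict]) -> list[dict]:
    findings = []
    for r in rules:
        if not r.get("enabled", True):
            continue
        acts, conds = r.get("actions", {}), r.get("conditions", {})
        reasons = []
        external = [a for a in acts.get("forward_to", []) + acts.get("redirect_to", [])
                    if not a.lower().endswith("@" + OUR_DOMAIN)]
        if external:
            reasons.append(f"forwards outside {OUR_DOMAIN}: {', '.join(external)}")
        terms = [t for t in conds.get("subject_contains", []) + conds.get("body_contains", [])
                 if t.lower() in FINANCE_TERMS]
        hides = (acts.get("delete") or acts.get("mark_as_read")
                 or acts.get("move_to", "").lower() in HIDE_FOLDERS)
        if terms and hides:
            reasons.append(f"hides finance mail matching {terms}")
        if acts.get("delete") and conds.get("from_contains"):
            reasons.append(f"silently deletes mail from {conds['from_contains']}")
        if len(r.get("name", "").strip()) <= 1:
            reasons.append("blank or single-character rule name")
        if reasons:
            findings.append({"rule": r.get("name"), "created": r.get("created"), "reasons": reasons})
    return findings


def audit_signins(events: list[dict], now: datetime = NOW, baseline_days: int = 30) -> list[dict]:
    """Compare the last 24 hours against the preceding baseline window."""
    cutoff, start = now - timedelta(days=1), now - timedelta(days=baseline_days)
    stamped = [(datetime.fromisoformat(e["time"]), e) for e in events]
    baseline = [e for t, e in stamped if start <= t < cutoff and e["result"] == "success"]
    seen_countries = {e["country"] for e in baseline}
    seen_agents = {e["user_agent"] for e in baseline}
    anomalies = []
    for t, e in stamped:
        if t < cutoff:
            continue
        reasons = []
        if e["country"] not in seen_countries:
            reasons.append(f"new country {e['country']}")
        if e["user_agent"] not in seen_agents:
            reasons.append(f"new user agent {e['user_agent']!r}")
        if e["result"] == "success" and e.get("mfa") is False:
            reasons.append("success without MFA")
        if reasons:
            anomalies.append({"time": e["time"], "ip": e["ip"], "reasons": reasons})
    return anomalies


def correlate(rule_findings: list[dict], anomalies: list[dict], window=timedelta(hours=24)) -> list[dict]:
    """Annotate rules created shortly after an anomalous sign-in."""
    for f in rule_findings:
        if not f.get("created"):
            continue
        created = datetime.fromisoformat(f["created"])
        for a in anomalies:
            delta = created - datetime.fromisoformat(a["time"])
            if timedelta(0) <= delta <= window:
                f["reasons"].append(
                    f"created {int(delta.total_seconds() // 60)} min after anomalous sign-in from {a['ip']}")
    return rule_findings


def run_audit() -> tuple[list[dict], list[dict]]:
    anomalies = audit_signins(SIGNINS)
    return correlate(audit_rules(RULES), anomalies), anomalies


if __name__ == "__main__":
    print(run_audit())
```

The internal "Forward to self" rule and the newsletter rule produce no findings, which is the point: a usable audit has to separate the attacker's rules from the dozens of legitimate ones a mailbox accumulates. The anomalous sign-in (new country, scripted user agent, no MFA) minutes before the rules were created is the evidence you give the investigation of how the account was compromised.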
Recovery:
- Reset the account password and revoke all active sessions
- Remove unauthorized forwarding rules and app permissions
- Notify recipients of fraudulent emails
- Review and strengthen MFA configuration
- Implement additional BEC protections (DMARC, impersonation protection)
Use these scenarios for annual tabletop exercises to test your IR plan:
On a Monday morning, multiple employees report that their files have been encrypted and a ransom note demands $500,000 in Bitcoin. IT discovers that the file server, domain controller, and 40% of workstations are affected. The attacker claims to have exfiltrated customer data and threatens to publish it.
Discussion Questions:
- Who do we notify first?
- Do we have clean backups? How quickly can we restore?
- How do we determine if data was actually exfiltrated?
- What is our position on ransom payment?
- What are our notification obligations?
HR notifies you that a senior engineer submitted their resignation. The next day, the SIEM alerts that the engineer copied 50GB of files to a personal cloud storage account, including source code and customer databases, outside of normal working hours.
A critical software vendor announces that their update server was compromised and a malicious update was distributed to all customers over the past 30 days. Your organization deployed this update to all servers two weeks ago.
The CFO receives an urgent email from the CEO (who is traveling abroad) requesting an immediate wire transfer of $250,000 to a new vendor. The finance team processes the transfer. Two hours later, the real CEO calls in and denies sending the email.
- incident-response-plan-template.md — Full IR plan in markdown (this document without the overview sections)
- incident-report-form.md — Individual incident documentation form
- playbooks/ransomware.md — Standalone ransomware playbook
- playbooks/phishing.md — Standalone phishing playbook
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- CISA Incident Reporting — Report incidents to CISA
- FBI IC3 — Report internet crimes
- No More Ransom Project — Free ransomware decryption tools
- CMMC Compliance Checklist — CMMC Level 2 self-assessment
- HIPAA Security Risk Assessment Template — HIPAA SRA template
- Cybersecurity Awareness Training Materials — Free training resources
For organizations needing expert guidance on incident response planning and cybersecurity, Petronella Technology Group provides:
- Incident response planning and plan development
- Tabletop exercise facilitation with realistic scenarios
- Managed detection and response (MDR) services
- Digital forensics and incident response (DFIR) retainers
- Security Operations Center (SOC) services
- Vulnerability assessment and penetration testing
Visit petronellatech.com/cyber-security/ to learn more about our cybersecurity services.
Having a document on a shelf doesn't mean your organization can execute under pressure. The majority of organizations that suffer a breach discover gaps in their IR plan during the incident itself — when it's too late to fix them.
- No one knows their role — The plan names a team, but those people have never practiced their responsibilities
- Communication plans fail — Contact lists are outdated, notification templates don't exist, legal counsel isn't pre-engaged
- Containment decisions take too long — Without pre-authorized actions, every step requires executive approval while the attacker moves laterally
- Evidence is destroyed — Well-meaning IT staff reimage systems before forensic collection, eliminating the ability to determine scope
Organizations with a tested IR plan contain breaches faster and save an average of $1.49M per incident compared with those that have little or no IR planning and testing (IBM Cost of a Data Breach Report).
This template gives you the document. We help you build the capability.
Petronella Technology Group provides incident response planning, tabletop exercises, and 24/7 breach response services.
| Service | What You Get |
|---|---|
| Free IR Readiness Assessment | 30-minute review of your current incident response capability |
| Tabletop Exercise | Facilitated scenario-based exercise with your team (ransomware, BEC, data breach) |
| IR Plan Development | Custom plan aligned to NIST 800-61 and your regulatory requirements |
| 24/7 Breach Response | On-call forensics team for active incidents (retainer or on-demand) |
→ Schedule a Free IR Assessment | Call (919) 422-8500
This incident response plan template is maintained by Petronella Technology Group, a cybersecurity and IT compliance firm headquartered in Raleigh, North Carolina. Founded in 2002, Petronella Technology Group has over 23 years of experience helping organizations prepare for, detect, and respond to cybersecurity incidents.
- CMMC Compliance Checklist
- HIPAA Security Risk Assessment Template
- NIST 800-171 Controls Matrix
- Cybersecurity Awareness Training Materials
This template is provided for informational purposes and should not be considered legal advice. Organizations should consult with qualified cybersecurity and legal professionals for their specific incident response needs.
Licensed under CC-BY-SA-4.0. Contributions welcome — see CONTRIBUTING.md.