Incident Response

Incident response is the organised and planned approach to detecting, containing, eliminating and recovering from a cybersecurity incident. A well-documented and practised incident response plan significantly reduces the damage and recovery time following an attack.



The incident response phases

NIST's incident response framework (SP 800-61) defines four phases:

• Preparation: Establish plans, teams and tools before an incident occurs. This includes defining roles, creating playbooks and ensuring that logging and monitoring are in place.
• Detection and analysis: Detect, identify and classify the incident's scope and severity using monitoring tools, threat intelligence and established indicators of compromise.
• Containment, eradication and recovery: Limit the damage, remove the root cause and restore normal operations. This phase often involves isolating affected systems, removing malware and restoring from backups.
• Post-incident activity: Conduct a thorough post-incident analysis, document lessons learnt and update procedures to prevent recurrence.

The incident response plan

An incident response plan (IRP) documents what the organisation does when a security incident occurs. It should contain:

• Contact lists and escalation procedures for key personnel
• Communication plans for both internal and external stakeholders
• Clearly defined roles and responsibilities for the response team
• Playbooks for specific incident types (ransomware, data breaches, phishing)
• Criteria for determining incident severity levels
• Legal and regulatory notification requirements

Test your plan:
A plan that has never been exercised is not a plan. Regular tabletop exercises, where the team simulates an incident, reveal gaps and ensure that everyone knows their roles under pressure. Annual testing is a minimum; quarterly exercises are recommended for high-risk organisations.

CSIRT and incident response teams

A CSIRT (Computer Security Incident Response Team) is a dedicated group responsible for incident response. Even without a dedicated security team, clear roles should be assigned: who leads the response, who communicates with management, who contacts authorities and who is technically responsible.

Notification obligations

Certain incidents trigger statutory notification obligations. GDPR Article 33 requires notification to the supervisory authority within 72 hours for breaches posing a risk to data subjects. NIS2 requires initial notification within 24 hours. DORA has similar requirements for financial entities. The incident response plan must include a clear process for each type of notification.

Frequently Asked Questions about Incident Response

What is incident response?

Incident response is the organised and planned approach to detecting, containing, eliminating and recovering from a cybersecurity incident. It aims to minimise damage, reduce recovery time and prevent recurrence.

What are the four phases of incident response?

According to NIST SP 800-61, the four phases are: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Each phase has distinct objectives and activities.

What should an incident response plan contain?

An incident response plan should contain contact lists, escalation procedures, communication plans, roles and responsibilities, playbooks for specific incident types, severity classification criteria and legal notification requirements.

What is a CSIRT?

A CSIRT (Computer Security Incident Response Team) is a dedicated group responsible for handling cybersecurity incidents. It can be an internal team or an external service, and national CSIRTs coordinate incident response at country level.

How often should you test your incident response plan?

Annual testing is a minimum, but quarterly tabletop exercises are recommended for high-risk organisations. Testing reveals gaps in the plan and ensures that team members know their roles under pressure.
