Incident Response Plan

An incident response plan is a documented plan for how your organisation detects, handles and recovers from a cyberattack or serious IT incident. Under NIS2, documented incident response plans and regular testing are a requirement for all essential and important entities.

    What is an incident response plan?

    An incident response plan (also known as a cyber incident response plan or IT contingency plan) is a structured, pre-approved document that defines who does what when a security incident occurs. The plan ensures that the organisation can react quickly, limit damage and restore normal operations as efficiently as possible.

    Without a documented plan, incident response tends to be ad hoc, slow and error-prone — precisely when speed and clarity matter most. A well-tested plan is closely linked to business continuity management and forms part of the organisation’s overall resilience strategy.

    NIS2 requirements for incident response plans

    Under NIS2 Article 21, essential and important entities must implement measures for incident handling, business continuity and crisis management. This explicitly includes:

    • Documented procedures for detecting, analysing and classifying incidents.
    • Incident reporting to the relevant CSIRT or competent authority within the mandated timeframes (early warning within 24 hours, full notification within 72 hours).
    • Defined escalation procedures and communication channels.
    • Regular testing and revision of the plan (e.g. through tabletop exercises or simulations).

    Testing is not optional: NIS2 expects organisations to test their incident response plans regularly. An untested plan provides a false sense of security. Tabletop exercises and simulated incident drills reveal gaps before a real incident does.

    What should an incident response plan contain?

    A comprehensive incident response plan typically covers the following phases:

    • Preparation: Defining the incident response team, roles and responsibilities, communication channels, and escalation thresholds.
    • Detection and analysis: How incidents are detected (monitoring, alerts, reports), how they are triaged and classified by severity.
    • Containment: Immediate actions to limit the spread and impact of the incident (e.g. isolating affected systems, blocking malicious traffic).
    • Eradication and recovery: Removing the root cause, restoring systems from backups, and verifying that the environment is clean before returning to normal operations.
    • Post-incident review: Documenting what happened, what worked, what did not, and what improvements should be made. Lessons learned should feed back into the plan.

    Incident response plan and other frameworks

    The incident response plan is not unique to NIS2. ISO 27001 addresses incident management through controls 5.24–5.28, and NIS2 security measures align closely with these requirements. The plan should also reference relevant CSIRT contact details and the organisation’s ICT continuity plan for recovery procedures.

    Regardless of framework, the key success factor is the same: the plan must be known, accessible and regularly tested by the people who will need to execute it under pressure.

    Frequently Asked Questions about Incident Response Plan

    What is an incident response plan?

    An incident response plan is a documented, pre-approved plan that defines how an organisation detects, handles and recovers from cyberattacks or serious IT incidents. It specifies roles, responsibilities, procedures and communication channels.

    Does NIS2 require an incident response plan?

    Yes. NIS2 Article 21 requires essential and important entities to implement measures for incident handling, business continuity and crisis management, which includes having a documented and regularly tested incident response plan.

    How often should the incident response plan be tested?

    NIS2 expects regular testing. Best practice is to conduct at least one major exercise (e.g. a tabletop exercise or full simulation) annually, supplemented by smaller drills. The plan should also be reviewed and updated after every real incident.

    What are the main phases of incident response?

    The standard phases are: (1) preparation, (2) detection and analysis, (3) containment, (4) eradication and recovery, and (5) post-incident review. Each phase has defined actions, responsibilities and documentation requirements.

    What is the difference between an incident response plan and a business continuity plan?

    An incident response plan focuses on detecting, containing and resolving a specific security incident. A business continuity plan is broader and covers how the organisation maintains or restores critical business functions during and after any type of disruption, not only cyber incidents.
