
Your Incident Response Plan: The Document You'll Wish You Had at 2 a.m. (Free Outline)

Picture it: 2 a.m., systems are down, staff are messaging you in a panic, and nobody is sure who to call or what to do first. The businesses that get through that moment well almost always have one thing in common — they wrote a single document before it happened.

That document is an incident response plan. Here’s how to build one, with a free outline you can adapt today.

What an incident response plan actually is

Forget the image of a 100-page binder nobody reads. A useful incident response plan is a short, practical playbook that answers, in advance, the questions you won’t want to be working out under pressure: What’s happening? Who does what? Who do we call? What do we say?

The whole point is to move decisions out of the panic and into a calm moment beforehand.

The free outline

Here’s a structure that works for most small and mid-sized businesses. Keep each section short and concrete.

1. Roles and contacts. Who leads the response, who makes decisions, and who handles communications. Include external contacts too: your security provider, legal counsel, cyber-insurance provider, and bank.

2. What counts as an incident. A simple definition and a few severity levels, so a minor issue and a true crisis each get the right response.

3. Detection and reporting. How staff report something suspicious — and to whom. Make this dead simple; a reported issue is an early warning.

4. Containment. First steps to limit the damage — for example, isolating affected devices from the network without powering them off.

5. Eradication and recovery. Removing the threat and safely restoring systems from clean backups.

6. Communication. Who needs to be told and when — leadership, staff, customers, and regulators. In Canada, remember that PIPEDA may require you to report a breach to the Privacy Commissioner and to affected individuals.

7. Post-incident review. After the dust settles: what happened, how it got in, and what changes prevent a repeat.

Three rules that make the plan actually work

  • Keep it short. A plan people can read in ten minutes is a plan people will use.
  • Test it. Walk through a realistic scenario once or twice a year. A plan that’s never been tested is just a guess.
  • Keep an offline copy. If your network is down, a plan saved only on that network is useless. Print it, or keep it somewhere you can always reach.

You don’t have to write it alone

The hardest part of an incident response plan isn’t the outline; it’s having the experience to know what really happens during an incident and what you’ll actually need. That’s something a security partner brings to the table.

If you’d like help building or testing a plan that fits your business, get in touch — and if you’re facing an incident right now, go straight to our emergency response page.
