AuditRubric
Control id-im-4 · Severity: critical · Function: Identify / Improvement

Incident response plans and cybersecurity plans are established, maintained, and improved

An incident response plan that exists only as a document nobody has read is not an incident response capability. The plan needs to reflect your current environment, be tested regularly, and be updated based on real incidents and exercises. Organizations without a tested IR plan consistently take longer to contain breaches and incur higher costs than those with one.

Estimated effort: 8h
Tags: incident-response, ir-plan, playbook, tabletop, bcdr

Implementation steps

  1. Write an incident response plan covering the full lifecycle

    Document the full incident response process: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. Include specific playbooks for the highest-probability incident types: ransomware, data breach, account compromise, DDoS. Each playbook should describe who does what, in what order, using what tools. Keep the language concrete enough that someone can follow it under stress.

    Tools: Confluence, Notion, Google Docs
  2. Test the plan through tabletop exercises at least annually

    Run a tabletop exercise at least once a year, using a realistic scenario relevant to your business. Walk through the plan from detection through recovery. Identify gaps: Who has the authority to take the system offline? Do we have the right contact for the cloud provider? Where are the decryption keys stored if our admin is unavailable? Capture and fix the gaps.

  3. Update the plan after every major incident or exercise

    After any significant incident or tabletop exercise, hold a post-incident review and update the IR plan to reflect lessons learned. Track changes with version numbers and dates. Ensure the most current version is accessible to all responders, including in an offline location in case the incident affects your documentation systems.

    Tools: Confluence, Notion, Google Docs

Evidence required

Incident response plan document

A current, versioned incident response plan covering the full response lifecycle with playbooks for key incident types.

  • IR plan document with current version date and owner
  • Incident playbooks for ransomware, data breach, and account compromise
  • Contact list for incident response team included in the plan

Tabletop exercise records

Documentation from at least one annual tabletop exercise testing the IR plan, including findings and action items.

  • Tabletop exercise after-action report from the past 12 months
  • Exercise scenario and participant list
  • Action items list from the exercise with completion tracking

Related controls