Incident Response Plan Template: Complete Guide to Building a Cyber Incident Response Plan (2026)

An incident response plan is a documented set of procedures that defines how an organisation detects, contains, eradicates, and recovers from cybersecurity incidents, required under GDPR (72-hour notification), NIS2 (24-hour early warning), and DORA (4-hour initial report) to meet mandatory breach reporting timelines.

When a ransomware attack encrypts your production servers at 2 AM on a Saturday, the difference between a disciplined 4-hour containment and a chaotic 4-week crisis comes down to one thing: whether you had a tested incident response plan before the attack happened.

The statistics are sobering. Organisations with a tested incident response plan save an average of $2.66 million per breach compared to those without one (IBM Cost of a Data Breach Report 2025). Under the GDPR, you have 72 hours to notify the supervisory authority of a personal data breach. Under NIS2, it's 24 hours for an early warning. Under DORA, the initial notification window is 4 hours for major ICT incidents. These timelines leave zero room for figuring out your plan during the crisis.

This guide provides a complete, practical framework for building a cyber incident response plan that satisfies regulatory requirements, aligns with the NIST incident response framework, and — most importantly — actually works when you need it.

Quick Reference	Details
What is an incident response plan?	A documented set of procedures for detecting, containing, eradicating, and recovering from security incidents
Key framework	NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide)
GDPR notification deadline	72 hours to supervisory authority; "without undue delay" to data subjects (if high risk)
NIS2 notification deadline	24 hours (early warning), 72 hours (incident notification), 1 month (final report)
DORA notification deadline	4 hours (initial), 72 hours (intermediate), 1 month (final)
Key roles	Incident Commander, Technical Lead, Communications Lead, Legal Counsel, DPO
Testing frequency	Tabletop exercises: at least twice per year; Full simulation: annually
ISO 27001 requirement	Annex A.5.24–A.5.28 (Information security incident management)
Average cost saving	$2.66 million per breach with tested IR plan (IBM 2025)

Regulation	Requirement	Key Articles
GDPR	Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify data subjects without undue delay if high risk	Articles 33, 34
NIS2	Early warning within 24 hours; incident notification within 72 hours; final report within 1 month	Article 23
DORA	Initial notification within 4 hours of classification; intermediate report within 72 hours; final report within 1 month	Article 19
ISO 27001	Information security incident management procedures (detect, report, assess, respond, learn)	Annex A.5.24–A.5.28
SOC 2	Incident response procedures as part of Security common criteria	CC7.3–CC7.5
PCI DSS 4.0	Incident response plan that is tested annually	Requirement 12.10
HIPAA	Security incident procedures; breach notification within 60 days	§164.308(a)(6), §164.404
SEC Cybersecurity Rules	Material cybersecurity incident disclosure within 4 business days	Form 8-K, Item 1.05

Role	Responsibility	Who Fills It
Incident Commander (IC)	Overall leadership; makes escalation/de-escalation decisions; coordinates all workstreams	CISO, vCISO, or senior security leader
Technical Lead	Leads technical investigation, containment, eradication, and recovery	Senior security engineer or SOC lead
Communications Lead	Manages all internal and external communications	Head of Communications, PR, or marketing
Legal Counsel	Advises on regulatory obligations, notification requirements, privilege	General Counsel or external privacy/cyber law firm
Data Protection Officer (DPO)	Assesses personal data impact; advises on GDPR notification	DPO (internal or external)
Business Liaison	Represents affected business units; assesses business impact	Business unit head or operations manager
IT Operations	Provides infrastructure support; implements technical containment	IT team lead
HR Representative	Handles employee-related incidents (insider threat, affected employee data)	HR manager

Role	When Activated
External forensics firm	Major breach requiring forensic investigation; litigation anticipated
Cyber insurance broker	Any incident that may trigger insurance coverage
External legal counsel	Cross-border incidents; regulatory investigations; litigation risk
Crisis PR firm	Incidents likely to attract media attention
Law enforcement	Criminal activity (ransomware, insider theft, fraud)

Severity	Name	Criteria	Response Level	Examples
SEV-1	Critical	Business-critical systems down; large-scale data breach confirmed; ransomware across infrastructure	Full team activation; executive notification; potential regulator notification	Ransomware encrypting production; confirmed breach of >10K records; complete service outage
SEV-2	High	Significant security incident; limited data exposure confirmed; important systems affected	Core team activation; management notification	Phishing compromise of admin account; limited data breach (under 10K records); targeted attack detected
SEV-3	Medium	Security incident contained to limited scope; no confirmed data exposure	Technical team response; incident commander notified	Malware on single endpoint; suspicious activity on non-critical system; failed attack attempt
SEV-4	Low	Minor security event; no business impact; easily remedied	Technical team handles; logged for tracking	Phishing email reported (no click); vulnerability scan finding; minor policy violation

Trigger	Escalation Action
Data breach confirmed (any personal data)	Escalate to SEV-2 minimum; activate DPO and Legal
Ransomware detected	Escalate to SEV-1 immediately
Incident involves customer data	Escalate to SEV-2 minimum; activate Communications Lead
Media enquiry about the incident	Activate Crisis PR; escalate to SEV-1
Law enforcement contact	Activate Legal Counsel immediately
Incident spreads to additional systems	Increase severity by one level
Unable to contain within 4 hours	Increase severity by one level

#	Activity	Deliverable
1	Define and document the incident response plan	Written IRP (this document)
2	Establish the incident response team with named individuals and alternates	Team roster with contact details (24/7)
3	Define severity classification criteria	Severity matrix (above)
4	Create escalation procedures	Escalation flowchart
5	Prepare communication templates (internal, regulator, customer, media)	Template library
6	Deploy detection tools (SIEM, EDR, IDS/IPS, DLP)	Monitoring infrastructure operational
7	Establish logging and evidence preservation procedures	Log retention policy; forensic imaging procedures
8	Conduct tabletop exercises (minimum twice per year)	Exercise reports with lessons learned
9	Train all employees on incident reporting	Awareness training records
10	Establish relationships with external parties (forensics firm, legal, insurance, law enforcement)	Retainer agreements; contact details
11	Define regulatory notification workflows per regulation (GDPR, NIS2, DORA)	Notification decision trees
12	Create a secure communication channel for incident response (not on potentially compromised infrastructure)	Out-of-band communication channel (e.g., separate messaging platform, phone bridge)

Source	What It Detects	Response
SIEM alerts	Anomalous patterns, correlation of events	Triage by SOC; investigate if confirmed
EDR/XDR alerts	Endpoint compromise, malware, suspicious processes	Automated containment + analyst review
IDS/IPS	Network intrusion attempts	Block + investigate
User reports	Phishing emails, suspicious activity, social engineering	Report to security team; triage
Threat intelligence	IOCs matching your environment, industry-specific threats	Proactive hunt; check for exposure
Vendor notifications	Vendor breach affecting your data	Assess impact; activate vendor incident procedures
External notifications	Regulatory contact, law enforcement, researcher disclosure	Immediate escalation to IC and Legal
Dark web monitoring	Stolen credentials, data for sale	Investigate scope; reset affected accounts

Step	Activity	Output
1	Triage — Is this a real incident or a false positive?	Confirmed or dismissed
2	Classify — What type of incident is this? (malware, phishing, breach, DoS, insider)	Incident type
3	Assess severity — Apply the severity classification matrix	Severity level (SEV-1 to SEV-4)
4	Scope — What systems, data, and users are affected?	Scope assessment
5	Determine impact — Business impact, data exposure, regulatory implications	Impact assessment
6	Preserve evidence — Begin logging and evidence collection; create forensic images if needed	Evidence log
7	Notify — Alert the appropriate team members per severity level	Notification records

Containment Type	When to Use	Examples
Short-term containment	Immediately; stop active threat	Isolate affected system from network; disable compromised account; block malicious IP
Long-term containment	After initial analysis; maintain business continuity	Move to clean systems; implement temporary network segmentation; apply emergency patches

Activity	Details
Remove malware	Clean affected systems using EDR/AV tools or reimage from known-good baseline
Close attack vector	Patch the vulnerability that was exploited; disable the compromised credential
Reset credentials	All credentials that may have been compromised; consider broad password reset for SEV-1
Verify removal	Scan all potentially affected systems; verify no persistence mechanisms remain
Update defences	Add IOCs to blocklists; update detection rules

Step	Activity	Verification
1	Restore from clean backups (verify backup integrity first)	System operational; data integrity verified
2	Rebuild compromised systems from known-good images	Security baseline confirmed
3	Re-enable network connectivity gradually	Monitor for recurrence
4	Verify all patches and security controls are in place	Vulnerability scan clean
5	Monitor closely for 48–72 hours post-recovery	No signs of re-infection or continued attack
6	Return to normal operations	Incident Commander declares incident closed

PIR Element	Questions to Answer
Timeline	What happened, in what order, and when?
Detection	How was the incident detected? How long did it take? Could we have detected it sooner?
Response	What worked well in our response? What didn't? Where did we lose time?
Communication	Were the right people notified at the right time? Were external communications effective?
Containment	Was containment effective? Did the incident spread after initial containment?
Root cause	What was the root cause? Was it a technical failure, process failure, or human factor?
Impact	What was the actual impact? (Data exposed, systems affected, cost, downtime)
Improvements	What specific changes to policies, procedures, controls, or training would prevent recurrence or improve response?

Deliverable	Description
Incident report	Complete timeline, analysis, impact assessment, root cause
Action items	Specific improvements with owners and deadlines
Metrics update	Update MTTD, MTTR, and other incident metrics
Plan update	Revise the incident response plan based on lessons learned
Training update	Identify and schedule additional training needs

Regulation	Initial Notification	Follow-Up	Final Report	Who to Notify
GDPR	72 hours (from awareness)	N/A	N/A (but cooperate with SA)	Supervisory authority; data subjects (if high risk)
NIS2	24 hours (early warning)	72 hours (incident notification)	1 month (final report)	CSIRT or competent authority
DORA	4 hours (from classification)	72 hours (intermediate report)	1 month (final report)	Competent financial authority
PCI DSS	"Immediately"	As required by card brands	As required	Acquirer, card brands, potentially cardholders
HIPAA	60 days (to HHS); "without unreasonable delay" to individuals	N/A	Annual log to HHS (for under 500 records)	HHS; affected individuals; media (if over 500 in a state)
SEC	4 business days (Form 8-K) for material incidents	Ongoing 10-K/10-Q disclosure	N/A	SEC; investors (public filing)

Section	Content
1. Purpose and Scope	What this plan covers; applicable regulations; scope (all incidents vs. specific types)
2. Definitions	Key terms: incident, breach, event, severity levels
3. Incident Response Team	Roles, named individuals, alternates, contact details (24/7)
4. Severity Classification	4-level severity matrix with criteria and examples
5. Detection and Reporting	How incidents are detected; how employees report; initial triage process
6. Escalation Procedures	Who to notify at each severity level; escalation triggers
7. Containment Procedures	Short-term and long-term containment by incident type
8. Eradication and Recovery	Steps to remove threat and restore operations
9. Evidence Handling	Chain of custody; forensic imaging; log preservation
10. Regulatory Notification	Decision trees and timelines for GDPR, NIS2, DORA; pre-drafted templates
11. Communication Procedures	Internal, customer, media, regulator communication templates and approvals
12. Post-Incident Review	PIR process, timeline, deliverables
13. Testing and Exercises	Tabletop exercise schedule; full simulation plan
14. Plan Maintenance	Review schedule; version control; change log
Appendix A	Contact list (all team members, external parties, regulators)
Appendix B	Communication templates (all types)
Appendix C	Incident log template
Appendix D	Evidence handling procedures

Phase	Duration	Activity
Introduction	10 minutes	Ground rules, objectives, scenario overview
Inject 1	20 minutes	Initial detection — how do you respond?
Inject 2	20 minutes	Escalation — incident is worse than initially thought
Inject 3	20 minutes	Regulatory and communication — notification decisions
Inject 4	15 minutes	Recovery — returning to normal operations
Debrief	30 minutes	What worked? What didn't? Action items

#	Scenario	Tests
1	Ransomware attack — Production servers encrypted on a Friday evening	Containment, backup recovery, executive communication, ransom payment decision
2	Data breach via vendor — Third-party SaaS provider notifies you of a breach affecting your customer data	Vendor incident management, GDPR notification, customer communication
3	Insider threat — Employee downloads large volumes of sensitive data before giving notice	Detection, HR coordination, legal considerations, evidence preservation
4	Business email compromise — CFO's email compromised; fraudulent wire transfer requested	Financial controls, account compromise response, fraud investigation
5	Zero-day exploit — Critical vulnerability actively exploited; no patch available	Emergency containment, compensating controls, regulatory notification

#	Mistake	Consequence	Prevention
1	No plan exists	Chaotic response; missed notifications; greater damage	Create and test the plan before you need it
2	Plan exists but never tested	Plan has gaps; team doesn't know their roles; process fails under pressure	Run tabletop exercises at least twice per year
3	No defined Incident Commander	Multiple people making conflicting decisions; nobody in charge	Designate IC with clear authority; train alternates
4	Slow or missed detection	Attackers have more time to cause damage; breach expands	Invest in detection tools (SIEM, EDR); monitor 24/7 or use MDR
5	Destroying evidence	Can't determine root cause; hampers investigation; legal issues	Train team on evidence preservation; forensic imaging before remediation
6	Missing regulatory notification deadlines	Fines, regulatory scrutiny, loss of trust	Pre-drafted templates; notification decision tree; assign DPO/Legal to monitor deadlines
7	Communicating too much or too little externally	Speculation causes panic; silence causes suspicion	Prepared templates; Legal/PR review before external communications
8	Skipping post-incident review	Same vulnerabilities exploited again; no improvement	Mandatory PIR within 10 business days; action items tracked to closure
9	Using compromised channels to coordinate response	Attacker observes your response; undermines containment	Establish out-of-band communication channel in advance
10	Not involving Legal early enough	Privileged communications not protected; regulatory missteps	Legal Counsel on the core team; activated from SEV-2 upwards

Level	Name	Characteristics
Level 1: Ad Hoc	No plan; react to incidents individually; no defined roles; no post-incident learning
Level 2: Planned	Written IRP exists; team defined; basic detection tools; limited testing
Level 3: Tested	Regular tabletop exercises; notification procedures tested; roles well understood; post-incident reviews conducted
Level 4: Measured	Metrics tracked (MTTD, MTTR); continuous improvement based on data; automated detection and containment; integrated with business continuity
Level 5: Optimised	Threat-intelligence-driven response; automated playbooks for common scenarios; proactive threat hunting; industry-leading response times; regular cross-functional exercises

Metric	Definition	Target
MTTD (Mean Time to Detect)	Time from incident occurrence to detection	Decrease over time
MTTR (Mean Time to Respond)	Time from detection to containment	Under 4 hours for SEV-1
MTTC (Mean Time to Contain)	Time from detection to full containment	Under 24 hours for SEV-1
Total incidents by severity	Volume and trend of incidents	Track trend
False positive rate	Percentage of alerts that are not real incidents	Decrease over time
Notification compliance	Percentage of incidents where notification deadlines were met	100%
PIR completion rate	Percentage of incidents with completed post-incident reviews	100% for SEV-1/2
Action item closure rate	Percentage of PIR action items closed on time	>90%

Incident Response Plan Template: Complete Guide to Building a Cyber Incident Response Plan (2026)

Share article

Need help with compliance?

Key Takeaways

Table of Contents

What Is an Incident Response Plan?

Why You Need One (Regulatory Requirements)

The NIST Incident Response Framework

Incident Response Team: Roles and Responsibilities

Core Team

Extended Team (Activated as Needed)

Incident Commander Model

Incident Severity Classification

Escalation Triggers

Phase 1: Preparation

Preparation Checklist

Phase 2: Detection and Analysis

Detection Sources

Analysis Steps

Phase 3: Containment, Eradication, and Recovery

Containment

Eradication

Recovery

Phase 4: Post-Incident Activity

Post-Incident Review (PIR)

PIR Deliverables

Regulatory Notification Requirements

Notification Decision Tree

Notification Timelines Comparison

Pre-Drafted Notification Content

Incident Response Plan Template

Document Structure

Communication Templates

Template 1: Internal Executive Notification

Template 2: Supervisory Authority Notification (GDPR Art. 33)

Tabletop Exercise Guide

What Is a Tabletop Exercise?

Exercise Structure

Sample Scenarios

Common Incident Response Mistakes

Incident Response Maturity Model

Frequently Asked Questions

How often should we test our incident response plan?

What's the difference between an incident and a breach?

Do we need 24/7 incident response capability?

Should we pay ransomware demands?

How do we handle incidents involving a vendor/third party?

What metrics should we track for incident response?

Do we need cyber insurance for incident response?

How does incident response relate to business continuity?

Related Resources

Related Articles

Conclusion

Related Articles

Incident Response Plan Template: Free GDPR & NIS2 Compliant (2026)

Information Security Policy Template: Free ISO 27001 & NIS2 Aligned (2026)

ISO 27001 Certification Cost: What to Expect (2026)