Knowledge base Updated: February 5, 2026

How do you build an incident response plan and test it with funding from Cyber Secure Local Government?

You've invested in the best defense systems, trained your employees and feel your digital fortress is secure. But what if an attacker nevertheless finds a vulnerability and gets inside? Panic, chaos and ill-considered actions can do more damage than the attack itself. That's why you need a plan for

There is one fundamental principle in cyber security that every mature organization must embrace: it is not a question of “if” but “when” a successful attack will occur. Even with the best, multi-layered security, with cybercriminals’ ever-evolving techniques and the ever-present human factor, we must assume that our defenses will be breached at some point. This is not pessimism. It’s realism, which is the starting point for building true resilience.

When that moment arrives - when a ransom demand appears on screens, when data disappears from a key server, when the office’s website is defaced - the organization has two roads ahead. It can act in chaos, improvising, making panicky and often contradictory decisions, wasting priceless time and deepening the crisis. Or it can launch a thoughtful, rehearsed and calm step-by-step process that allows it to control the situation, minimize the damage and return to normal operations as soon as possible.

That process is the Incident Response Plan (IRP). This is not just another bureaucratic document to lie on a shelf. It’s a detailed emergency manual that turns chaos into order. The good news is that the “Cyber Secure Local Government” program allows you not only to fund the creation of such a plan, but also, crucially, to test it on a regular basis.


Why will even the best preventive safeguards fail at some point?

Building prevention is absolutely fundamental. Firewalls, antivirus systems, strong passwords and employee training are essential elements that block the vast majority of everyday threats. However, the threat landscape is dynamic. New, previously unknown vulnerabilities (so-called zero-day vulnerabilities) are discovered constantly, and attackers keep refining their social engineering techniques, producing ever more convincing lures.

All it takes is one mistake, one moment of inattention, one software vulnerability not patched in time for an attacker to gain a foothold. The “castle and moat” philosophy, which assumes that we can build an impenetrable wall, is an illusion in today’s world. A mature approach to security, known as “assume breach,” accepts that compromise will eventually occur and designs for that moment.

That’s why, in addition to investing in prevention (i.e., making sure an attack doesn’t happen), we need to invest in parallel in detection and response capabilities (i.e., what we do once an attack has begun). It is these two legs - prevention and response - that form the stable basis for real resilience.

📚 Read the complete guide: SOC: Security Operations Center - what it is, how it works, how to choose one

What is an Incident Response Plan (IRP), and why is it an “emergency manual”?

An Incident Response Plan is a formalized, written document that outlines precisely how your organization is to proceed in the event of a cyber security incident. It is a detailed roadmap that guides your team step-by-step through the chaos of a crisis, ensuring that the response is quick, consistent and effective.

The IRP answers fundamental questions that no one should have to ask themselves for the first time when attacked. Who is responsible for coordinating operations? Who should be notified and in what order? What are the first technical steps to be taken to stop the threat? How to communicate with management, employees and, if necessary, the media or law enforcement?

Having such a plan is like having evacuation instructions for a fire. The moment the alarm sounds, no one is running around in a panic, wondering where the emergency exits are. Everyone knows what to do because the procedure has been defined and rehearsed beforehand. The IRP plays exactly the same role in the digital world.

What is the difference between chaotic improvisation and organized response?

The difference is fundamental and often determines the extent of the damage. In an organization without a plan, the detection of an incident sets off an avalanche of chaos. The IT specialist who first noticed the problem doesn’t know who to notify. They try to “fix” the system on their own, often destroying key evidence in the process. Decision makers find out about the problem late, and the information given to them is incomplete and contradictory. Decision-making paralysis reigns.

In an organization that owns and has practiced its IRP, the situation is quite different. Detection of an incident triggers a defined escalation chain. The relevant people are immediately informed. An Incident Response Team (CSIRT) is established and takes over coordination. Each member of the team knows his or her role and tasks.

Technical actions are taken in accordance with the playbook prepared in advance. Communication with management is regular and fact-based. Decisions are made quickly and in an informed manner. Instead of chaos and panic, there is an organized, professional operation aimed at controlling the crisis as quickly as possible and restoring normal operations.

Of what key steps, from preparation to lessons learned, does a professional IRP consist?

A professional IRP is built on a proven cyclic model drawn from established frameworks. The six phases below follow the widely used SANS incident-handling model; NIST SP 800-61 describes the same life cycle in four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). The phases are:

  • Preparation: This is the most important phase, carried out “in peacetime.” It includes the creation of a plan, the appointment and training of a team, the preparation of tools, and regular exercises.

  • Identification: In this phase, we detect and verify the incident. We analyze alerts and data to confirm that we are dealing with a real threat and not a false alarm.

  • Containment: The goal is to limit the spread of the attack as quickly as possible and minimize the damage, for example by isolating infected systems.

  • Eradication: Once the situation is under control, the root cause of the incident - the malware and all traces left by the attacker, including any accounts or backdoors they created - is removed from the network.

  • Recovery: Systems are restored to normal, safe operation from clean backups, after verifying that the backups themselves were not encrypted or tampered with.

  • Lessons Learned: Once the crisis is over, the team analyzes the incident and response to identify weaknesses and improve the plan for the future.

Who should be part of the Incident Response Team (CSIRT) in a local government?

An effective Computer Security Incident Response Team (CSIRT) must be a cross-functional structure. An IT team alone is not enough. After all, a cyber security incident in an office has not only technical, but also legal, communication and operational implications.

The core of the team is, of course, the technical staff - system administrators, network specialists and, if possible, security specialists. They are the ones who will perform operational activities. However, the team must also include:

  • A representative of the management (e.g., the Municipal Secretary), who leads the team, makes key decisions and is the liaison to the head of the local government unit.

  • The Data Protection Officer (DPO), who assesses whether the incident is a personal data breach under the GDPR (RODO) that must be notified to the data protection authority (in Poland, the President of UODO) within 72 hours.

  • Legal counsel, who evaluates other legal and contractual implications.

  • A communications representative or press officer, who manages external communications if the incident becomes public.

What are “playbooks,” or ready-made scenarios for the most common attacks, like ransomware?

The IRP is a strategic document that describes the general framework for action. For the specific attack types an office is most likely to face, however, it pays to create much more detailed instructions, called playbooks or response scenarios.

A playbook is, in effect, a step-by-step checklist for the technical team. For example, a playbook for “Responding to a ransomware attack” could include the following points:

  1. Immediately isolate the infected machine from the network (unplug the cable or disable the adapter; do not power it off, so that volatile evidence in memory is not lost).

  2. Identify the type of ransomware (the extension appended to encrypted files and the text of the ransom note are the usual clues).

  3. Secure evidence (logs, a malware sample, the ransom note), recording who collected what and when.

  4. Check the status and integrity of backups, including whether the attacker reached the backup systems.

  5. Do not pay the ransom.

  6. Start the restoration procedure from the backup on clean hardware.

Having such ready-made scenarios for the 3-4 most common threats (ransomware, phishing leading to account compromise, data leakage) drastically reduces response time and minimizes the risk of making a mistake under stress.
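As an added example (not code from the original article or from the program), the following Python script shows what the technical side of playbook steps 1 to 3 can look like when automated: it scans constructed file-server event lines for the burst of same-extension renames and the ransom-note drop that mark an encryptor at work, reports the appended extension as the indicator used to identify the family, and hashes a secured artefact for the evidence record. The log format, host names, thresholds and sample data are all assumptions.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Assumed export format:
#   <ISO-8601 time> <host> RENAME <old path> -> <new path>
#   <ISO-8601 time> <host> CREATE <path>
SAMPLE_LOG = r"""
2026-02-05T09:12:01 FS01 RENAME D:\Share\budget.xlsx -> D:\Share\budget.xlsx.lkd
2026-02-05T09:12:01 FS01 RENAME D:\Share\council_minutes.docx -> D:\Share\council_minutes.docx.lkd
2026-02-05T09:12:02 FS01 RENAME D:\Share\permits\2025-117.pdf -> D:\Share\permits\2025-117.pdf.lkd
2026-02-05T09:12:02 FS01 RENAME D:\Share\permits\2025-118.pdf -> D:\Share\permits\2025-118.pdf.lkd
2026-02-05T09:12:03 FS01 RENAME D:\Share\tax\roll.csv -> D:\Share\tax\roll.csv.lkd
2026-02-05T09:12:04 FS01 CREATE D:\Share\HOW_TO_RECOVER_FILES.txt
2026-02-05T09:40:10 WS22 RENAME C:\Users\anna\draft.docx -> C:\Users\anna\draft_final.docx
"""

# Assumed tuning. Real encryptors rename thousands of files a minute, so a low
# threshold fires early; routine work rarely gives one new extension to 5 files in 60 s.
RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")
# Ransom notes are nearly always small text/HTML files with a "how to recover" style name.
NOTE_RE = re.compile(r"(how[_ -]?to|readme|recover|decrypt|restore).*\.(txt|html?|hta)$", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1]

def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""

def added_extension(old, new):
    """Return the extension an encryptor appended or substituted, or None for an ordinary rename."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]                       # budget.xlsx -> budget.xlsx.lkd
    old_ext, new_ext = extension(old), extension(new)
    if new_ext and new_ext != old_ext:
        return new_ext                              # budget.xlsx -> budget.lkd
    return None                                     # draft.docx -> draft_final.docx

def burst(times, threshold, window):
    """Largest run of at least `threshold` timestamps inside `window`, as (first, last, n)."""
    times = sorted(times)
    best, j = None, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        n = i - j + 1
        if n >= threshold and (best is None or n > best[2]):
            best = (times[j], t, n)
    return best

@dataclass
class Finding:
    host: str
    extension: str            # the indicator for step 2 (identify the family)
    count: int
    first_seen: datetime
    last_seen: datetime
    ransom_notes: list = field(default_factory=list)

def triage(log_text):
    """Step 1: one Finding per host that shows encryptor behaviour in the log."""
    renames, notes = defaultdict(list), defaultdict(list)   # (host, ext) -> times; host -> note paths
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                        # blank or malformed line
        ts, host, event, payload = m.groups()
        if event == "RENAME":
            old, _, new = payload.partition(" -> ")
            ext = added_extension(old, new)
            if ext:
                renames[(host, ext)].append(datetime.fromisoformat(ts))
        elif NOTE_RE.search(basename(payload)):
            notes[host].append(payload)
    bursts = {}                                             # host -> (ext, first, last, n); biggest burst wins
    for (host, ext), times in renames.items():
        b = burst(times, RENAME_THRESHOLD, WINDOW)
        if b and (host not in bursts or b[2] > bursts[host][3]):
            bursts[host] = (ext, *b)
    findings = []
    for host in sorted(set(bursts) | set(notes)):
        ext, first, last, n = bursts.get(host, ("", None, None, 0))
        findings.append(Finding(host, ext, n, first, last, notes.get(host, [])))
    return findings

def evidence_record(label, data, collected_by, collected_at_iso):
    """Step 3: hash a secured artefact so its integrity can be demonstrated later."""
    return {"label": label, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "collected_by": collected_by, "collected_at": collected_at_iso}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host}: {f.count} files renamed to '{f.extension}' between "
              f"{f.first_seen} and {f.last_seen}; ransom notes: {f.ransom_notes}")
    sample = b"constructed placeholder bytes, not a real binary"   # stands in for the secured sample
    print(evidence_record("encryptor binary from FS01", sample, "J. Kowalski", "2026-02-05T09:30:00"))
```

Run against a real audit export, the threshold and window would be tuned per share; the point is that the indicator the playbook needs (extension, note name, first and last seen) falls out of the triage and is ready for steps 2 and 3 of the checklist, instead of being reconstructed from memory under stress. The benign WS22 rename is deliberately in the sample to show that ordinary renames, which keep their extension, do not count.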

Key Benefits of Having a Rehearsed Response Plan

  1. Damage limitation: A quick and coordinated response stops the attack before it spreads throughout the network, minimizing financial and operational losses.

  2. Legal compliance: Having a plan in place and testing it demonstrates due diligence and makes it possible to meet the strict reporting deadlines required by NIS2.

  3. Reputation protection: Professional crisis management, including consistent communication, allows residents and partners to keep their trust even in a difficult situation.


Why is an untested plan just a collection of good intentions on paper?

Creating an Incident Response Plan and putting it in a binder is only a small part of the job. A document that has never been verified in practice is full of faulty assumptions, unclear procedures and outdated contact information. It gives a false sense of security that bursts like a soap bubble at the first real-world test.

Testing the plan is an absolutely key part of its life cycle. It is during controlled exercises that its weaknesses come to light: it turns out that the procedure for isolating a system is unworkable, that key people don’t know what their roles are, and that the crisis communication channels simply don’t work (or depend on the very systems that are down).

The purpose of testing is not to prove that the plan is perfect. On the contrary, the goal is to find as many holes and weaknesses in it as possible in a safe, controlled environment. Every mistake made during the exercise is one less mistake we will make during a real crisis.

How to safely test procedures with “tabletop” exercises?

In most local governments, conducting full technical attack simulations is too complicated and risky. The ideal, risk-free alternative is a “tabletop” exercise: a workshop in which the Incident Response Team sits around a table while a facilitator guides them through a realistic but hypothetical attack scenario.

The facilitator describes step-by-step developments (“You have detected ransomware activity on server X. What do you do?”), and the team’s task is, based on its IRP and playbooks, to discuss and agree on next steps. This is a simulation of the decision-making and communication process, not a test of the technology.

Tabletop exercises provide a safe way to verify that the plan is understood, that roles are clear and that procedures are logical. It’s also an unparalleled tool for building chemistry and trust within a team.

How can a “Cyber Secure Local Government” grant fund the creation and testing of your plan?

The “Cyber Secure Local Government” program explicitly provides for the possibility of funding all activities related to building incident response capabilities. This is one of the key eligible costs in the organizational area.

It can be used to cover 100% of the cost of consulting services related to the development of a complete Incident Response Plan and a set of dedicated playbooks from scratch. An experienced third-party partner will help you create documentation that follows best practices and is tailored to the specifics of your office.

Equally important, the grant will also fund the conduct of professional “tabletop” exercises. Both the cost of preparing the scenario and of moderating the session itself by an experienced facilitator can be covered. This is a unique opportunity not only to create a plan, but also to build real, practiced team readiness - all at no cost to the local government’s own budget.

How does having an IRP help you meet NIS2 reporting requirements?

The NIS2 directive imposes a very short, 24-hour window for the “early warning” of a significant incident, counted from the moment the organization becomes aware of it (followed by a fuller incident notification within 72 hours and a final report within a month). In practice, gathering the necessary information and preparing such a notification in so short a time, in the midst of a crisis, is impossible without advance preparation.

Having an IRP in place is key here. The plan should include a dedicated playbook, “Reporting an Incident to CSIRT NASK,” which describes step-by-step what information needs to be collected, who is responsible for collecting it, and who formally sends the notification. The plan should also define criteria for quickly assessing whether an incident is “significant” and therefore reportable.

This way, when an incident is detected, the team doesn’t waste time wondering what and how it should report, but immediately launches a proven procedure. This is the only way to meet this stringent legal requirement reliably and repeatably.
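As an added example (not the article’s or the program’s own code), this Python module shows how the reporting playbook can turn the NIS2 clock into concrete terms: it computes the submission deadlines from the moment of awareness, applies the office’s own thresholds for the Article 23(3) significance test, and flags which early-warning fields are still unanswered. The thresholds, the sample incident and the 30-day reading of “one month” are assumptions; the 24-hour, 72-hour and one-month deadlines are those of the directive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# NIS2 Art. 23(4) deadlines, counted from the moment the entity becomes aware.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)   # "one month" after the incident notification; 30 days assumed

# Assumed IRP thresholds for the Art. 23(3) "significant incident" tests; each office sets its own.
SEVERE_OUTAGE_HOURS = 4
CONSIDERABLE_PEOPLE_AFFECTED = 1000


@dataclass
class Incident:
    name: str
    aware_at: datetime                 # timezone-aware; this starts the reporting clock
    services_disrupted: list
    outage_hours: float
    people_affected: int
    suspected_malicious: bool = None   # None = not yet assessed
    cross_border_impact: bool = None


def is_significant(inc):
    """Apply the two Art. 23(3) tests with the office's assumed thresholds."""
    reasons = []
    if inc.services_disrupted and inc.outage_hours >= SEVERE_OUTAGE_HOURS:
        reasons.append("severe operational disruption of services")
    if inc.people_affected >= CONSIDERABLE_PEOPLE_AFFECTED:
        reasons.append("considerable damage to other persons")
    return bool(reasons), reasons


def reporting_deadlines(aware_at):
    """Concrete timestamps for the three NIS2 submissions."""
    if aware_at.tzinfo is None:
        # A naive time is ambiguous across a DST change; refuse rather than be an hour off.
        raise ValueError("aware_at must be timezone-aware")
    notification = aware_at + INCIDENT_NOTIFICATION
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": notification,
        "final_report": notification + FINAL_REPORT,   # latest case: notification filed at its deadline
    }


def hours_left(inc, now):
    """Hours remaining in the early-warning window; negative means already overdue."""
    return (reporting_deadlines(inc.aware_at)["early_warning"] - now) / timedelta(hours=1)


def early_warning(inc, recipient="CSIRT NASK"):
    """Assemble the early warning and list the Art. 23(4)(a) questions still unanswered.

    The early warning only has to say whether malicious activity is suspected and
    whether cross-border impact is possible; the detailed assessment belongs to the
    72-hour incident notification.
    """
    significant, reasons = is_significant(inc)
    missing = [f for f in ("suspected_malicious", "cross_border_impact") if getattr(inc, f) is None]
    message = {
        "to": recipient,
        "incident": inc.name,
        "aware_at": inc.aware_at.isoformat(),
        "significant": significant,
        "reasons": reasons,
        "suspected_malicious": inc.suspected_malicious,
        "cross_border_impact": inc.cross_border_impact,
        "send_by": reporting_deadlines(inc.aware_at)["early_warning"].isoformat(),
    }
    return message, missing


# Constructed sample incident, not a real event.
SAMPLE_INCIDENT = Incident(
    name="Ransomware on file server FS01",
    aware_at=datetime(2026, 2, 5, 9, 12, tzinfo=timezone.utc),
    services_disrupted=["resident e-services portal", "property tax payments"],
    outage_hours=6,
    people_affected=40_000,
    suspected_malicious=True,
)

if __name__ == "__main__":
    message, missing = early_warning(SAMPLE_INCIDENT)
    print(message)
    print("still to decide before sending:", missing)
    for name, when in reporting_deadlines(SAMPLE_INCIDENT.aware_at).items():
        print(f"{name:22} {when.isoformat()}")
```

The value of keeping this in the playbook is that the team leader can see, at any point during the crisis, how many hours remain and which yes/no questions still block the early warning, rather than discovering at hour 23 that nobody has decided whether cross-border impact is possible.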

What are the first steps to building responsiveness in your office?

The first step is to formally establish an Incident Response Team (CSIRT). Even if it is initially a small team, it is crucial to formally define its composition, leader and mandate for action.

The second step is to hold a workshop and write a first, even if simplified, version of the Incident Response Plan. It doesn’t have to be a perfect, 100-page document right away. The important thing is to write down the basic principles, roles and channels of communication, including contact details that remain usable when the office’s own systems are down.

The third, and most important step, is to plan the first, simple “tabletop” exercise. Nothing integrates a team and exposes weaknesses in a plan more than going through even the simplest scenario together. It is this practical test that is the real beginning of building a viable response capability.

Is your IT team ready for a real crisis, or just for day-to-day problems?

Most IT teams in local governments are perfectly capable of dealing with everyday challenges: hardware failures, software problems or requests from users. But responding to a cyberattack is a very different kind of challenge. It requires operating under tremendous pressure, in an environment of uncertainty and with the need to make decisions with huge consequences.

Daily experience does not prepare for such a situation. It’s like the difference between the work of a family doctor and that of an ER surgeon. Both are great specialists, but they work under completely different conditions.

That’s why it’s so important to build and test response capabilities in a deliberate and systematic way. Exercises and playbooks are a training ground where your team can safely learn how to operate in a crisis before they have to face it in the real world.
