Incident response (IR) plan: How to create and test? | nFlo Blog

Incident response (IR) plan: How to prepare your company for the moment of crisis?


Every company regularly conducts test fire alarms. No one assumes that the building will burn down tomorrow, but everyone knows that when the siren wails, it is necessary to act quickly, calmly and according to a predetermined procedure. Everyone knows their roles, evacuation routes and assembly point. This rehearsed scheme saves lives and minimizes chaos. In the digital world, such a trial by fire is testing the Incident Response Plan (IR Plan). Because a ransomware attack, paralyzing an entire company, is a fire that is not only possible, but likely these days.

The worst possible time to think about what to do in the event of a cyber attack is right in the middle of it. Adrenaline, panic and time pressure are the worst advisors. Companies that don’t have a rehearsed plan make chaotic, often contradictory and wrong decisions – restoring systems from infected backups too soon, destroying key digital evidence, or communicating in ways that only worsen the image crisis. An incident response plan is your roadmap for a crisis. It’s a document that allows you to turn panic into methodical action and gives you a real chance to contain the situation before it turns into a disaster.

What is an incident response (IR) plan and why is it an insurance policy for your company?

An Incident Response Plan (IR Plan) is a formal, structured and documented set of procedures that an organization follows in the event of a cyber security incident. It is a detailed step-by-step guide that defines who is responsible for what, which actions need to be taken and in what order, so that the attack can be identified, contained and remediated effectively and normal business operations restored.

An IR plan is much more than a technical document for the IT department. It is a key business document that can be compared to an insurance policy. Just as a policy doesn’t prevent an accident, but minimizes its financial impact, an IR plan won’t prevent the attack itself, but will drastically minimize its impact on business operations, financial losses and image damage.

Having a well-prepared and tested IR plan is also a legal and regulatory requirement today. The NIS2 Directive and the amendment to the National Cyber Security System Act directly require thousands of companies to have incident management capabilities. Having an IR plan is key evidence of compliance with this requirement and due diligence.


What are the key phases of the incident life cycle according to standards such as NIST?

Most mature incident response plans are built on internationally recognized, battle-tested methodologies. One of the most popular and practical is the incident lifecycle as defined by the US National Institute of Standards and Technology (NIST) in its SP 800-61 publication. This model divides the entire process into six logical, consecutive phases.

  1. Preparation: This is the most important phase, and it takes place before an incident. It includes creating and maintaining an IR plan, appointing and training a team, and implementing the necessary tools.
  2. Detection & Analysis: The phase in which an incident is identified (e.g., through an alert from the SIEM) and initially analyzed to confirm its authenticity and determine its priority.
  3. Containment: A key phase that aims to limit the spread of the attack as quickly as possible and minimize damage.
  4. Eradication: The phase in which all threat components (malware, backdoors) are removed from infected systems.
  5. Recovery: The phase in which systems are safely restored to normal production operation.
  6. Post-Incident Activity: The phase of analyzing, learning lessons and improving processes and safeguards to prevent similar incidents in the future.

What roles and responsibilities should the Incident Response Team (CSIRT) define?

An incident response plan is not just about procedures, but first and foremost about people. A key element of the preparation phase is the formal establishment and definition of the Computer Security Incident Response Team (CSIRT). This is an interdisciplinary group of people who, at the time of a crisis, take command and coordinate all activities.

An effective CSIRT cannot be composed solely of IT specialists. It must include representatives from key business areas to ensure comprehensive crisis management. A typical team composition is:

  • Team Leader (Incident Commander): The decision maker (often the CISO or IT head) who manages the entire process and has the final say.
  • Security Analysts: The technical core of the team, responsible for analyzing, containing and removing the threat.
  • Legal Department Representative: Advises on legal, regulatory and law enforcement contacts.
  • Communications/PR Representative: Responsible for internal communication (to employees) and external communication (to customers, media).
  • Representatives of key business departments: Individuals who understand business processes and can assess the impact of an incident on operations.
  • Management representative: Provides top-level support and makes strategic business decisions (e.g., about paying the ransom).

The IR plan must clearly define each person’s role, responsibilities and contact information (including private phone numbers), so that every member of the team can be reached 24/7.


What key information and procedures must an effective IR plan include?

A good incident response plan is a practical and “combat” document. It should be written in simple, concise language and structured in the form of a checklist, not a long, theoretical essay. It must provide answers to the key questions the team will ask itself in a stressful situation.

The essential elements of an effective IR plan are:

  • The plan’s mission, strategy and goals.
  • Definition and classification of incidents: Clear criteria to distinguish a minor incident from a major incident requiring full mobilization.
  • Composition, roles and responsibilities of the CSIRT team with contact information.
  • Communication procedures: Who communicates, when and to whom? What does communication with management, employees, customers and regulators look like?
  • Detailed procedures (playbooks) for each phase of the incident life cycle: A step-by-step description of what to do in each phase (detection, containment, and so on).
  • Procedures for specific scenarios: Dedicated playbooks for the most dangerous and likely attacks, such as ransomware, data leakage and DDoS attack.
  • List of key resources: Inventory of key systems, contact information for third-party vendors and partners (including the IR services company).

Six phases of an effective incident response (according to NIST)

| Phase | Main objective | Examples of activities |
|---|---|---|
| Preparation | Build the ability to respond effectively before an attack occurs. | Create the IR plan, appoint and train the CSIRT team, implement tools (SIEM, EDR). |
| Detection & Analysis | Identify the incident as soon as possible and understand its nature. | Monitor alerts, analyze logs, verify indicators of compromise (IoC), determine priority. |
| Containment | Limit the spread of the attack and minimize damage. | Isolate infected systems from the network, block attacker IP addresses, change compromised passwords. |
| Eradication | Completely remove all threat elements from the infrastructure. | Remove malware, eliminate backdoors, patch exploited vulnerabilities. |
| Recovery | Safely restore systems and data to normal operation. | Restore systems from clean backups, monitor for reinfection. |
| Post-Incident Activity | Learn lessons and improve defenses to prevent a repeat of the incident. | Create a “lessons learned” report, update the IR plan, implement new safeguards. |

How do you regularly test and update your incident response plan?

Having an incident response plan lying untouched in a binder is almost as bad as not having one at all. The effectiveness of the plan depends on whether it is regularly tested and the team is familiar with it. Testing identifies gaps, inaccuracies and misconceptions in a safe, controlled environment.

There are several levels of IR plan testing:

  • Review and update (checklist review): The simplest form, involving a periodic (e.g., quarterly) review of the plan and verification that all information (e.g., contact information) is up to date.
  • “Dry” testing (walk-through): The CSIRT team meets to discuss together, step-by-step, a theoretical incident scenario and their response as planned.
  • Table-top simulation exercises: The most valuable form of testing. This is a workshop in which an external facilitator (or internal leader) presents a realistic, evolving attack scenario (e.g., ransomware) to the team, and the team must make decisions and react in real time.
  • Full simulations: The most advanced form, in which the Red Team carries out a real, controlled attack on the company’s systems, and the Blue Team (CSIRT) must detect and stop it.

Regardless of the form, each exercise should end with a “lessons learned” session and an update of the plan based on lessons learned.


How does nFlo help create, test and implement incident response plans?

At nFlo, we understand that in a moment of crisis, it’s all about calm, experience and precise action. That’s why our Incident Response (IR) services are designed to comprehensively prepare your organization for worst-case scenarios, and stand shoulder-to-shoulder with you in the fight if necessary.

Our approach is two-pronged. First, we work proactively. We help organizations create from scratch or improve existing incident response plans. Based on NIST standards and our years of experience, we create practical, “tailor-made” plans that realistically work. Most importantly, we specialize in conducting and facilitating “table-top” simulation exercises. Our team of experts prepares realistic scenarios and conducts workshops for your CSIRT team, helping to test procedures, identify weaknesses and build “muscle memory” for times of crisis.

About the author:
Grzegorz Gnych

Grzegorz is a seasoned professional with over 20 years of experience in the IT and telecommunications industry. He specializes in sales management, building strategic client relationships, and developing innovative sales and marketing strategies. His versatile skills are backed by a range of industry certifications, including IT service management and leading technology solutions from top manufacturers.

In his work, Grzegorz adheres to principles of leadership, continuous knowledge development, and proactive action. His sales approach is based on a deep understanding of clients' needs and delivering solutions that genuinely enhance their market competitiveness. He is renowned for his ability to establish long-term business relationships and position himself as a trusted advisor.

Grzegorz is particularly interested in integrating advanced technologies into sales strategies. He focuses on leveraging artificial intelligence and automation in sales processes, as well as developing comprehensive IT solutions that support clients' digital transformation.

He actively shares his knowledge and expertise through mentoring, speaking at industry conferences, and publishing articles. Grzegorz believes that the key to success in the dynamic IT world lies in combining deep technical knowledge with business acumen and constantly adapting to the evolving needs of the market.