Top 8 Incident Response Plan Templates

What Is an Incident Response Plan Template?

An incident response plan template is a pre-written outline of the roles and responsibilities of an incident response team during a security incident. It also lays out the steps the team takes to detect an incident, assess its impact, and contain the damage.

The incident response plan template provides a general framework that can be adapted to a specific organization. You can save time by taking an established template and customizing it to your policies and organizational structure.


Components of an Incident Response Plan Template

Most incident response plan templates share a common structure. Whatever template you start from, the plan you produce should cover the following elements.


Purpose and Scope

Stating the goals of the incident response program, including specific recovery objectives, keeps the plan focused on the threats that matter most to the organization. The scope statement should also name the program's limits. For example, an organization with several offices might scope one plan to a single geographic location and maintain separate plans for the others.

Threat Scenarios

Organizations often write a separate incident response plan for each major threat. That specificity can help, but a responder working under pressure is more likely to act correctly when there is one document to consult.

The best approach is to create a single master plan and supplement it with supporting documents for critical scenarios. Here are several scenarios that might justify a dedicated supporting plan and process:

  • Zero-day attack on critical systems

  • Loss of data communication due to attacks on IT networks

  • Data loss due to ransomware, malware or theft

  • Loss of intellectual property

Roles and Responsibilities

If your network is under cyber attack, it must be clear who will put the response plan into action. Determining the response team's key roles in advance and practicing the incident response process will help teams work faster and with more confidence during an attack.

The incident response plan template should include the individuals responsible for carrying out incident response, specifying their title and contact information, to minimize uncertainty about who does what.

Incident Response Process

This section is the heart of your incident response plan: the actual sequence of steps the team follows in response to an active cyber threat. No single sequence fits every situation, so the process should leave the team room to decide which steps apply to the threat at hand.


Incident Response Template Examples

1. NIST SP 800-61, Computer Security Incident Handling Guide

Created by: National Institute of Standards and Technology

Pages: 79

Main sections:

  • Organizing a Computer Security Incident Response Capability

  • Handling an Incident

  • Coordination and Information Sharing

  • Incident Handling Scenarios

  • Incident-Related Data Elements

Download PDF file

2. NASA

Created by: NASA

Pages: 59

Main sections:

  • Incident management lifecycle overview

  • Incident management roles and responsibilities

  • Incident management lifecycle

  • Incident management framework

Download PDF file

3. University of California, Berkeley

Created by: University of California, Berkeley

Pages: 7

Main sections:

  • System overview

  • Definitions

  • System contacts

  • Incident response procedures

Download .DOC file

4. ILTA

Created by: International Legal Technology Association

Pages: 5

Main sections:

  • The incident response team

  • Notifications

  • Employee responsibilities

  • Incident types

  • Security breach definition

  • Incident classification procedures

  • Response procedures

  • Recovery procedures

  • Regular testing and remediation efforts

Download .ASHX file

5. California Department of Technology

Created by: California Department of Technology

Pages: 4

Contents: 17-step basic incident response procedure, with references to more detailed, specialized response plans for different incident types, including system failure, malware, and intrusion.

Download .DOC file

6. State of Michigan

Created by: State of Michigan

Pages: 14

Main sections:

  • Definitions

  • Preparation

  • Incident detection and analysis

  • Threat containment, eradication, and recovery

  • Post-incident activities

  • The incident response team

  • The incident response process tree

Download PDF file

7. Government of Victoria, Australia

Created by: Victorian Government

Pages: 24

Main sections:

  • Definitions

  • Common cyber incidents and responses

  • Roles and responsibilities

  • Incident response process

  • Situation update

  • Incident log

  • Resolution action plan

  • Evidence register

  • Assets and key contacts

Download .DOC file

8. TechTarget

Created by: Paul Kirvan

Pages: 14

Main sections:

  • Plan overview, scope, exclusions and planning scenarios

  • Local sequence of events, local incident response teams and activities

  • Notification, escalation and declaration process

  • Incident response checklists: contact lists, initial IR checklist, local incident management team checklist, manager task checklist, EOC command staff checklist

  • Incident management forms

Download .DOC file


Best Practices for Designing an Incident Response Plan

When designing an incident response plan based on the template, keep the following in mind:

  • The response plan should provide guidance for incidents based on their severity and impact.

  • The plan should separate incidents of different types—for example, a ransomware attack requires a different response than a SQL injection attack.

  • Define a required response and resolution time based on the incident severity level.

  • The plan should include a clear process for incident escalation.

  • Incident response often requires contacting members of the team outside business hours. The plan should clearly state who is the first point of contact and provide backup contacts in case the first responder is not available.

  • The plan should also be clear on communication paths, what should be communicated and to whom, and include specific contact details.

  • Review the plan at least quarterly and update it with lessons learned from actual incidents and with newly identified threats.
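Several of the points above (severity tiers, response and resolution targets per tier, an escalation chain with a named first point of contact and backups) are concrete enough to be written down as data and checked mechanically rather than left as prose in a document nobody reads during an outage. The following is an added example, not code from this page or from any of the templates listed: a small Python model of those plan elements. The severity matrix, SLA durations, contact names and phone strings are constructed placeholders; a real plan derives them from business impact and regulatory notification deadlines.

```python
"""Executable model of plan elements: severity classification, SLA deadlines,
and an escalation chain that falls back to backup contacts.
All tiers, durations, names and phone strings below are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reference time used by the demo at the bottom (constructed).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

# Response (acknowledge) and resolution targets per severity tier (constructed values).
SEVERITY_SLA = {
    "critical": (timedelta(minutes=15), timedelta(hours=4)),
    "high":     (timedelta(hours=1),    timedelta(hours=24)),
    "medium":   (timedelta(hours=4),    timedelta(days=3)),
    "low":      (timedelta(days=1),     timedelta(days=14)),
}

# Severity derived from impact (effect on data/service) and scope (how much of
# the estate is affected). Rows: impact; columns: scope. Constructed matrix.
SEVERITY_MATRIX = {
    "high":   {"single": "high",   "multiple": "critical", "enterprise": "critical"},
    "medium": {"single": "medium", "multiple": "high",     "enterprise": "critical"},
    "low":    {"single": "low",    "multiple": "medium",   "enterprise": "high"},
}


def classify(impact: str, scope: str) -> str:
    """Return the severity tier for an (impact, scope) pair; unknown keys raise KeyError."""
    return SEVERITY_MATRIX[impact][scope]


def deadlines(declared_at: datetime, severity: str) -> dict:
    """Compute the respond-by and resolve-by timestamps the plan commits to."""
    respond, resolve = SEVERITY_SLA[severity]
    return {"respond_by": declared_at + respond, "resolve_by": declared_at + resolve}


@dataclass
class Contact:
    name: str
    role: str
    phone: str               # placeholder string, not a real number
    reachable: bool = True   # simulated: did this person answer the page?


def page(chain: list) -> tuple:
    """Walk the escalation chain in order: first point of contact, then backups.
    Returns (contact_reached_or_None, names_tried). None means the chain is
    exhausted and the plan's management escalation path must be invoked."""
    tried = []
    for contact in chain:
        tried.append(contact.name)
        if contact.reachable:
            return contact, tried
    return None, tried


def sla_status(declared_at: datetime, severity: str,
               acknowledged_at: Optional[datetime],
               resolved_at: Optional[datetime], now: datetime) -> str:
    """Classify an incident against its severity deadlines as of `now`."""
    d = deadlines(declared_at, severity)
    if resolved_at is not None:
        return "resolved_in_sla" if resolved_at <= d["resolve_by"] else "resolved_late"
    if acknowledged_at is None and now > d["respond_by"]:
        return "response_overdue"
    if now > d["resolve_by"]:
        return "resolution_overdue"
    return "on_track"


if __name__ == "__main__":
    # Constructed scenario: ransomware on several servers, primary responder unreachable.
    sev = classify("high", "multiple")
    print("severity:", sev, deadlines(T0, sev))
    chain = [
        Contact("A. Primary", "IR lead (first point of contact)", "+1-000-000-0001", reachable=False),
        Contact("B. Backup", "IR lead backup", "+1-000-000-0002"),
        Contact("C. Manager", "Security manager", "+1-000-000-0003"),
    ]
    reached, tried = page(chain)
    print("paged:", tried, "-> reached:", reached.name if reached else "nobody; escalate to management")
    print("status after 4h, unacknowledged:",
          sla_status(T0, sev, None, None, deadlines(T0, sev)["resolve_by"]))
```

The point of the `page` function is the backup rule from the list above: the plan names a first point of contact, but the procedure must keep going down the chain when that person does not answer, and must say explicitly what happens when the chain is exhausted. `sla_status` is the kind of check an incident tracker can run continuously so that a missed response target is flagged rather than discovered in the post-incident review.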