Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes

Leadership

Meet the MetaCompliance Leadership Team

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

How to Write an Incident Response Plan

how to write an incident response plan

about the author

Share this post

Knowing how to write an incident response plan builds on the capabilities of people. If staff are fully aware and trained to report and manage an incident, that event will be handled efficiently.


Experiencing an information security incident is not something anyone wants to go through, but unfortunately dealing with a security incident is a case of when not if. Organisations that suffer a cyber security incident are certainly not alone. According to the World Economic Forum (WEF), cyber security is one of the topmost urgent risks to the global economy. The report, however, highlights the fact that through multilateral efforts, the impact of a cyber-attack can be mitigated.

Collaborative incident response and information-sharing efforts attempt to centralize cyber security capabilities to reduce the impact of cyberattacks.”

An Incident Response Plan is one such effort. Here is an overview of why you need one and what is involved in creating an Incident Response Plan.

Why Do We Need an Incident Response Plan?

The UK Government’s “Cyber Security Breaches Survey 2021” found that 27% of UK businesses have experienced a data breach and are attacked at least once a week, with 39% losing money and/or assets. Managing this onslaught of cyber threats needs the sharp focus of an Incident Response Plan. This plan provides a template of how to respond effectively when a security incident occurs, such as malware, ransomware and unauthorised access.

Data breaches are rarely realised suddenly: the IBM “Cost of a Data Breach 2020” report points out that in 2019 it took, on average, 207 days to identify a data breach and then 73 days to contain it; that’s an average “lifecycle” of 280 days to reduce the impact on the operations of a company.

Having an Incident Response Plan can help to minimise the time to the containment of a data breach and deal with the aftermath quickly and efficiently. Time is of the essence in terms of breach notification rules as a variety of regulations including DPA2018 and GDPR expect notice within 72 hours of a breach occurring. An Incident Response Plan will inform those in security and compliance roles on how to respond to the incident and offer the details needed to make a breach notification.

What is Included in an Incident Response Plan?

Creating an Incident Response Plan is a process that involves a logical approach that includes how to prepare, detect, respond, and recover from an incident. Having a clear and unambiguous view of what to do when the worst-case scenario happens, can be the difference between disastrous aftermath and a smooth road forward.

The playbook of an Incident Response Plan should cover:

Prepare

As all good DIYers know, preparation is the most important part of a job. The same is true when creating an Incident Response Plan. Preparation for the plan begins with people.

Roles and responsibilities: Who is responsible for what action when an incident happens? Identify an incident response team for incident handling. This should also map back to relevant security policy clauses your company has in place. Training staff is a vital part of preparedness and delivery in the Incident Response Plan.

Resource inventory: Create a list of assets across all departments.

Risk assessment: Identify risk areas along with location and classification of assets. Determine the risk levels of each depending on the likelihood of an attack vs. severity of an incident. Map to the ability to handle an attack against these assets.

Incident types: What type of incidents are likely and what constitutes an incident? If an incident occurs, who is responsible for starting the incident management process? Organisations should also outline the escalation criteria for different types of incidents.

Regulation mapping: Document which regulations are relevant and what requirements need to be met when an incident occurs. Create guidelines for the interaction with external authorities’, post-incident.

Incident log: Include a log to manage the incident response process. This may also be useful for regulatory compliance requirements.

Detect

This second stage of the incident response planning process is about monitoring, detecting, and alerting when an incident occurs.

Detection strategy: What tools and measures are used to detect an incident? This must include threats from known, unknown, and suspected threats. For example, do you deploy network scanning tools, Endpoint Detection and Response (EDR), etc.?

Alerts: What systems are used to alert to a possible breach?

Breach assessment: How will your organisation locate zero-day vulnerabilities or Advanced Persistent Threats (APTs)? A “Compromise Assessment” can be used to locate unknown security breaches and unauthorised account access.

Respond

How an organisation responds to a breach is the key to making sure data exposure is minimised and damage limited. Incident response covers several areas such as alert triage, an important aspect to prevent erroneous incident response attempts. The main aspect covered in the response part of an incident response process is to contain and remove the threat. The Incident Response Plan needs to cover the following areas:

Breach assessment: How to quantify the extent of the threat and if the threat is real. This includes how to triage alerts.

Containment exercises: Once a threat is identified, how will it be contained? This can include isolation of systems to protect against further infection/data leaks.

Assessment of breach metrics: What is the classification of the breached data? Was the data sensitive? Did the breach impact regulatory requirements?

Deal with any infection/vulnerability: What is the general process to remove the infected files and deal with any aftermath of an infection.

Preserve breach artefacts: How to produce a log of the incident and any forensic evidence. Include the who, what, why, and where of the event.

Prepare for breach notification: If necessary, how to prepare for any breach notification required. This should include public notices and may provide templates.

Liaise with legal and compliance (and possibly law enforcement): Details of who is responsible for dealing with legal and compliance and how this is handled.

Recover

Recovery is the last part of the process of incident response. The Incident Response Plan should show how the company moves on from an incident, lessons learned and what type of recovery exercises should be carried out:

Post-incident exercises: How to close off the gaps discovered during the incident response.

Remove the risk: Removing the risk and restoring the systems to a pre-incident state.

Report: Guidance on creating an incident response report to help prevent future incidents. But also, guidelines on continued forensic data gathering and monitoring to ensure continued security

Frameworks and Standards when writing an Incident Response Plan

When writing an Incident Response Plan, it can be helpful to have some guidance from recognised authorities.

ISO 27001 – Annex A.16: is an annex to the ISO 27001 international standard that gives useful advice on how to establish a protocol for dealing with the lifecycle management of a security incident.

NIST Incident Response Process: NIST (National Institute of Standards and Technology) is a U.S. government agency. NIST’s Incident Response Process details the four steps mentioned in this article.

Implementing An Incident Response Plan

Efficient handling of even devastating events will mitigate any present and future impact of an incident. Staff training, however, is a perennial challenge that is unique to the Incident Response Plan of an individual organisation. Every incident approach will be different; each organisation has its own set of threats and internal organisational structures.

Personalised training content can be used to reflect each organisation’s uniqueness and its approach to incident management. By creating a personalised Incident Response Plan that reflects your unique organisation structure, you can ensure that you mitigate against the various threats that a modern enterprise encounters.

Key Steps to Effective Data Breach Management

Other Articles on Cyber Security Awareness Training You Might Find Interesting