Essential Components of a Cyber Incident Response Plan Template
Date: 22 May 2020
We have created an optimised cyber incident response plan template for you to download along with some guidance on how to fill it in and how to make it personal to your organisation.
Before you download our cyber incident response plan template, please take a moment to read our guidance on the components of an effective cyber response plan. Why? We are specialists in cyber incident response and crisis management, and creators of the leading Cyber Incident Planning & Response training, certified by the UK Government's NCSC. The advice in this blog draws on years of experience in training, consultancy and cyber incident management.
Read this before downloading our cyber incident response plan template
To condense all those years of experience into a few sentences: most cyber incident response plans and cyber incident response plan templates are simply UNFIT for purpose. They are:
- Not Specific: Many, if not the majority, of templates are not written for any specific organisation or sector. They are chock-full of unnecessary and pointless jargon, and of images of boxes and circles meant to impress you with their comprehensiveness. They don't address your organisation-specific systems, processes and procedures.
- Complex: From our client reviews and experience we can safely say that most cyber incident response plans are too lengthy and complex, and that too much attention is given to acronyms, appendices and other useless artefacts. Complex processes and procedures are baked into the plan or the cyber incident response template, and little attention is actually given to the cyber-attack scenarios that will impact the business. (We cover scenarios, and how to create them, in our UK Government NCSC-Certified Cyber Incident Planning & Response training.)
- Ineffective: Following on from the observations above, we propose that many cyber incident response plans and/or cyber incident response plan templates are ineffective and unfit for purpose. These documents are of little or no use when you are in the crosshairs of a cyber criminal and under fire from multiple sides. Trust us, a 100-page document with numbered images, labelled tables and complex, looking-to-impress process workflows is practically useless when you are in the eye of the storm.
Simplify your Cyber Incident Response Plans
So what is the solution if most response plans and cyber response templates are inadequate? Put simply, follow the KIS principle (we avoid saying KISS for obvious reasons!).
“Any darn fool can make something complex; it takes a genius to make something simple.” ― Pete Seeger
At Cyber Management Alliance Ltd, we pride ourselves on making the complex topic of cybersecurity simple. When it comes to cyber incident management, we work with our clients on multiple fronts, including advising and helping them produce a series of documents on cyber resiliency strategies, cyber crisis plans and cyber incident response plans.
So, keep it simple. Here are some things we keep in mind when creating plans for cyber incident response. We suggest you do the same.
- Scenarios: First and foremost, focus on the scenario(s) that will cause the biggest impact to your business. We cover this in our Cyber Incident Planning & Response and Building & Optimising Incident Response Playbooks training and workshops.
- Ditch the length: Your cybersecurity incident response plan does not have to be 50 or 100 pages in length. Please repeat this sentence again and again. Repetition is key to education. A 5-page plan could be sufficient.
- The Wrong Moniker: We will be upfront with you. The word "plan" is, in our opinion, the wrong word. Words are important; otherwise humans wouldn't need to speak. "Plan" is the wrong word.
- Playbooks: Instead of creating one single cyber incident response plan (or trying to take a short-cut by using a cyber incident response plan template) we prefer to create incident response playbooks. Before you do that, work on creating organisation-specific scenarios.
- Processes and procedures: This is where it gets interesting. We must make it clear that we are not advocating that you don't create any documents. On the contrary, we insist that you focus on having a solid set of processes and procedures for activities including, but not limited to: (1) backing up and restoring critical systems, (2) rebuilding critical servers and (3) completely rebuilding your Active Directory (also known as the heart of the digital business).