NIST Incident Response Plan Steps & Template

Date: 26 April 2022

Featured Image

The National Institute of Standards and Technology, popularly known as NIST, details its recommendations on Cybersecurity Incident Management and Response in the ‘Computer Security Incident Handling Guide’ - also referred to as SP 800-61 Rev. 2

The guide provides direction on how a cyber security incident response plan should be formulated and what steps a disaster recovery plan should contain.

In this blog, we explore these recommendations in some detail and share what a good cybersecurity incident response plan template must look like.  

NIST Incident Response Plan 

Computer Security Incident Response has become a critical business activity today, given the growing complexity and number of cyber attacks, ransomware attacks and data breaches across the globe. It is now imperative to view cybersecurity from the point of view of response and recovery rather than prevention. 

The NIST’s Cybersecurity Incident Handling Guide seeks to empower businesses to bolster their security posture and incident response capabilities through adequate preparation, cybersecurity training, planning and optimal resource allocation.

It also lays emphasis on improving post-incident activity and analysing data so as to enhance the lessons learned and create the opportunity for better detection and response the next time. 

The resounding message of the guide in a gist is that every business is going to be attacked in its lifetime. Consequently, the best way to bolster your security and resilience posture is to ensure that your security teams are well-trained, your management understands cybersecurity and incident response and all key stakeholders are aware of their roles and responsibilities.   

One of the first requirements that the guide spells out for establishing an incident response capability is “Creating an incident response policy and plan”. To help you with this, our security experts have created a free Security Incident Response Plan Template that you can put to use immediately. Give it a try and share your experience and thoughts. 

New call-to-action

What is a Cyber Security Incident Response Plan?  

A Cyber Incident Response plan is a roadmap for security teams on how to handle an incident. It gives out basic direction to the incident response team on what to do immediately after a cybersecurity incident. 

This plan should be customised to the organisational nature, scale, size and objectives. However, some of the key requirements in this plan remain constant across industries and geographies. 

Our Information Security Incident Response Plan Template, created on the basis of NIST guidance, can be used by businesses looking to build their formal incident response capabilities in the long term. It encompasses the various recommended elements that the cyber security emergency response plan should have. It also provides guidance on how the template should be used for best results. 

New call-to-action 

NIST Cybersecurity Incident Response Plan Steps 

Different Cyber Incident Response Plan Templates usually define the phases or steps of good incident response in varying ways. 

We have detailed blogs on the 6 Phases of Incident Response and on 7 Phases of Incident Response which you can read for more information. However, in this blog, we’re going to stay focussed on the 4 Phases of the Incident Response Lifecycle as defined by NIST. 

As per NIST, the major phases of the Cybersecurity Incident Response Process include:

  • Preparation
  • Detection & Analysis 
  • Containment, Eradication & Recovery 
  • Post-Incident Activity 

We can now explore in detail what each of these phases or steps in the Incident Response Lifecycle entail. 

  • Preparation: As the name suggests, this phase is all about getting the organisation ready for a cyber-attack. It involves establishing and training a security incident response team as well as implementing tools and resources that could actually limit security incidents in the first place. Prevention of incidents does end up falling into the category of Preparation, although strictly speaking the incident response team is not responsible for securing resources. 

    NIST, however, recommends that they act as advocates of good cybersecurity practices and behaviour in the Preparation stage. Clearly, limiting the number of incidents is critical to the success of any Cybersecurity Incident Response endeavour. 

    The NIST Computer Security Incident Handling Guide also details some practices that can help analyse risk and secure networks, applications and systems in the Preparation phase of the Lifecycle.

  • Detection & Analysis:  While it’s impossible for organisations to be prepared for every possible future attack, it is wise to have a plan in place to respond to the most common attack vectors. 

    The other thing that makes the stage of Detection very important is that many times businesses aren’t able to tell if they’ve actually been attacked in reality or not. Timely detection is of essence so the security incident response team should be able to quickly validate an incident and then analyse its scope - what was the attack methodology and what assets have been impacted. 

    Communicating the fact that the organisation has been attacked accurately and to the right stakeholders is also a crucial part of this phase of the Incident Response Lifecycle.

  • Containment, Eradication & Recovery: It is imperative to contain an incident before it causes widespread damage and exhausts resources. NIST highlights that good decision-making is a big part of Containment. Obviously, containment becomes easier and more effective if predetermined strategies are in place to handle and contain the incident correctly - further underlining the importance of good cybersecurity practices and incident response training in the UK and globally. 

    After containing the incident, eradication may be necessary to remediate all affected hosts. Eradication usually involves steps like eliminating the malware or deleting breached accounts.

    Recovery is the next logical step after eradication. It involves restoring affected systems, changing passwords, tightening the network, replacing compromised systems and files. 


  • Post-Incident Activity: This phase lays emphasis on lessons learned from the cyber incident. The NIST document recommends holding a ‘lessons learned’ meeting with key stakeholders after a major incident so that the organisation can collectively evolve into being better at handling similar incidents in the future.

    Proper post-incident activity can shed light on key questions around an incident pertaining to what exactly happened and how well the staff handle the incident. These meetings can also be the perfect vehicle for deliberating on the organisational incident response strategy and its effectiveness.

    Ideally, ‘lessons learned’ meetings should be followed up with formal reports that detail everything discussed in the meeting. These reports can be useful in identifying gaps in existing policies and procedures as well as training new staff members who may subsequently become part of the IT security team. 

New call-to-action

The above are some critical incident response steps as highlighted by NIST. Including these major steps in your Cyber Security Incident Response Plan is one of the most important leaps you can take today towards becoming a cyber resilient organisation.

You may also want to find out more about our NCSC-Certified Cyber Incident Planning & Response training. As the human element is often the weakest link in a digital environment, training your non-technical staff in Incident Response can be the ultimate differentiator of a cyber-resilient organisation. The training can also help you to implement NIST's Incident Response Lifecycle & Meet ISO 27001:2013's Annexe A.16.1. 

cta Free incident response checklist


Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422