Building and Optimising Incident Response Playbooks

Cyber Crisis Incident Planning and Response Workshops

We have trained over 250 organizations including:

"Only 10% of organisations have an Incident Response Plan" - GCHQ

Create actionable scenario based playbooks

Cyber Crisis Management

Templates and Collateral

Data Breach Planning & Response: Playbooks Session


“We have an incident response handbook” OR “Yes, we have carried out a BCP exercise and can recover from a disaster” OR “we have 200 page major incident handling guide”

Companies repeat these and other statements every-time they are asked if they are prepared for a cyber-attack or data-breach. The truth is that most businesses only discover how ineffective their plans are when they are hit by a cyber attack.

You maybe prepared for a traditional crisis, like a flooding of the data centre OR your office building not being available due to an incident.

However, a cyber-crisis is often invisible and near impossible to detect in the early stages. In many cyber-attacks by the time a business detects the attack it is often too late. The data has been stolen , the newspapers know about your attack and your customers are worried about their personal data being in the hands of criminals.

CM-Alliance’s Building and Optimising Playbooks one day workshop equips you with the necessary knowledge to ensure your business has the actionable response mechanisms, checklists and procedures to respond to a variety of simple and complex cyber-attacks and data-breaches.

In this workshop you will learn:

  • The basic building blocks of a good and effective playbook
  • How NOT to respond to incidents, attacks and data-breaches: pitfalls to avoid when creating playbooks.
  • Triage, what it is, it’s role in incident management
  • How to use playbooks to aid in triage
  • Definition of a breach - why you need this and how to roll this out in your organisation.
  • Creating Scenarios - deep dive into creating effective scenarios.
  • Creating playbooks - starting from a basic to complex playbooks - Multiple interactive sessions
  • Management playbooks - how to build and engage management to use playbooks.
  • Running internal workshops - how to ensure maximum participation and effective results.
  • Understand the technology stack required to deliver automation.
  • Understand the role of SOAR (security orchestration and response) and the tools that you can use.
  • Organisational Capability and the role of playbooks in increasing staff skills and retention

Key Benefits :


  • Applicable knowledge to create and use actionable playbooks.
  • Useful templates and collateral you can deploy in your organisation.
  • Understanding SOAR and technologies and automation to help in the "heavy lifting" of manual tasks.
  • Avoid the common pitfalls of incident response plans and playbooks.

Learning Objectives:

  • List key benefits of playbooks and recognise their significance in enabling an organisation’s cyber resiliency.
  • Understand the basics of creating playbooks and describe the key components required to create them.
  • Communication strategies during a data breach.
  • Create organisation-specific attack scenarios.
  • Analyse and Assess the scenario and select the appropriate playbook.
  • Construct simple and complex playbooks.

Target audience:

  • IT Technicians
  • Level 1, level 2, IT support
  • Network engineer
  • Windows, Unix and Max engineers
  • SOC Analysts (all levels)
  • IT Manager, Network Manager
  • Change Managers
  • Service Managers
  • BCP Manager
  • CISO / Head of IT security
  • Risk Managers
  • Head of IT

The playbooks training course was a good 'part-2' to the CIPR and went into greater depth in a number of areas. The day was fun and Amar kept us moving along at a good pace.
Kevin Hayes
CISO, Cyber Risk Associates

Enjoyed the course. Good mix of attendees and plenty of lively conversation. Amar steered us through it all admirably.

Russ Smith

Overall the course was very good. I would strongly recommend this training to anyone who is involved in Cyber Security or has control of information assets.

Kim Rose
Information Governance Officer, Wye Valley NHS Trust

It was a great workshop with a lot of interesting people and a great learning experience.

Philipp Scheiwiler
System Engineer
This was a very helpful day and opportunity to speak with a number of operational incident responders to discuss what really works in practice and not just in theory. I gained a great deal from the day, particularly around the construction of bespoke playbooks and also a variety of useful resources to inform my learning. A really good day.
Andrew Lock
Information Security Consultant
The Foundations & Concepts

Condensed version of the GCHQ-Cyber Incident Planning and Response training to ensure all core stakeholders are baselined and understand the key concepts

Strategies for Data Breach Communication
  • Defining breach parameters for critical systems
  • Implementing a standardised communication principle during the golden hour and beyond
Golden Hour and Triage
  • The role of triage in Playbooks
  • The concept of alerts and dependency on triage
  • Creating tangible useful alerts and linking them to playbooks
Scenario Definition & Planning
  • Identify and build top attack scenarios – impact on critical assets and business objectives
  • Build high-level attack tree
  • Review existing use cases
  • Review the scenarios and create/review specific response and recover procedures per scenario
  • Creating a Scenario
  • Creating a Playbook
  • Playbook Worksheets

Meet the Trainer 

Amar Singh has a long history and experience in data privacy and information security. Amar has served as CISO for various companies, including News International (now News UK), SABMiller, Gala Coral, Euromoney and Elsevier. Amongst various other activities, Amar is a Global Chief Information Security Officer and Trusted Advisor to a number of organisations including a FTSE100 firm, and is chair of the ISACA UK Security Advisory Group. He also founded the not-for-profit cyber security service for charities, Give01Day.

Amar_Singh_CISO (1).jpg

Amar has the highest integrity and is trusted by FTSE100 companies with some of the most sensitive commercial information, and has been involved with highly sensitive forensic investigations.

He has the ability to deal with both the technically astute, board-level executives and lead an organisation's information security direction. Apart from his experience and abilities, Amar holds a number of industry-recognised certifications, such as ISO 27001 Certified ISMS Lead Implementer, MoR, CRISC and CISSP certification.

Amar is an industry-acknowledged expert and public speaker and is regularly invited to speak and share his insights by some of the largest and most respected organisations in the world including The BBC, The Economist’s Intelligence Unit, The Financial Times, SC Magazine, InfoSec Magazine, Computer Weekly, The Register and the AlJazeera English Channel.


All trademarks, service marks, trade names, product names, service names and logos appearing on the site, or on printed or digital material are the property of their respective owners, including in Cyber Management Alliance Ltd. Any rights not expressly granted herein are reserved.

Building and Optimising Incident Response Playbooks

Find out more about our one day public courses or internal workshops, please complete the form below. 

  • callOr call us on:
  • +44 (0) 203 189 1422