Building and Optimising Incident Response Playbooks

Cyber Crisis Incident Planning and Response Workshops

We have trained over 250 organizations including:

"Only 10% of organisations have an Incident Response Plan" - GCHQ

Create actionable, scenario-based playbooks

Cyber Crisis Management

Templates and Collateral

Data Breach Planning & Response: Playbooks Session


“We have an incident response handbook” OR “Yes, we have carried out a BCP exercise and can recover from a disaster” OR “We have a 200-page major incident handling guide.”

Companies repeat these and other statements every time they are asked if they are prepared for a cyber-attack or data breach. The truth is that most businesses only discover how ineffective their plans are when they are hit by a cyber-attack.

You may be prepared for a traditional crisis, like a flooding of the data centre or your office building not being available due to an incident.

However, a cyber-crisis is often invisible and near impossible to detect in the early stages. In many cyber-attacks, by the time a business detects the attack, it is often too late. The data has been stolen , the newspapers know about your attack and your customers are worried about their personal data being in the hands of criminals.

Cyber Management Alliance’s Building and Optimising Incident Response Playbooks one-day workshop equips you with the necessary knowledge to ensure your business has the actionable response mechanisms, checklists and procedures to respond to a variety of simple and complex cyber-attacks and data breaches.

In this workshop, you will learn:

  • The basic building blocks of a good and effective playbook.
  • How NOT to respond to incidents, attacks and data breaches; pitfalls to avoid when creating playbooks.
  • Triage - What it is and what's its role in incident management.
  • How to use playbooks to aid in Triage.
  • Definition of a breach - Why you need this and how to roll this out in your organisation.
  • Creating Scenarios - Deep-dive into creating effective scenarios.
  • Creating playbooks - Starting from basic to complex playbooks - Multiple interactive sessions.
  • Management playbooks - How to build and engage management to use playbooks.
  • Running internal workshops - How to ensure maximum participation and effective results.
  • Understanding the technology stack required to deliver automation.
  • Understanding the role of SOAR (Security Orchestration and Response) and the tools that you can use.
  • Organisational capability and the role of playbooks in increasing staff skills and retention.

Key Benefits :

  • Applicable knowledge to create and use actionable playbooks.
  • Useful templates and collateral that you can deploy in your organisation.
  • Understanding SOAR, other technologies and automation to help in the "heavy lifting" of manual tasks.
  • Avoid the common pitfalls of incident response plans and playbooks.

Learning Objectives:

  • List key benefits of playbooks and recognise their significance in enabling an organisation’s cyber resilience.
  • Understand the basics of creating playbooks and describe the key components required to create them.
  • Communication strategies during a data breach.
  • Create organisation-specific attack scenarios.
  • Analyse and assess the scenario and select the appropriate playbook.
  • Construct simple and complex playbooks.


Target audience:

  • IT Technicians
  • Level 1, level 2, IT support
  • Network engineers
  • Windows, Unix and Max engineers
  • SOC Analysts (all levels)
  • IT Managers, Network Managers
  • Change Managers
  • Service Managers
  • BCP Managers
  • CISOs / Heads of IT security
  • Risk Managers
  • Heads of IT


The playbooks training course was a good 'part-2' to the CIPR and went into greater depth in a number of areas. The day was fun and Amar kept us moving along at a good pace.
Kevin Hayes
CISO, Cyber Risk Associates

Enjoyed the course. Good mix of attendees and plenty of lively conversation. Amar steered us through it all admirably.

Russ Smith

Overall the course was very good. I would strongly recommend this training to anyone who is involved in Cyber Security or has control of information assets.

Kim Rose
Information Governance Officer, Wye Valley NHS Trust

It was a great workshop with a lot of interesting people and a great learning experience.

Philipp Scheiwiler
System Engineer
This was a very helpful day and opportunity to speak with a number of operational incident responders to discuss what really works in practice and not just in theory. I gained a great deal from the day, particularly around the construction of bespoke playbooks and also a variety of useful resources to inform my learning. A really good day.
Andrew Lock
Information Security Consultant
The Foundations & Concepts

Condensed version of the GCHQ-Cyber Incident Planning and Response training to ensure all core stakeholders are base-lined and understand the key concepts.

Strategies for Data Breach Communication
  • Defining breach parameters for critical systems.
  • Implementing a standardised communication principle during the Golden Hour and beyond.
Golden Hour and Triage
  • The role of Triage in Playbooks.
  • The concept of alerts and dependency on Triage.
  • Creating tangible useful alerts and linking them to playbooks.
Scenario Definition & Planning
  • Identify and build top attack scenarios – impact on critical assets and business objectives.
  • Build high-level attack tree.
  • Review existing use cases.
  • Review the scenarios and create/review specific response and recover procedures per scenario.
  • Create a Scenario.
  • Create a Playbook.
  • Playbook Worksheets.

Meet the Trainer 

Amar Singh has a long history and experience in data privacy and information security. Amar has served as CISO for various companies, including News International (now News UK), SABMiller, Gala Coral, Euromoney and Elsevier. Amongst various other activities, Amar is a Global Chief Information Security Officer and Trusted Advisor to a number of organisations including a FTSE100 firm, and is chair of the ISACA UK Security Advisory Group. He also founded the not-for-profit cybersecurity service for charities, Give01Day.

Amar_Singh_CISO (1).jpg

Amar has the highest integrity and is trusted by FTSE100 companies with some of the most sensitive commercial information. He has been involved with highly sensitive forensic investigations.

He has the ability to deal with both technically-astute, board-level executives and lead an organisation's information security direction. Apart from his experience and abilities, Amar holds a number of industry-recognised certifications, such as ISO 27001 Certified ISMS Lead Implementer, MoR, CRISC and CISSP certification.

Amar is an industry-acknowledged expert and public speaker and is regularly invited to speak and share his insights by some of the largest and most respected organisations in the world including The BBC, The Economist’s Intelligence Unit, The Financial Times, SC Magazine, InfoSec Magazine, Computer Weekly, The Register and the AlJazeera English Channel.


All trademarks, service marks, trade names, product names, service names and logos appearing on the site, or on printed or digital material are the property of their respective owners, including in Cyber Management Alliance Ltd. Any rights not expressly granted herein are reserved.

Building and Optimising Incident Response Playbooks

Find out more about our one day public courses or internal workshops, please complete the form below. 

  • callOr call us on:
  • +44 (0) 203 189 1422