🔒 Security Incident Response Plan (IRP) & Checklist

The morning alert blared on my laptop: a glaring “You’ve been hacked” message. Instinctively, the incident response plan kicked in. Our team scrambled to follow the playbook we had prepared. Thanks to that prior work, we didn’t panic or guess what to do next; we executed a clear plan. As one expert notes, cyber threats are always evolving and becoming more sophisticated, so an effective IRP is crucial for organizations of all sizes to ensure security and continuity.

So what is an IRP? Think of it as a documented script for how your team will handle a breach. It spells out the steps to take before, during, and after an incident, minimizing damage to systems, data, and operations. A good plan means you won’t be scrambling at 3 AM to figure out who calls whom; you’ll have all your roles, tools, and procedures ready in advance.

Why does this matter? In a real incident, every minute counts. An effective response can drastically reduce downtime and data loss. It can protect sensitive customer data and preserve trust in your brand. On top of that, there are legal deadlines to meet. For example, GDPR requires notifying authorities within 72 hours of a breach, and HIPAA requires informing affected individuals within 60 days if health data was exposed. Clearly, having a plan and a checklist can make all the difference.

Incident Response Phases

A solid IR plan breaks the response into clear phases. You and your team run each phase like a relay: training and preparation first, then detection, containment, eradication, recovery, and post-incident. The typical phases are:

  • Preparation: Before an incident even starts, we train the team and set things up. We define communication channels (Slack, phone, email, ticketing), maintain an up-to-date contact list of IT, legal, PR, executives, and vendors, and ensure our monitoring tools (SIEM, IDS, etc.) are running. This groundwork means we’re ready the moment a threat appears.

  • Detection & Identification: Next, we spot trouble. That could be an alert from a monitoring tool or an employee reporting suspicious activity. We quickly verify if it’s a real incident, then classify its severity (is this a minor anomaly or a major breach?). Finally, we notify the IR team and any stakeholders who need to know about the situation.

  • Containment: Now we try to stop any further damage. We isolate affected systems or networks, block malicious IPs/domains, and disable any compromised accounts. In one case, our team actually unplugged a server mid-incident to halt a ransomware spread. These containment actions limit the “blast radius” of the attack while we work on removing it.

  • Eradication: With things contained, we hunt down the attackers and remove them. We delete malware and any backdoors, patch the exploited vulnerabilities, reset passwords, and clear out any traces of the intrusion. We double-check that no part of the threat remains. This is exactly what IR guidelines mean by “eradicating the threat”.

  • Recovery: Now we bring systems back to life. We restore data and servers from known-clean backups, thoroughly test everything, and carefully bring services online. We monitor for any sign of the attacker returning. The goal is to resume normal business operations safely, with confidence that the breach is over.

  • Lessons Learned: Finally, we review. The IR team conducts a post-incident meeting to document what happened and why. We note timelines, impacted systems, root causes, and steps taken. Then we update our playbooks, close any gaps in our processes, and share a summary with leadership. After all, an IR plan “is only as good as your last test”, so we treat this review as an opportunity to improve.

Each phase flows into the next, but real incidents can overlap them. The key is that your plan covers all these steps, so nothing important is missed.

Roles & Responsibilities

Clear roles are the backbone of any response. We make sure everyone knows exactly what to do when the alarm sounds. In our IR plan, the IR Lead coordinates the response, the Security Analyst investigates alerts and gathers evidence, IT Operations engineers handle containment and recovery, Legal/Compliance manages breach notification and compliance, Communications/PR crafts any external messaging, and an Executive Sponsor makes final decisions. Industry guidance even points out that you should assemble a dedicated IR team with technical, legal, communications, and management expertise, each with clearly defined responsibilities.

  • IR Lead: Coordinates the overall incident response efforts.

  • Security Analyst: Investigates alerts and evidence to determine the scope of the breach.

  • IT Operations: Executes the technical containment and recovery procedures on affected systems.

  • Legal/Compliance: Advises on regulatory reporting and ensures all legal requirements are met.

  • Communications/PR: Prepares messaging for customers, media, and other external parties if needed.

  • Executive Sponsor: Provides executive-level oversight and makes key decisions during the incident.

Incident Severity Levels

Not all incidents are created equal. Our plan defines several severity tiers so we respond with the right urgency. For example: a single phishing email blocked by our spam filter might be Low (handled by the IR Lead only), a malware infection on one computer is Medium (escalated to IT Ops), multiple systems hit by ransomware is High (alerting execs and legal), and a confirmed breach of sensitive personal data is Critical (mobilizing the full IR team and possibly outside regulators).

Incident Response Checklist

When chaos hits, a checklist can keep the team on track. Our IRP includes key steps for each part of the response, such as:

  • Detection & Identification: Confirm the alert’s source (SIEM, IDS, user report); verify the incident; classify its severity; notify the IR team immediately.

  • Containment: Disconnect or isolate affected devices from the network; block malicious domains and IPs; disable compromised user accounts.

  • Eradication & Recovery: Remove malware and any persistence mechanisms; apply security patches to vulnerable systems; restore data and systems from verified clean backups; validate that systems are fully functional and secure.

  • Post-Incident: Conduct a lessons-learned review; update incident documentation and any threat intelligence entries; improve monitoring and defenses; share a summary report with leadership.

Each item above aligns with best practices. For example, IR guidelines emphasize containing the threat and then eradicating it from all systems, followed by restoring operations with trusted backups. Ticking off these tasks as you go ensures a thorough, coordinated effort.

Communication Plan

Part of our plan specifies exactly how to alert everyone involved. For example, the IR team has a dedicated Slack channel and pager so they get notified immediately of critical alerts. IT Operations is notified via a rapid incident ticket or direct call. Legal and executives are only paged or emailed for high-severity incidents, to avoid unnecessary alarms. The PR lead stands by with pre-written statements and press contacts if external notification is needed. Best practices say to prepare clear internal channels and external messaging in advance.

Regulatory Requirements

Don’t overlook compliance. Depending on your data, you may have strict reporting rules. For instance, GDPR requires notifying authorities within 72 hours of a personal data breach, and HIPAA requires informing affected individuals within 60 days of discovering a breach. Various U.S. states also have breach-notification laws, and industry standards like PCI-DSS for payment data effectively require having a solid incident response plan in place.
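The severity tiers, the communication plan, and the regulatory deadlines above can be captured in a single triage routine. The following is an added example, not part of the Assemble template; the exact thresholds, roster, channel names and the "anything unclear is Medium" default are assumptions made for illustration, and the sample incident is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass
class Incident:
    kind: str                     # "phishing", "malware", "ransomware", ...
    hosts_affected: int
    discovered_at: datetime       # starts the regulatory clocks
    blocked_by_filter: bool = False
    sensitive_data_confirmed: bool = False
    data_types: set = field(default_factory=set)   # e.g. {"personal", "health"}


def classify(inc: Incident) -> str:
    """Map an incident to one of the plan's four tiers (assumed: check worst first)."""
    if inc.sensitive_data_confirmed:                        # confirmed breach of sensitive data
        return "Critical"
    if inc.kind == "ransomware" and inc.hosts_affected > 1:  # multiple systems hit
        return "High"
    if inc.kind == "phishing" and inc.blocked_by_filter:    # stopped by the spam filter
        return "Low"
    return "Medium"   # assumption: one infected host, or anything unclear, is Medium


def notify_list(severity: str) -> dict:
    """Who is alerted, and via which channel, per the plan's communication section."""
    rank = SEVERITY_ORDER.index(severity)
    roster = {"IR Lead": "IR Slack channel + pager"}
    if rank >= 1:   # Medium: escalate to IT Ops
        roster["IT Operations"] = "incident ticket or direct call"
    if rank >= 2:   # High: page/email legal and executives only at this level
        roster["Legal/Compliance"] = roster["Executive Sponsor"] = "page or email"
    if rank >= 3:   # Critical: full IR team, PR on standby with prepared statements
        roster["Security Analyst"] = "IR Slack channel + pager"
        roster["Communications/PR"] = "standby with pre-written statements"
    return roster


def notification_deadlines(inc: Incident) -> dict:
    """Regulatory deadlines counted from discovery: GDPR 72 h, HIPAA 60 days."""
    due = {}
    if "personal" in inc.data_types:
        due["GDPR supervisory authority"] = inc.discovered_at + timedelta(hours=72)
    if "health" in inc.data_types:
        due["HIPAA affected individuals"] = inc.discovered_at + timedelta(days=60)
    return due


def triage(inc: Incident) -> dict:
    sev = classify(inc)
    return {"severity": sev, "notify": notify_list(sev), "deadlines": notification_deadlines(inc)}


def sample_incident() -> Incident:
    # Constructed sample: ransomware on five hosts with health records exposed, found 2024-03-01 09:00
    return Incident("ransomware", 5, datetime(2024, 3, 1, 9, 0), sensitive_data_confirmed=True,
                    data_types={"personal", "health"})
```

Running `triage(sample_incident())` yields a Critical rating, the full roster, and the two notification deadlines the plan must meet.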

Post-Incident Report

After the incident is contained, the last step is documentation. We create a post-mortem report covering what happened and when (timeline), which systems were affected, the root cause, actions taken (containment, eradication, recovery), business impact, and lessons learned. We attach all relevant logs and evidence (such as screenshots and log files) to make the story complete. In fact, one incident response guide emphasizes recording "what information you should report (like logs and screenshots)" to ensure a complete record.

Accelerate Response with an IRP Template

Having all this in a template makes life easier. Assemble offers a fully editable IRP template that includes all these sections. Once you open the template in Assemble, your team can start customizing it right away. You can share the document with everyone on your team in one click and even see who has viewed or edited it. Assemble provides a central hub with real-time collaboration, version history, and drag-and-drop editing, so your IR plan is always up to date.

Ready to get prepared? Sign up for Assemble and try out the Security Incident Response Plan template. With a customizable template at hand, your team can focus on the response, not on writing docs. When the next alert goes off, you’ll know exactly where to begin.

Every file, note, convo and to-do.
In a calendar.

Forget complex project management tools. Organize your projects in time with Assemble.