How To Build An Incident Response Plan: A Simple Guide

When a cyber incident hits, very few people are sitting calmly flipping through a 60-page policy manual. Most are asking: “Who do I tell? What do I shut down? Are we going to lose data?”

The latest UK Cyber Breaches Survey shows most businesses act fast when something goes wrong: 76% report incidents to senior management. But when it comes to having a proper incident response plan, many still don’t have one, and even fewer have tested theirs.

For those responsible for security, there’s a lot to stay on top of — and incident planning doesn’t always make it to the front of the queue. This blog isn’t here to judge; it’s here to offer clear, practical advice for leaders who want to strengthen their response.

In this first part of our Incident Response series, we’re focusing on the foundations: what an incident response plan is, why it matters, and what every plan should include, from defining incidents and assigning roles to getting communication, triage and escalation right.

In Part 2, we’ll show you how to put that plan into action with practical tools like playbooks, testing drills, post-incident reviews, and compliance steps you can’t afford to miss.

Because the best response plan isn’t buried in a binder. It’s something you and your team can actually use, when it really matters.

What Incident Response In Cyber Security Really Means

Incident response is about knowing what to do when anything unexpected hits your systems, whether it’s a phishing email that slips through, a rogue login at 2am, or a click that leads to a data leak.

At its core, an incident response plan gives you:

The NCSC puts it perfectly:

And that preparation doesn’t just help limit impact, it supports your legal obligations, too.

If personal data is involved, GDPR requires you to notify the ICO within 72 hours. Regulators will want to know what happened, how you responded, and what evidence you have.

That’s why having a plan, even a basic one, can make the difference between a minor scare and a serious regulatory headache.

The Essentials: What Every Cyber Incident Response Plan Should Include

You don’t need a complex framework to get started. Just a practical plan that answers the key questions: Who does what? What do we count as an incident? How do we respond quickly and effectively?

Here’s the straightforward version of what every incident response plan should include:

The National Cyber Security Centre (NCSC) sets clear guidance on how to build this foundation. Here’s what your plan should include — and why each element matters.

1. Clear Roles and Responsibilities

When something goes wrong, clarity is critical. Everyone needs to know their role from the outset.

Typical roles include:

  • Incident Coordinator – the central point of control. Oversees the entire response, keeps tasks aligned, and makes sure actions are taken.
  • Decision-Maker – someone with the authority to escalate, shut systems down, or report to regulators.
  • Technical Lead – analyses the issue, investigates the root cause, and implements fixes.
  • Comms Contact – ensures timely updates are shared internally and externally, including with staff, stakeholders, or regulators.

Without this structure, confusion creeps in — and chaos follows.

2. Defining What Counts as an Incident

Not every blip is a breach, but many incidents start small. You need clear categories to trigger the right response.

The NCSC cyber incident response plan outlines the following common incident types:

  • Malicious code – e.g. malware infections, ransomware
  • Denial of Service (DoS) – service disruption from overwhelming traffic
  • Phishing – deceptive emails with malicious links or attachments
  • Unauthorised Access – access to systems or data without permission (internal or external)
  • Insider Threats – accidental or deliberate action from within the organisation
  • Data Breach – data loss or exposure (often linked to other incident types)
  • Targeted Attack – deliberate, sophisticated attacks against your organisation

To simplify decision-making, create an incident category matrix with real-world examples of each type, tailored to your business.

3. Triage and Severity: Know What You’re Dealing With

Your team needs a quick way to decide how serious an incident is. This helps determine who needs to be involved and what should take priority.

Diagram: severity matrix, taken from the NCSC Cyber Incident Response Plan

The NCSC incident response plan recommends using a severity matrix. Here’s a simplified version you can customise:

Severity – Examples

  • Critical – Over 80% of staff unable to work, critical systems offline with no resolution, high-risk data breach, major financial/reputation impact
  • High – Half of staff affected, risk of personal data breach, systems impacted but fixable, potential serious reputation risk
  • Medium – Up to 20% affected, small data exposure, low risk to reputation, isolated system issues
  • Low – One or two users impacted, no data risk, minimal disruption

Having this matrix in place helps you make fast, consistent decisions.
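To show how the matrix works as a decision rule, here is an added example (not from the NCSC or this post) that encodes it as a triage function: each dimension is rated separately and the overall severity is the highest of them, so a two-laptop incident that exposes high-risk data still comes out Critical. The thresholds are the ones in the matrix; the gap between 20% and 50% of staff is treated as High, which is an assumption made here for a conservative rating.

```python
# Added example, not from the NCSC or the original post. Encodes the simplified
# severity matrix above: rate every dimension, then take the highest rating.
from dataclasses import dataclass
from typing import Dict, Tuple

LEVELS = ["Low", "Medium", "High", "Critical"]   # ascending order

@dataclass
class Impact:
    staff_affected: int   # people unable to work
    total_staff: int
    data_exposure: str    # "none", "small", "personal", "high_risk"
    systems: str          # "none", "isolated", "fixable", "critical_down"
    reputation: str       # "none", "low", "serious", "major"

def rate_staff(affected: int, total: int) -> str:
    if total <= 0:
        raise ValueError("total_staff must be positive")
    if affected <= 2:
        return "Low"                  # one or two users impacted
    pct = 100 * affected / total
    if pct <= 20:
        return "Medium"               # up to 20% affected
    if pct <= 80:
        return "High"                 # "half of staff"; 20-50% rounded up (assumption)
    return "Critical"                 # over 80% unable to work

DATA = {"none": "Low", "small": "Medium", "personal": "High", "high_risk": "Critical"}
SYSTEMS = {"none": "Low", "isolated": "Medium", "fixable": "High", "critical_down": "Critical"}
REPUTATION = {"none": "Low", "low": "Medium", "serious": "High", "major": "Critical"}

def triage(i: Impact) -> Tuple[str, Dict[str, str]]:
    """Return the overall severity plus the per-dimension ratings that drove it."""
    ratings = {
        "staff": rate_staff(i.staff_affected, i.total_staff),
        "data": DATA[i.data_exposure],
        "systems": SYSTEMS[i.systems],
        "reputation": REPUTATION[i.reputation],
    }
    overall = max(ratings.values(), key=LEVELS.index)
    return overall, ratings

if __name__ == "__main__":
    # Constructed scenario: ransomware on two laptops, one holding HR records.
    severity, why = triage(Impact(2, 120, "high_risk", "isolated", "serious"))
    print(severity, why)   # Critical, driven by the data dimension
```

Returning the per-dimension ratings alongside the overall level gives the Incident Coordinator the reason for the rating, which is what the decision-maker and the incident log need.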

4. Communication Plan

Communication during an incident must be timely, clear, and controlled. Your plan should cover:

  • Who needs to be informed – think technical teams, leadership, PR, legal, and in some cases customers or regulators
  • How updates are shared – consider fallback options like secure messaging tools in case primary systems are compromised
  • What’s logged – all key actions and decisions should be documented in real-time

Don’t assume email or phones will work — have a backup method ready.

5. Escalation Plan

You won’t always know how serious an incident is at first. That’s why your plan should include triggers for escalation:

  • Involving senior management for high-impact decisions
  • Alerting HR if an insider threat is suspected
  • Engaging legal teams for regulatory and contractual advice
  • Looping in PR or marketing if there’s potential for reputational damage

Escalation routes should be mapped clearly in your plan — no guesswork.

6. Backups and Data Restoration

Backups are your safety net — but only if they’re working and accessible.

Your plan should cover:

  • Where backups are stored (and whether they’re isolated from live systems)
  • Who can access and restore them
  • How often they’re tested

Having clean, tested backups dramatically reduces recovery time and impact.

7. Containment Steps

Your first technical priority is to stop the spread of the threat. This often includes:

  • Isolating affected machines or systems
  • Disabling compromised user accounts
  • Blocking malicious traffic
  • Shutting down vulnerable services

The aim is to limit the blast radius while you investigate further.

8. Recovery and Remediation

Once things are stable, focus shifts to restoring services and fixing the root cause. Key steps include:

  • Verifying and restoring backups
  • Applying patches or fixes
  • Changing passwords or credentials

This stage is where you return to business — but with stronger defences than before.

9. Documentation and Tracking

One of the most overlooked — but critical — areas of incident response.

As the NCSC explains, you need to track, document, assign, and correlate every part of the response:

  • Keep a timeline of key events and decisions
  • Record affected systems and data
  • Note what actions were taken and why

This isn’t just useful for internal learning — it’s essential if you’re audited, investigated by regulators, or need to provide evidence in court.

Having this foundation in place won’t just make you feel more prepared — it will reduce damage, improve response time, and show clients and regulators that you take Cyber Security seriously.

Next Steps: Putting Your Plan into Practice

Now that you’ve covered the essential building blocks of an effective incident response plan — from assigning roles to defining incident types, managing communications, and preparing for recovery — the next step is turning that plan into something practical.

In Part 2, we’ll dive into how to bring your plan to life. We’ll explore the value of response playbooks, why regular testing is crucial, how to run effective post-incident reviews, and what your legal obligations look like in the aftermath of a breach.

If you’re looking to strengthen your Cyber Security strategy and want support building or refining your incident response plan, we’re here to help. Whether you need guidance on where to start or expert insight to validate what you already have, our team is ready to support you every step of the way.

Get in touch at enquiries@equilibrium-security.co.uk or give us a call on 0121 663 0055 — and let’s make sure your business is prepared for whatever comes next.


About the author

Lucy Lawson is a Marketing Professional at Equilibrium Security, skilled in transforming complex Cyber Security challenges into clear, actionable advice. Her content is designed to guide your business in making informed Cyber Security decisions which follow best practice, ensuring your digital assets remain safe and secure.
Lucy Lawson
Marketing Assistant