If Part 1 helped you lay the groundwork for an effective incident response strategy, this next phase is all about making it work in the real world. Because when things go wrong, it’s not enough to have a policy written down. You need to know exactly what to do — and have confidence that your team does too.
In this second part of our Incident Response series, we’ll walk you through the practical steps to bring your plan to life. From creating fast, focused playbooks to running tests, learning from incidents, and understanding when to involve regulators — this is where your strategy becomes action.
Let’s get planning!
Use Playbooks to Make Your Cyber Incident Response Plan Easier to Execute
When a cyber incident hits, no one wants to be making it up as they go along. That’s where incident response playbooks come in.
What Is a Playbook?
Unlike a general incident response plan, playbooks are focused and scenario-specific. They break down exactly what to do, who to call, and how to contain a particular type of incident.
What Should a Playbook Include For Your Incident Response Plan?
According to the National Cyber Security Centre (NCSC), every playbook should include simple but critical guidance for the first few hours of response. As a minimum, each playbook should cover:
- Who to contact – technical teams, key suppliers, senior management, and when to involve Legal, HR, or PR
- How to triage the incident – specifics on how to assess and categorise the incident based on type (e.g. ransomware vs phishing)
- Containment actions – clear instructions on how to reduce impact or prevent the incident from spreading further
- Evidence retention – advice on preserving logs, emails, or other data that may be needed for internal reviews or regulatory reporting
You can enhance these playbooks over time with additional detail on recovery, close-down procedures, or links to external guidance and internal policies.
Where to Start:
Start by creating 3 to 5 core playbooks based on your most likely or highest-risk scenarios. This should be informed by:
- Past incidents in your business
- Current threat trends in your sector
- High-profile global threats like ransomware
We recommend starting with:
- Malware Infection – unusual system behaviour or known malware activity
- Ransomware – encryption of files, ransom notes, business disruption
- Data Breach – lost/stolen devices, unauthorised access to sensitive data
- Unauthorised Access – suspicious logins, compromised user accounts, insider activity
Keep It Simple
Your playbooks don’t need to be polished documents with diagrams and legal language. What matters is that they’re practical, accurate, and easy to follow under pressure.
Over time, you can expand your playbooks to include recovery steps, lessons learned, and engagement points for PR or compliance teams. If you’re using an incident response platform or orchestration tool, these playbooks can also be embedded directly into your workflows.
But even a simple PDF or printout is enough to improve your response time, reduce impact, and give your team confidence when it counts.
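The minimum playbook content above (who to contact, triage, containment, evidence retention) and the four starter scenarios are easy to check mechanically once playbooks live in a tool or repository rather than a printout. The following is an added example, not code from the original article or from Equilibrium Security: a small playbook record plus a linter that flags any playbook missing one of the NCSC minimum sections and any contact list that has not been reviewed recently. The section names, the 90-day contact-review threshold and all playbook content are this example's own constructed assumptions.

```python
"""Added example: lint incident response playbooks against the minimum
sections the article lists, and flag stale contact lists.
All playbook content below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Minimum sections from the article; the attribute names are this example's own.
REQUIRED_SECTIONS = ("contacts", "triage", "containment", "evidence_retention")
# Assumption: a contact list not reviewed within this many days is treated as stale.
MAX_CONTACT_AGE_DAYS = 90


@dataclass
class Playbook:
    scenario: str
    contacts: List[str] = field(default_factory=list)            # who to call
    triage: List[str] = field(default_factory=list)              # how to assess/categorise
    containment: List[str] = field(default_factory=list)         # how to limit spread
    evidence_retention: List[str] = field(default_factory=list)  # what to preserve
    contacts_reviewed: Optional[date] = None                     # last review of the contact list


def lint_playbook(pb: Playbook, today: date) -> List[str]:
    """Return findings for one playbook; an empty list means it meets the minimum."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not getattr(pb, section):
            findings.append(f"{pb.scenario}: missing '{section}' section")
    if pb.contacts_reviewed is None:
        findings.append(f"{pb.scenario}: contact list has never been reviewed")
    elif today - pb.contacts_reviewed > timedelta(days=MAX_CONTACT_AGE_DAYS):
        findings.append(
            f"{pb.scenario}: contact list last reviewed {pb.contacts_reviewed}, "
            f"older than {MAX_CONTACT_AGE_DAYS} days"
        )
    return findings


def lint_all(playbooks: List[Playbook], today: date) -> Dict[str, List[str]]:
    """Lint every playbook and key the findings by scenario name."""
    return {pb.scenario: lint_playbook(pb, today) for pb in playbooks}


# Constructed sample set covering two of the starter scenarios the article recommends.
SAMPLE_PLAYBOOKS = [
    Playbook(
        "Ransomware",
        contacts=["IT on-call", "Backup supplier", "Legal", "PR"],
        triage=["Confirm encrypted files and ransom notes", "Identify first affected host"],
        containment=["Isolate affected hosts from the network", "Suspend shared-drive access"],
        evidence_retention=["Preserve ransom note", "Export endpoint and firewall logs"],
        contacts_reviewed=date(2025, 3, 1),
    ),
    Playbook(
        "Unauthorised Access",
        contacts=["IT on-call", "HR"],
        triage=["Review sign-in logs for unusual locations", "Check for new mailbox rules"],
        containment=[],  # deliberately left empty so the linter reports it
        evidence_retention=["Preserve the original phishing email with headers"],
        contacts_reviewed=date(2024, 10, 1),
    ),
]

if __name__ == "__main__":
    for scenario, findings in lint_all(SAMPLE_PLAYBOOKS, date(2025, 5, 1)).items():
        print(scenario, "OK" if not findings else findings)
```

Running the linter as part of the same review cycle as your tabletop exercises turns "is the contact list current?" from a question into a scheduled check; the threshold is an assumption, so set it to whatever your own review cadence is.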
Testing the Plan: Why You Have to Practise Your Cyber Security Incident Response
So, you’ve got an incident response plan in place. That’s a great start — but let’s be clear: a plan that sits untouched on a shared drive won’t help you when a real incident hits.
Just like fire drills, cyber security plans need to be tested before the emergency.
Why Testing Matters For Your Cyber Security Incident Response
Testing your incident response plan helps you identify gaps, clarify roles, and fix weaknesses before they turn into major issues. It also helps build team confidence and ensures that when something goes wrong, the response is smooth, not panicked.
The National Cyber Security Centre (NCSC) puts it plainly: regular testing allows you to:
- Discover miscommunications or blind spots in your response
- Validate the effectiveness of your escalation process
- Check whether your contact lists and backups are up to date
- Confirm that all departments understand their role — not just IT
- Protect your business and prove resilience to your board, regulators, and customers
Post-Incident Review: What Did You Learn From Your Cyber Security Incident Response Plan?
You’ve contained the threat, restored systems, and breathed a collective sigh of relief. But before you move on, there’s one final — and crucial — step: the post-incident review.
This is your opportunity to step back and ask: What happened? What worked? What needs to change?
Because if you don’t learn from an incident, it’s only a matter of time before the same weaknesses come back to bite you.
Why Reviews Matter For A Data Breach Response Plan
- Fix the gaps in detection and response
- Improve your playbooks and escalation process
- Identify missing logs, tools, or data that made the response harder
- Capture evidence and document your decisions for future reference
- Support regulatory compliance — including with the ICO, if personal data was involved
The NCSC's incident response guidance advises that keeping a detailed, structured record of your incident response is essential — especially if you're later required to present that information to a regulator or court.
What to Cover in a Post-Incident Review
Your review should look at two things:
1. The Incident Itself:
- Could it have been detected earlier?
- Were there missed warning signs or vulnerable systems?
- Are there tactical fixes you can make immediately (e.g. patching or configuration changes)?
- Are there bigger governance issues to address (e.g. a lack of visibility over assets or suppliers)?
The NCSC recommends looking for both short-term improvements and longer-term strategic fixes, especially if the same issue has cropped up more than once.
2. The Response Process:
- Did everyone understand their role?
- Were decisions made at the right time?
- Were communications clear and timely?
- Was important data — like logs — missing or overwritten too soon?
“Was there any information which would have significantly helped your response but which was difficult or impossible to obtain? Make a plan to gather this data ahead of any future attacks.”
Even something as simple as unclear documentation or outdated contact lists can delay response time and increase impact. This is your chance to identify and fix those issues while the details are still fresh.
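One of the most common review findings is the one in the last question above: the logs that would have answered "could it have been detected earlier?" had already rolled over by the time anyone looked. The following is an added example, not code from the original article: given when the attacker's first activity was, when it was detected and when the review took place, it reports for each log source whether its retention period still covered the timeline and by how many days it fell short. The log source names and retention periods are constructed; real values come from your own SIEM or syslog configuration.

```python
"""Added example: check which log sources could still answer post-incident
review questions, given their retention periods. Sample data is constructed."""
from datetime import datetime, timedelta
from typing import Dict

# Constructed inventory: log source -> retention in days (assumed values).
LOG_RETENTION_DAYS = {
    "vpn_gateway": 30,
    "domain_controller_security": 90,
    "edr_telemetry": 14,
    "email_gateway": 180,
}


def log_coverage(first_activity: datetime, detected: datetime, review_date: datetime,
                 retention: Dict[str, int] = LOG_RETENTION_DAYS) -> Dict[str, dict]:
    """For each source, say whether logs from first_activity and from detection
    still existed on review_date, and how many days of the timeline were lost."""
    report = {}
    for source, days in retention.items():
        oldest_available = review_date - timedelta(days=days)
        report[source] = {
            "covers_first_activity": oldest_available <= first_activity,
            "covers_detection": oldest_available <= detected,
            "shortfall_days": max(0, (oldest_available - first_activity).days),
        }
    return report


def retention_needed(first_activity: datetime, review_date: datetime) -> int:
    """Minimum retention (days) that would have preserved the whole timeline
    up to the review; use this as the target when fixing the gap."""
    return (review_date - first_activity).days


def sources_to_fix(report: Dict[str, dict]) -> list:
    """Sources that had already lost the start of the incident, worst first."""
    gaps = [(s, r["shortfall_days"]) for s, r in report.items() if not r["covers_first_activity"]]
    return [s for s, _ in sorted(gaps, key=lambda g: g[1], reverse=True)]


# Constructed timeline: activity began 25 days before detection, review a week later.
FIRST_ACTIVITY = datetime(2025, 4, 1)
DETECTED = datetime(2025, 4, 26)
REVIEW = datetime(2025, 5, 3)

if __name__ == "__main__":
    report = log_coverage(FIRST_ACTIVITY, DETECTED, REVIEW)
    for source, row in report.items():
        print(f"{source:28} {row}")
    print("retention needed (days):", retention_needed(FIRST_ACTIVITY, REVIEW))
    print("fix first:", sources_to_fix(report))
```

With the constructed timeline, the endpoint telemetry (14 days) and VPN logs (30 days) had both lost the first days of activity by the time of the review, which is exactly the "make a plan to gather this data ahead of any future attacks" action the NCSC quote above calls for: the `retention_needed` figure gives you a concrete target to raise retention to.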
Make It Actionable
A review isn’t just a meeting. Document it. Assign actions. Update your playbooks. And make sure your leadership team is aware of the lessons — particularly if they impact future resourcing, training, or investment.
The best organisations treat incident response as a living process — not a one-off event. Each incident is a chance to improve your posture and sharpen your strategy.
Regulatory Responsibilities: Know When to Escalate
When an incident involves personal data, your response isn’t just about technical containment — it’s also about meeting your legal obligations.
Under UK GDPR, you must report certain types of personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. That deadline includes weekends and bank holidays — so speed really does matter.
You don’t need to be a legal expert to meet this requirement. You just need to know:
- When to escalate internally
- What information to gather (what happened, when it happened, what data was involved, and what you’re doing about it)
- Who is responsible for submitting the report
It’s good practice to prepare in advance by:
- Identifying who in your team is responsible for reporting
- Storing a link to the ICO’s data breach reporting form
- Having a template ready to capture the key information you’ll need
- Ensuring your logs and incident notes are structured and easy to access
The ICO's guidance is clear and practical.
This step is often overlooked in the heat of an incident — but failing to report when you should, or providing incomplete information, can lead to reputational and regulatory consequences.
Having this process baked into your incident response plan ensures you’re not scrambling when the clock is ticking.
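The two things that go wrong in practice are miscounting the 72 hours (it runs from the moment of awareness and does not pause for weekends or bank holidays) and reaching the form without the information it asks for. The following is an added example, not code from the original article and not the ICO's form: a small notification record that computes the deadline from a timezone-aware awareness timestamp, reports hours remaining, and checks the key fields the article lists (what happened, when, what data, what you are doing, and who is reporting). The field names and the sample incident are this example's own constructed assumptions.

```python
"""Added example: track the 72-hour personal data breach reporting window and
check that the key details are captured before submitting. Sample data is constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REPORTING_WINDOW = timedelta(hours=72)
# Fields the article says to gather; names are this example's own, not the ICO form's.
REQUIRED_FIELDS = ("what_happened", "when_it_happened", "data_involved",
                   "actions_taken", "reporter")


def reporting_deadline(aware_at: datetime) -> datetime:
    """72 hours after awareness, with no allowance for weekends or holidays.
    A timezone-aware timestamp is required so the deadline is unambiguous."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + REPORTING_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left until the deadline; negative once it has passed."""
    return (reporting_deadline(aware_at) - now).total_seconds() / 3600


def missing_fields(record: Dict[str, str]) -> List[str]:
    """Required fields that are absent or empty in the notification record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def readiness(record: Dict[str, str], aware_at: datetime, now: datetime) -> dict:
    """Summarise whether the record is complete and how long is left to submit."""
    missing = missing_fields(record)
    return {
        "deadline": reporting_deadline(aware_at),
        "hours_remaining": hours_remaining(aware_at, now),
        "missing": missing,
        "ready_to_submit": not missing,
    }


UTC = timezone.utc
# Constructed: awareness late on a Friday afternoon, so the deadline falls on Monday.
AWARE_AT = datetime(2025, 5, 2, 17, 30, tzinfo=UTC)
# Constructed record, deliberately missing the "what you're doing about it" field.
SAMPLE_RECORD = {
    "what_happened": "Laptop containing customer spreadsheet lost in transit",
    "when_it_happened": "2025-05-02 approx. 14:00 UTC",
    "data_involved": "Names and postal addresses, approx. 1,200 customers",
    "actions_taken": "",
    "reporter": "Data Protection Lead (placeholder name)",
}

if __name__ == "__main__":
    now = datetime(2025, 5, 4, 9, 30, tzinfo=UTC)  # Sunday morning
    summary = readiness(SAMPLE_RECORD, AWARE_AT, now)
    print("deadline:", summary["deadline"].strftime("%A %Y-%m-%d %H:%M %Z"))
    print(f"hours remaining: {summary['hours_remaining']:.1f}")
    print("missing:", summary["missing"], "ready:", summary["ready_to_submit"])
```

Keeping the awareness timestamp timezone-aware matters more than it looks: a naive local time recorded during a clock change, or by a supplier in another region, can shift the computed deadline by an hour, which is why the function refuses naive input rather than guessing.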
You’ve Got the Foundations. Now Build Confidence.
Cyber incidents don’t wait until you’re ready. But with a strong plan, tested processes, and a team that knows what to do, your business won’t be caught off guard.
Whether you’re just starting to shape your response strategy or refining what’s already in place, now’s the time to move from planning to execution. Testing, reviewing, and strengthening your approach will pay off when it matters most — and help you meet your obligations with confidence.
We work with businesses of all sizes to build, test, and improve incident response capabilities that actually work in the real world.
Speak to our team today at enquiries@equilibrium-security.co.uk or call us on 0121 663 0055. Let’s make sure your next response is calm, clear, and completely under control.