Incident Response Plan Template (Free) for Small Businesses — 2026 Guide
Cyberlords Editorial Team

When a cyberattack hits, every minute counts. Yet 45% of organizations still do not have a documented incident response plan, and only 30% of those with a plan test it regularly. The result? Organizations without a formal IR plan face 58% higher breach costs — an avoidable premium that can bankrupt a small business.
An incident response plan template gives your team a rehearsed playbook for the worst day of your business life. This guide provides a free, ready-to-use template aligned with NIST SP 800-61 Rev 3, the SANS 6-phase framework, and CISA best practices. Copy it, customize it, and test it — before the red alert sounds.
Quick Summary
- 45% of organizations lack a documented incident response plan (IBM/Ponemon).
- Organizations with tested IR plans save $1.49 million per breach (IBM 2024).
- 58% higher breach costs for companies without a formal IR plan (IBM/Ponemon).
- Mean time to identify and contain a breach: 241 days — a nine-year low (IBM 2025).
- This guide includes a free 6-phase incident response plan template you can customize today.
- The template aligns with NIST SP 800-61 Rev 3, SANS, CISA, and major compliance requirements (GDPR, HIPAA, PCI DSS, SOC 2).
Why Your Small Business Needs a Documented Incident Response Plan
The Cost of Being Unprepared
| Statistic | Source |
|---|---|
| 45% of organizations lack a documented IR plan | IBM/Ponemon |
| Only 30% of organizations regularly test their IR plans | IBM/Ponemon |
| Organizations with tested IR plans save $1.49 million per breach | IBM 2024 Cost of a Data Breach |
| 58% higher breach costs without a formal IR plan | IBM/Ponemon |
| Organizations without an IR team incur $2.66 million more per breach | IBM/Ponemon |
| Breach lifecycle without IR plan: 258 days vs. 189 days with a plan | IBM/Ponemon |
| Mean time to identify and contain a breach: 241 days (2025) | IBM 2025 |
| Breaches with lifecycles over 200 days cost $5.46 million on average | IBM 2024 |
| Global average cost of a data breach: $4.88 million (2024) | IBM 2024 |
A cyberattack does not announce itself politely. A ransomware note appears on a Monday morning. An employee clicks a phishing link on Friday afternoon. Your cloud provider sends an alert at 2 AM that someone in a foreign country has admin access to your database.
Without a plan, people panic. They make mistakes that amplify the damage: rebooting infected machines (destroying evidence), emailing recovery strategies over compromised channels, or waiting days to notify regulators — violating GDPR's 72-hour rule or HIPAA's breach notification requirements.
A written, tested incident response plan eliminates the guesswork. It tells each person exactly what to do, in what order, and who to call.
Compliance Requirements Demand It
Multiple regulations now require a documented incident response plan:
| Regulation | IR Plan Requirement |
|---|---|
| GDPR (Articles 33-34) | Notify supervisory authority within 72 hours; documented procedures required |
| HIPAA Security Rule | Documented incident response plan mandatory for covered entities |
| PCI DSS 4.0.1 (Req. 12.10) | Incident response plan required; must be tested annually |
| FTC Safeguards Rule | Written IR plan with designated coordinators and 72-hour notification |
| SOC 2 | IR plan required under the Security Trust Services Criteria |
| DORA (EU) | ICT incident response and operational resilience mandatory for financial sector |
| NIS2 Directive (EU) | IR plan required for essential and important entities |
| SEC Cyber Disclosure | Material incidents must be disclosed on Form 8-K within 4 business days |
Incident Response Plan Template — 6-Phase Framework
This template combines the NIST CSF 2.0 structure (Govern → Identify → Protect → Detect → Respond → Recover) with the SANS tactical phases. It is designed for small businesses with limited IT staff and can be customized to any industry.
Document Header
====================================================
INCIDENT RESPONSE PLAN — [YOUR COMPANY NAME]
====================================================
Version: 1.0
Last Updated: [DATE]
Document Owner: [NAME / TITLE]
Approved By: [CEO / CISO NAME]
Review Frequency: Quarterly (minimum)
Next Scheduled Review: [DATE]
Classification: CONFIDENTIAL — Internal Use Only
====================================================
DOCUMENT CONTROL
====================================================
Version | Date | Author | Change Summary
--------|------------|--------------|--------------------
1.0 | [DATE] | [Name] | Initial release
| | |
====================================================
Section 1: Purpose and Scope
Purpose: This Incident Response Plan establishes procedures for detecting, responding to, containing, eradicating, and recovering from cybersecurity incidents affecting [Company Name]'s information systems, data, and operations.
Scope: This plan applies to:
- All employees, contractors, and third-party vendors with access to company systems
- All company-owned and managed IT assets (on-premises and cloud)
- All data processed, stored, or transmitted by the organization
- All locations and remote work environments
Objectives:
- Minimize impact and duration of security incidents
- Preserve evidence for forensic analysis and legal proceedings
- Comply with regulatory notification requirements
- Protect customer and employee data
- Restore normal operations as quickly as possible
- Identify root causes and prevent recurrence
Section 2: Incident Response Team — Roles and Responsibilities
| Role | Responsibilities | Primary Contact | Backup Contact |
|---|---|---|---|
| Incident Response Lead | Overall incident coordination, decision authority, stakeholder updates | [Name / Phone / Email] | [Name / Phone / Email] |
| Technical Responder | Analysis, containment, forensics, system recovery | [Name / Phone / Email] | [Name / Phone / Email] |
| Legal / Compliance | Regulatory notification, legal review, breach assessment | [Name / Phone / Email] | [Name / Phone / Email] |
| Communications Lead | Internal/external messaging, media, customer notification | [Name / Phone / Email] | [Name / Phone / Email] |
| Executive Sponsor | Business decisions, resource approval, board communication | [Name / Phone / Email] | [Name / Phone / Email] |
| External IR Firm | Forensic investigation, advanced containment, expert support | [Name / Phone / Email] | N/A |
| Cyber Insurance | Policy activation, coverage verification, claims management | [Carrier / Phone / Policy #] | N/A |
Escalation Note for Small Businesses: If you have fewer than 25 employees, the CEO or owner may fill the Executive Sponsor and Communications Lead roles. The critical minimum is having at least an IR Lead and an external IR firm on retainer.
Section 3: Incident Classification and Severity Levels
| Severity | Definition | Examples | Response Time | Escalation |
|---|---|---|---|---|
| Critical (SEV-1) | Active data breach, ransomware, business operations halted | Ransomware encrypting systems, confirmed data exfiltration, full network compromise | Immediate (within 15 min) | IR Lead + Executive + Legal + External IR Firm |
| High (SEV-2) | Confirmed compromise, limited scope, operations partially affected | Compromised admin account, malware on multiple endpoints, suspected data theft | Within 1 hour | IR Lead + Technical + Legal |
| Medium (SEV-3) | Suspicious activity requiring investigation, no confirmed compromise | Unusual login patterns, phishing email with credentials submitted, suspicious outbound traffic | Within 4 hours | IR Lead + Technical |
| Low (SEV-4) | Policy violation or minor event, no compromise | Failed brute-force attempt (blocked), lost unencrypted USB, employee policy violation | Within 24 hours | Technical Responder |
Section 4: The 6-Phase Response Procedure
Phase 1: Preparation (Ongoing)
Preparation is not a response to an incident — it is everything you do before one occurs.
- Maintain and review this IRP quarterly
- Conduct tabletop exercises at least twice per year
- Maintain up-to-date asset inventory (hardware, software, data, cloud services)
- Ensure all systems have centralized logging enabled
- Deploy endpoint detection and response (EDR) on all endpoints
- Enforce multi-factor authentication (MFA) on all critical systems
- Maintain offline backups following the 3-2-1 rule
- Pre-negotiate a retainer with an external incident response firm
- Verify cyber insurance coverage and understand policy terms
- Train all employees on phishing recognition and incident reporting procedures
- Maintain a physical "go bag" with printed contact lists, network diagrams, and admin credentials stored in a secure location
Phase 2: Identification (Detection and Triage)
When a potential incident is detected:
- Determine if it is a real incident — Verify alerts against false positives. Correlate with other data sources.
- Assign a severity level — Use the classification matrix above.
- Notify the IR Lead — Call (do not email) the IR Lead. Use out-of-band communication if email may be compromised.
- Begin the incident log — Record: date/time of discovery, who discovered it, affected systems, initial symptoms, and actions taken.
- Preserve initial evidence — Take screenshots, capture log entries, note file hashes if malware is found.
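The Section 3 classification matrix and the Phase 2 steps above (assign a severity, notify the IR Lead by phone, begin the incident log) can be encoded so that the severity, the response deadline and the escalation list are computed at the moment of discovery rather than looked up under pressure. The Python script below is an added example written for this guide; it is not part of the template or of any Cyberlords tooling. The severity labels, response windows and escalation lists are copied from the Section 3 matrix; the Event attributes used to choose a level, the log entry kinds and the sample incident are assumptions made for the example.

```python
# Added example: severity triage and incident-log bootstrap for Phase 2.
# SEV-1..SEV-4 labels, response windows and escalation lists follow the
# Section 3 matrix. The Event attributes used to pick a level and the log
# entry kinds are assumptions for this example, not part of the template.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SEVERITY_MATRIX = {
    "SEV-1": {"label": "Critical", "respond_within": timedelta(minutes=15),
              "escalate": ["IR Lead", "Executive Sponsor", "Legal / Compliance", "External IR Firm"]},
    "SEV-2": {"label": "High", "respond_within": timedelta(hours=1),
              "escalate": ["IR Lead", "Technical Responder", "Legal / Compliance"]},
    "SEV-3": {"label": "Medium", "respond_within": timedelta(hours=4),
              "escalate": ["IR Lead", "Technical Responder"]},
    "SEV-4": {"label": "Low", "respond_within": timedelta(hours=24),
              "escalate": ["Technical Responder"]},
}


@dataclass
class Event:
    """What the analyst has verified so far about a detected event (assumed fields)."""
    description: str
    ransomware: bool = False            # encryption activity observed
    data_exfiltration: bool = False     # data confirmed leaving the environment
    operations_halted: bool = False     # business operations stopped
    confirmed_compromise: bool = False  # attacker access verified (account, endpoint)
    suspicious: bool = False            # needs investigation, nothing confirmed yet


def classify(ev: Event) -> str:
    """Map verified facts to a severity level, worst case first (Section 3 matrix)."""
    if ev.ransomware or ev.data_exfiltration or ev.operations_halted:
        return "SEV-1"
    if ev.confirmed_compromise:
        return "SEV-2"
    if ev.suspicious:
        return "SEV-3"
    return "SEV-4"


@dataclass
class Incident:
    incident_id: str
    severity: str
    discovered_at: datetime
    discovered_by: str
    affected_systems: list
    respond_by: datetime
    escalate_to: list
    log: list = field(default_factory=list)  # entries: (timestamp, who, kind, text)


def open_incident(ev, incident_id, discovered_by, discovered_at, affected_systems):
    """Phase 2 steps 2-4: assign severity, compute the response deadline, start the log."""
    sev = classify(ev)
    row = SEVERITY_MATRIX[sev]
    inc = Incident(incident_id, sev, discovered_at, discovered_by,
                   list(affected_systems), discovered_at + row["respond_within"],
                   list(row["escalate"]))
    inc.log.append((discovered_at, discovered_by, "discovery", ev.description))
    inc.log.append((discovered_at, discovered_by, "triage",
                    f"{sev} ({row['label']}); phone {', '.join(inc.escalate_to)} "
                    f"by {inc.respond_by.isoformat()}"))
    return inc


def record(inc, at, who, kind, text):
    """Append a timestamped entry; kind is 'response', 'evidence', 'action' or 'note'."""
    inc.log.append((at, who, kind, text))


def response_within_sla(inc) -> bool:
    """True once a 'response' entry was logged inside the Section 3 response window."""
    return any(kind == "response" and at <= inc.respond_by
               for at, _, kind, _ in inc.log)


def render_log(inc):
    """Plain-text incident log, one line per entry, suitable for the printed go-bag copy."""
    header = (f"INCIDENT {inc.incident_id}  severity={inc.severity}  "
              f"systems={', '.join(inc.affected_systems)}")
    return [header] + [f"{at.isoformat()}  {who:<14} [{kind}] {text}"
                       for at, who, kind, text in inc.log]


if __name__ == "__main__":
    # Constructed sample: an alert that turned out to be a compromised admin account.
    t0 = datetime(2025, 3, 10, 14, 5, tzinfo=timezone.utc)
    ev = Event("MFA push fatigue alert; admin account confirmed logged in from unknown device",
               confirmed_compromise=True)
    inc = open_incident(ev, "IR-2025-001", "helpdesk", t0, ["AD-DC01", "O365 tenant"])
    record(inc, t0 + timedelta(minutes=12), "IR Lead", "response", "Acknowledged by phone")
    record(inc, t0 + timedelta(minutes=20), "Tech Responder", "action",
           "Disabled account; active sessions revoked")
    print("\n".join(render_log(inc)))
```

The classifier deliberately checks the worst-case attributes first, so an event that is both suspicious and confirmed ransomware lands at SEV-1, and `response_within_sla` only counts an explicit `response` entry, which keeps the "who acknowledged, and when" record that the post-incident review in Phase 6 needs.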
Phase 3: Containment
The goal is to stop the bleeding without destroying evidence.
Short-Term Containment (First 30 Minutes):
- Isolate affected systems from the network (disconnect Ethernet, disable Wi-Fi)
- Block identified malicious IPs, domains, or email addresses at the firewall/email gateway
- Disable compromised user accounts
- Disconnect backup systems to prevent encryption or corruption
Long-Term Containment (Next 2–24 Hours):
- Set up clean systems on a separate network segment if business operations must continue
- Implement enhanced monitoring on unaffected systems
- Capture forensic images of affected systems (before wiping)
- Identify the attack vector (phishing, exploited vulnerability, stolen credentials, insider)
Phase 4: Eradication
Remove the threat completely from the environment.
- Remove malware, backdoors, and persistence mechanisms from all affected systems
- Reset all compromised credentials — start with admin and service accounts
- Patch the exploited vulnerability that enabled the attack
- Scan the entire environment for indicators of compromise (IOCs) using the identified threat intelligence
- Verify that no additional compromised accounts or systems remain
Phase 5: Recovery
Restore normal operations in a controlled manner.
- Rebuild affected systems from known-clean images and verified backups
- Restore data from backups predating the compromise (verify integrity)
- Re-enable services in phases: critical systems first (email, finance, customer-facing), then secondary
- Enforce MFA on all restored accounts
- Implement enhanced monitoring for at least 30 days post-recovery
- Confirm with the IR team that all IOCs have been addressed before full restoration
Phase 6: Lessons Learned (Post-Incident Review)
Conduct within 2 weeks of the incident.
- Hold a formal, blameless post-mortem meeting with all IRT members
- Document the complete incident timeline: attack vector, dwell time, detection method, containment actions, and recovery steps
- Identify what worked well and what failed in the response
- Update this IRP based on lessons learned
- Update detection rules, monitoring, and alerting based on the new IOCs
- Brief executive leadership and the board (if applicable)
- File required regulatory reports (GDPR: 72 hours, HIPAA, PCI DSS, SEC 8-K)
- Schedule follow-up vulnerability assessment to verify remediation
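Two of the Phase 6 items above, documenting the timeline (attack vector, dwell time, detection, containment, recovery) and filing the regulatory reports, benefit from being computed from timestamps rather than estimated in the meeting. The Python script below is an added example written for this guide, not part of the template or of any Cyberlords tooling. The 72-hour GDPR window and the 4-business-day SEC Form 8-K window come from the compliance table earlier on this page; the milestone names, the assumption that both clocks start when the organization became aware, the weekend-only business-day rule (public holidays are not handled) and the sample timeline are constructed for the example.

```python
# Added example: post-incident timeline metrics and notification deadlines (Phase 6).
# The 72 h GDPR and 4-business-day SEC 8-K windows come from the compliance table on
# this page; milestone names, the "clock starts at awareness" rule, the weekend-only
# business-day logic and the sample timeline are assumptions for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Milestone:
    name: str
    at: datetime


# Constructed sample timeline (not a real incident): phishing click on 3 March,
# detected a week later, contained the same afternoon, fully recovered on 14 March.
SAMPLE_TIMELINE = [
    Milestone("initial_compromise", datetime(2025, 3, 3, 9, 12, tzinfo=timezone.utc)),
    Milestone("detection", datetime(2025, 3, 10, 14, 5, tzinfo=timezone.utc)),
    Milestone("containment", datetime(2025, 3, 10, 16, 40, tzinfo=timezone.utc)),
    Milestone("eradication", datetime(2025, 3, 12, 11, 0, tzinfo=timezone.utc)),
    Milestone("recovery", datetime(2025, 3, 14, 18, 30, tzinfo=timezone.utc)),
]


def timeline_metrics(timeline):
    """Dwell time, time to contain, time to eradicate and total lifecycle as timedeltas."""
    t = {m.name: m.at for m in timeline}
    return {
        "dwell_time": t["detection"] - t["initial_compromise"],
        "time_to_contain": t["containment"] - t["detection"],
        "time_to_eradicate": t["eradication"] - t["detection"],
        "lifecycle": t["recovery"] - t["initial_compromise"],
    }


def add_business_days(start, days):
    """Advance by whole business days, skipping Saturday and Sunday only (no holiday calendar)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def notification_deadlines(aware_at, personal_data=True, public_company=False):
    """Regulatory clocks, assumed here to start when the organization became aware."""
    deadlines = {}
    if personal_data:
        deadlines["GDPR Art. 33 (72 h)"] = aware_at + timedelta(hours=72)
    if public_company:
        deadlines["SEC Form 8-K (4 business days)"] = add_business_days(aware_at, 4)
    return deadlines


def filed_on_time(deadlines, filings):
    """Per deadline, True only if a filing time exists and is not after the deadline."""
    return {name: (filings.get(name) is not None and filings[name] <= due)
            for name, due in deadlines.items()}


def fmt(td):
    """Render a timedelta as days/hours/minutes for the review write-up."""
    days, rem = divmod(int(td.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


if __name__ == "__main__":
    for name, value in timeline_metrics(SAMPLE_TIMELINE).items():
        print(f"{name:<18} {fmt(value)}")
    aware = SAMPLE_TIMELINE[1].at  # detection is when the organization became aware
    due = notification_deadlines(aware, personal_data=True, public_company=True)
    # Constructed filing record: GDPR notice sent, 8-K not yet filed.
    filed = {"GDPR Art. 33 (72 h)": datetime(2025, 3, 12, 9, 0, tzinfo=timezone.utc)}
    for name, ok in filed_on_time(due, filed).items():
        print(f"{name:<32} due {due[name].isoformat()}  on time: {ok}")
```

Feeding the incident log's timestamps into `timeline_metrics` gives the review meeting the same dwell-time and lifecycle figures the IBM statistics cited on this page use, so the organization can compare its own numbers against the 241-day and 200-day benchmarks and see which phase consumed the most time.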
Section 5: Communication Templates
Internal Notification (All Staff):
SUBJECT: Security Incident — Action Required
Team,
We are investigating a cybersecurity incident affecting [brief description].
As a precaution:
- Do NOT use [affected system/email/VPN] until further notice.
- Change your password immediately at [link].
- Report any unusual activity to [IR Lead name and phone].
- Do NOT discuss this externally until authorized.
Further updates will follow within [timeframe].
— [IR Lead Name]
External Notification (Customers / Regulators):
SUBJECT: Important Security Notification from [Company Name]
Dear [Customer / Authority],
We are writing to inform you that on [date], [Company Name]
identified a cybersecurity incident involving [brief description].
What happened: [Summary of the incident]
What data was affected: [Types of data involved]
What we are doing: [Actions taken to contain and remediate]
What you can do: [Recommended actions for affected individuals]
For questions, contact: [dedicated email/phone]
We take the security of your data seriously and are committed to
transparency throughout this process.
— [Company Name]
Section 6: Key External Resources
| Resource | URL |
|---|---|
| FBI IC3 Reporting | https://www.ic3.gov |
| CISA Incident Reporting | https://www.cisa.gov/report |
| CISA Tabletop Exercise Packages | https://www.cisa.gov/cisa-tabletop-exercises-packages |
| No More Ransom Project | https://www.nomoreransom.org |
| NIST SP 800-61 Rev 3 | https://csrc.nist.gov/publications/detail/sp/800-61/rev-3/final |
| SANS Incident Handler's Handbook | https://www.sans.org/white-papers/33901/ |
Common Mistakes When Building an Incident Response Plan
- Writing a plan but never testing it — Only 30% of organizations test their IR plans. An untested plan is a document, not a capability. Run tabletop exercises at least twice a year.
- Having only one person who knows the plan — If the sole IT administrator is on vacation when the breach occurs, the plan fails. Ensure at least two people can execute each role.
- Relying on email for incident communication — If the attacker has compromised your email, they can read your entire response strategy. Establish out-of-band communication channels (phone, Signal, personal email) in advance.
- Failing to pre-negotiate external support — Calling an incident response firm for the first time during an active breach results in slower response and premium pricing. Put a retainer agreement in place now.
- Not including legal and communications from the start — Many small businesses treat incidents as purely technical problems. Legal counsel must be involved immediately to assess notification obligations. A communications lead prevents inconsistent messaging that damages customer trust.
- Ignoring the "Lessons Learned" phase — This is the most skipped phase. Without a formal post-mortem, you will repeat the same mistakes. Make it mandatory and blameless.
- Storing the IRP only digitally — If ransomware encrypts your file server and your IR plan is on that server, you have no plan. Keep printed copies in a secure physical location.
NIST vs. SANS: How This Template Combines Both
| NIST CSF 2.0 Function | SANS Phase | This Template |
|---|---|---|
| Govern + Identify + Protect | Preparation | Phase 1: Preparation |
| Detect | Identification | Phase 2: Identification |
| Respond (Containment) | Containment | Phase 3: Containment |
| Respond (Eradication) | Eradication | Phase 4: Eradication |
| Recover | Recovery | Phase 5: Recovery |
| All (Continuous Improvement) | Lessons Learned | Phase 6: Lessons Learned |
NIST SP 800-61 Revision 3 (April 2025) is the most current federal guidance and aligns incident response with the broader NIST Cybersecurity Framework 2.0. The SANS framework provides more tactically prescriptive steps. This template uses SANS sequencing with NIST governance structure — giving you both strategic alignment and operational clarity.
Citations and References
- IBM / Ponemon Institute — Cost of a Data Breach Report 2024 — $4.88 million average breach cost; organizations with tested IR plans save $1.49 million; 58% higher costs without a plan; 258-day breach lifecycle without a plan vs. 189 days with one.
- IBM — Cost of a Data Breach Report 2025 — Mean time to identify and contain a breach dropped to 241 days (nine-year low); US breach costs rose to $10.22 million.
- NIST SP 800-61 Revision 3 — Updated April 2025. Aligns incident response with CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover).
- SANS Institute — Incident Handler's Handbook — 6-phase tactical framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
- CISA — Federal Incident and Vulnerability Response Playbooks — Standardized incident response procedures and tabletop exercise packages.
- GDPR Articles 33-34 — 72-hour supervisory authority notification requirement.
- PCI DSS 4.0.1 Requirement 12.10 — Annual IR plan testing requirement for organizations processing payment card data.
How Cyberlords Can Help
A great incident response plan is only as good as its last test.
At Cyberlords, our incident response services help small businesses:
- Develop a customized incident response plan — We build an IRP tailored to your technology stack, regulatory requirements, and team size.
- Run realistic tabletop exercises — We facilitate scenario-based drills so your team practices decision-making under pressure.
- Provide retainer-based rapid response — When an incident occurs, our forensic team deploys within hours, not days.
- Conduct post-incident forensic investigations — We identify the root cause, assess data exposure, and provide court-admissible evidence.
If you need help building, testing, or activating an incident response plan, contact the Cyberlords team today.
Frequently Asked Questions
What is an incident response plan?
An incident response plan (IRP) is a documented set of procedures that guides your organization through detecting, containing, eradicating, and recovering from cybersecurity incidents. It defines roles and responsibilities, escalation paths, communication protocols, and technical procedures so your team can respond quickly and consistently under pressure. A well-tested IRP is the single most important document in your cybersecurity program.
Does a small business really need an incident response plan?
Absolutely. IBM's 2024 Cost of a Data Breach report found that organizations without a formal IR plan face 58% higher breach costs — an avoidable premium that can be devastating for a small business. Beyond cost savings, multiple regulations now mandate a documented IRP: GDPR, HIPAA, PCI DSS 4.0.1, the FTC Safeguards Rule, and SOC 2 all require documented incident response procedures. Many cyber insurance policies also require a plan as a policy condition.
How often should an incident response plan be tested?
Test your IR plan at least twice a year through tabletop exercises — facilitated discussions where your team walks through a realistic scenario and makes decisions. At least once a year, conduct a more hands-on simulation where technical staff actually practice containment and recovery procedures. CISA offers free tabletop exercise packages you can use. Organizations that regularly test their plans save an average of $1.49 million per breach compared to those that do not test.
What is the difference between the NIST and SANS incident response frameworks?
The NIST SP 800-61 Rev 3 framework (April 2025) aligns incident response with the six CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. It takes a strategic, governance-focused approach. The SANS framework uses six more tactical phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Both are widely respected and cover the same core activities. This template combines SANS sequencing with NIST governance structure for maximum clarity.
Who should be on an incident response team?
At minimum, your IRT needs five roles: an Incident Response Lead (overall coordinator), a Technical Responder (investigation and containment), Legal/Compliance counsel (regulatory assessment), a Communications Lead (internal and external messaging), and an Executive Sponsor (business decisions and resource approval). For small businesses, one person may fill multiple roles — the CEO often serves as both Executive Sponsor and Communications Lead. The most critical supplementary resource is an external IR firm on retainer for forensic support.
What regulations require an incident response plan?
Multiple: GDPR Articles 33-34 (72-hour notification), HIPAA Security Rule, PCI DSS 4.0.1 Requirement 12.10 (annual testing), the FTC Safeguards Rule (written IR plan with coordinators), SOC 2 Trust Services Criteria, the EU DORA regulation (financial sector), the EU NIS2 Directive (essential entities), and SEC cyber disclosure rules (Form 8-K within 4 business days for public companies). Many cyber insurance carriers also require a documented and tested IR plan as a policy condition.
What is the average cost of a data breach for a small business?
The global average cost of a data breach reached $4.88 million in 2024 (IBM), with US costs averaging $10.22 million in 2025. While small businesses typically face lower absolute dollar amounts, the proportional financial impact can be existential. The most actionable statistic: organizations with a tested IR plan and dedicated response team save an average of $1.49 million per breach and resolve incidents 69 days faster than those without a plan. Investing in a plan is far cheaper than recovering without one.
How long does it take to detect and contain a breach?
According to IBM's 2025 report, the mean time to identify and contain a breach dropped to 241 days — a nine-year low, partly due to more organizations detecting breaches internally rather than learning about them from attackers. However, breaches with lifecycles exceeding 200 days still cost an average of $5.46 million. A tested IR plan with defined detection procedures, escalation matrices, and pre-positioned tooling significantly reduces this timeline and lowers costs.