
Creating an Incident Response Plan: Guide for Rapid Response

Nico Freitag

A cyberattack is not a question of if, but when. Companies without an Incident Response Plan lose an average of 58% more during a security incident than those with an established plan. An Incident Response Plan (IRP) defines who does what, and when, once a security incident is detected. Without an IRP there is chaos; with an IRP, your team acts quickly and in a coordinated way.

The Six Phases of an Incident Response Plan

NIST defines six phases:

1. Preparation – Define roles, provide tools, train the team.
2. Identification – Recognize that an incident exists. SIEM systems are indispensable here.
3. Containment – Limit the damage. Short-term: isolate affected systems. Long-term: eliminate the cause.
4. Eradication – Remove malware, patch vulnerabilities, lock compromised accounts and access.
5. Recovery – Restore systems from backups.
6. Lessons Learned – What happened? What worked? What needs improvement?

Roles in the Incident Response Team

Every IRP needs a clearly defined team:

- Incident Commander – Overall responsibility, makes the decisions.
- Technical Lead – Leads the technical analysis and remediation.
- Communications Lead – Coordinates internal and external communication.
- Legal/Compliance – Assesses the legal aspects. Especially relevant for GDPR: the 72-hour reporting deadline.
- External Support – Forensics providers, lawyers, PR agency.

At Axis/Port., we offer incident response support as part of our IT security consulting.

Communication During an Incident

Communication is the most underestimated aspect of incident response.

Internal:
- Who informs management?
- What information is shared with employees?

External:
- When and how are customers informed?
- Who speaks to the press?
- When are the authorities informed?

Rules:
- Only authorized persons communicate externally
- Communicate facts, not speculation
- Use encrypted channels
- Document everything

Tabletop Exercises: Testing the Plan

A plan that has never been tested is not a plan. Tabletop exercises simulate realistic scenarios:

- Scenario 1: Ransomware attack – All servers encrypted. Details in our Ransomware Guide.
- Scenario 2: Data breach – Customer data appears on the darknet.
- Scenario 3: Insider threat – An employee copies data before leaving the company.

Exercises should take place at least semi-annually.

Technical Foundations for Incident Response

Without the proper infrastructure, no IRP can function:

Logging and Monitoring
- Central log collection (SIEM) is mandatory
- Network, endpoint and authentication logs
- Minimum 90 days retention

Forensics Readiness
- Preserve disk images
- Create RAM dumps
- Document the chain of custody

Automation (SOAR)
- Auto-isolate compromised endpoints
- Automatic ticket creation

Backup Systems
- Immutable backups for fast recovery – details in our Backup & Disaster Recovery article
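Forensics readiness in practice: the following added example (written for this page, not code from the original article or from Axis/Port.) shows a minimal chain-of-custody log in Python that records the SHA-256 of an evidence image at every handoff and later verifies that the image was not altered. The image contents, file names and handler names are constructed placeholders.

```python
# Added example: minimal chain-of-custody log for forensic evidence (disk or RAM image).
# Each handoff records the evidence SHA-256, so a later check proves the image is unchanged.
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(evidence: Path, log: Path, handler: str, action: str, note: str = "") -> dict:
    """Append one custody entry (who, when, what, hash) to a JSON-lines log and return it."""
    entry = {
        "evidence": evidence.name,
        "sha256": sha256_file(evidence),
        "handler": handler,
        "action": action,  # e.g. "acquired", "transferred", "analysed"
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(evidence: Path, log: Path) -> bool:
    """True only if the log has entries for this item and every recorded hash matches it now."""
    current = sha256_file(evidence)
    lines = [ln for ln in log.read_text(encoding="utf-8").splitlines() if ln.strip()]
    mine = [e for e in map(json.loads, lines) if e["evidence"] == evidence.name]
    return bool(mine) and all(e["sha256"] == current for e in mine)

def demo(work=None) -> tuple:
    """Constructed walk-through: two handoffs, verify, tamper with the image, verify again."""
    import tempfile
    work = Path(work or tempfile.mkdtemp())
    img, log = work / "srv01-disk.img", work / "custody.jsonl"  # constructed names
    img.write_bytes(b"constructed sample image contents")  # stand-in for a real image
    record_custody(img, log, "a.analyst", "acquired", "imaged via write blocker")
    record_custody(img, log, "b.forensics", "transferred")
    intact = verify_custody(img, log)  # True: both recorded hashes match the image
    img.write_bytes(b"tampered")  # simulate modification after the last handoff
    return intact, verify_custody(img, log)  # (True, False)

if __name__ == "__main__":
    print(demo())
```

In a real engagement the log would live on write-once storage separate from the evidence, and the handler field would name the person who physically or logically held the image at that step.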

Conclusion

An Incident Response Plan is not optional – it is mandatory. The plan must be a living document: regularly tested and updated. At Axis/Port., we support companies in creating and testing their IRPs.
