Incident Response Plan Section Catalogue In The United Kingdom
Section name | Purpose | Inclusion priority | Typical outputs |
|---|---|---|---|
Preparation | |||
Plan Scope And Objectives | Defines covered systems, incident types, objectives, assumptions, and plan limits. | Essential | Scope statement, objectives, exclusions, review schedule. |
Incident Response Roles And Responsibilities | Allocates decision-making, technical, legal, communications, and business responsibilities. | Essential | RACI matrix, role descriptions, duty rota. |
Incident Commander Authority | Confirms who leads the response and what emergency powers they hold. | Essential | Authority statement, delegation record, decision mandate. |
Emergency Contacts And Call Tree | Provides current internal and external contacts for urgent response activation. | Essential | Contact list, escalation tree, out-of-hours rota. |
Detection and reporting | |||
Plan Activation Criteria | Defines triggers for starting formal incident response procedures. | Essential | Activation decision, incident reference, mobilisation notice. |
Incident Reporting Channels | Explains how staff, contractors, suppliers, and users report suspected incidents. | Essential | Report form, hotline record, helpdesk ticket, email alert. |
Assessment and triage | |||
Initial Triage | Confirms whether an event is an incident and identifies immediate priorities. | Essential | Triage notes, preliminary impact rating, first actions list. |
Incident Classification | Categorises incidents by type, severity, impact, and urgency. | Essential | Classification code, severity level, priority rating. |
Severity Levels And Escalation Thresholds | Sets criteria for escalating incidents to management, legal, or crisis teams. | Essential | Severity matrix, escalation log, management alert. |
Business Impact Assessment | Assesses operational, financial, customer, legal, and reputational consequences. | Essential | Impact assessment, affected services list, priority decisions. |
Personal Data Breach Assessment | Determines whether the incident involves a UK GDPR personal data breach. | Essential | Breach assessment, affected data categories, risk decision. |
ICO Notification Decision | Determines whether the ICO must be notified within 72 hours. | Essential | ICO decision record, notification form, reasons for delay. |
Affected Individual Notification | Decides whether individuals must be told about a high-risk breach. | Essential | Notification script, recipient list, delivery evidence. |
Breach Register Entry | Records personal data breaches and reasons for notification decisions. | Essential | Breach register, risk rationale, accountability evidence. |
Legal Advice And Privilege Management | Sets when lawyers are engaged and how privileged material is protected. | Recommended | Legal instructions, privilege protocol, advice record. |
Evidence Preservation | Preserves logs, devices, images, and artefacts for investigation and assurance. | Essential | Evidence log, forensic image, chain-of-custody record. |
Chain Of Custody | Tracks who collected, accessed, transferred, and stored evidence. | Recommended | Custody form, access log, evidence transfer record. |
Technical Investigation | Identifies attack vectors, affected assets, indicators, and root causes. | Essential | Investigation notes, timeline, indicators of compromise, findings. |
Affected Asset Identification | Lists systems, devices, accounts, data stores, and services affected. | Essential | Affected asset list, owner list, dependency map. |
Detection and reporting | |||
Log Collection And Retention | Collects and protects relevant logs for analysis and later review. | Essential | Log bundle, retention note, SIEM export, access record. |
Assessment and triage | |||
Threat Intelligence Enrichment | Uses trusted intelligence to understand attacker methods and likely risks. | Recommended | Threat brief, IOC comparison, risk update. |
Containment | |||
Containment Strategy | Chooses short-term and long-term steps to stop further harm. | Essential | Containment plan, approved actions, residual risk note. |
Network Isolation | Disconnects or segments affected networks while preserving evidence. | Recommended | Isolation record, firewall changes, network diagram update. |
Account Suspension And Credential Reset | Stops misuse of compromised accounts, credentials, tokens, and keys. | Essential | Reset log, disabled accounts list, token revocation record. |
Privileged Access Review | Reviews administrator access for compromise, abuse, or excessive permissions. | Recommended | Admin account list, access changes, approval record. |
Malware Containment | Limits malware execution, lateral movement, and command-and-control activity. | Essential | Quarantine list, blocked indicators, endpoint actions log. |
Ransomware Response | Coordinates containment, recovery, communications, and ransom decision governance. | Essential | Ransomware playbook, recovery decision, extortion log. |
Detection and reporting | |||
Phishing And Business Email Compromise Response | Handles malicious emails, credential theft, mailbox compromise, and payment fraud. | Recommended | Email headers, takedown request, mailbox audit, fraud alert. |
Containment | |||
Exploited Vulnerability Response | Responds to exploited weaknesses in software, configuration, or exposure. | Recommended | Vulnerability record, patch plan, compensating controls. |
Assessment and triage | |||
Supplier Incident Coordination | Coordinates response where suppliers, processors, or cloud providers are involved. | Essential | Supplier notices, SLA review, processor update, action tracker. |
Detection and reporting | |||
Processor And Controller Notification | Manages breach notices between controllers, processors, and sub-processors. | Essential | Processor notice, controller update, contract notice log. |
Assessment and triage | |||
Contractual Notification Obligations | Identifies customer, lender, insurer, and partner notification duties. | Recommended | Contract review, notice tracker, deadline calendar. |
Sector Regulator Notification | Assesses whether FCA, PRA, Ofcom, or other regulators must be informed. | Recommended | Regulatory assessment, notification draft, submission evidence. |
NIS Incident Reporting Assessment | Checks whether incident reporting is required under UK NIS rules. | Recommended | NIS assessment, competent authority notice, service impact record. |
Law Enforcement Reporting | Sets criteria for reporting cybercrime, fraud, extortion, or theft. | Recommended | Action Fraud report, crime reference, police correspondence. |
Detection and reporting | |||
NCSC Reporting | Identifies when and how to report significant cyber incidents to NCSC. | Recommended | NCSC report, incident reference, advice record. |
Containment | |||
Internal Communications | Controls staff messages, instructions, and updates during the incident. | Essential | Staff briefing, FAQ, communications approval log. |
External Communications | Manages customer, partner, media, and public communications. | Essential | Holding statement, customer notice, media lines, approval record. |
Communications Approval Workflow | Requires legal, executive, and communications approval before release. | Recommended | Approval log, message version history, sign-off record. |
Media Handling | Sets spokespersons, press lines, monitoring, and enquiry handling. | Optional | Press statement, Q&A, media log, spokesperson brief. |
Customer Support Readiness | Prepares support teams for queries, complaints, and protective advice. | Recommended | Call scripts, FAQs, complaint log, escalation route. |
Crisis Management Interface | Links incident response to executive crisis management arrangements. | Recommended | Crisis escalation, executive briefing, command structure. |
Assessment and triage | |||
Board And Executive Reporting | Provides senior leaders with risk, impact, decision, and recovery updates. | Recommended | Executive brief, board update, decision paper. |
Incident Decision Log | Records key decisions, owners, reasons, timings, and approvals. | Essential | Decision log, action log, approval evidence. |
Containment | |||
Action Tracking | Tracks assigned response tasks, owners, deadlines, and completion status. | Essential | Action tracker, task updates, overdue item list. |
Situation Reports And Meeting Cadence | Sets reporting frequency, attendees, agenda, and situation report format. | Recommended | Sitrep, meeting notes, attendance log, action updates. |
Eradication and recovery | |||
Business Continuity Coordination | Connects incident response with continuity plans for critical operations. | Essential | Continuity invocation, workaround plan, service priority list. |
Disaster Recovery Invocation | Defines when technical recovery plans are invoked for affected systems. | Essential | DR invocation record, recovery runbook, service restoration plan. |
Backup Integrity Verification | Checks backups are available, uncorrupted, uncompromised, and restorable. | Essential | Backup test result, restore point decision, integrity evidence. |
Eradication Plan | Removes malware, unauthorised access, vulnerabilities, and persistence mechanisms. | Essential | Eradication steps, remediation tickets, closure evidence. |
Patch And Configuration Remediation | Applies security fixes and configuration changes to remove weaknesses. | Essential | Patch records, configuration changes, vulnerability closure report. |
System Rebuild And Hardening | Rebuilds compromised assets to a trusted and hardened state. | Recommended | Rebuild log, hardening checklist, baseline image record. |
Recovery Prioritisation | Restores services in agreed order based on risk and business impact. | Essential | Recovery priority list, restoration schedule, owner approvals. |
Recovery Validation | Confirms restored systems are secure, functional, and monitored. | Essential | Validation checklist, test results, service restoration sign-off. |
Post-Recovery Monitoring | Monitors for reinfection, attacker return, or residual compromise. | Recommended | Monitoring plan, alert review, residual risk report. |
Data Restoration And Reconciliation | Restores data and reconciles transactions, records, and integrity gaps. | Recommended | Restore report, reconciliation log, data gap list. |
Containment | |||
Payment Fraud Response | Coordinates bank contact, payment freezes, fraud reporting, and recovery attempts. | Optional | Bank notice, fraud report, payment recall record. |
Detection and reporting | |||
Cyber Insurance Notification | Ensures insurer notification and panel provider requirements are followed. | Recommended | Insurer notice, claim reference, panel appointment record. |
Containment | |||
Emergency Procurement And Spend Approval | Authorises urgent purchase of specialists, tools, infrastructure, or support. | Optional | Purchase approval, supplier engagement, cost tracker. |
Assessment and triage | |||
External Specialist Engagement | Defines when to engage forensic, legal, PR, recovery, or security specialists. | Recommended | Statement of work, engagement letter, specialist report. |
Containment | |||
Remote Working Incident Handling | Manages incidents involving home networks, personal devices, or remote access. | Optional | Remote access log, device instruction, user guidance. |
Assessment and triage | |||
Cloud Service Incident Handling | Coordinates response for cloud platforms, SaaS tenants, and shared responsibility gaps. | Recommended | Cloud logs, provider case, tenant configuration review. |
Insider Incident Handling | Manages incidents involving staff, contractors, or trusted users. | Optional | HR referral, access review, investigation notes, evidence log. |
HR And Disciplinary Coordination | Coordinates employee investigation, suspension, interviews, and disciplinary routes. | Optional | HR case note, interview record, suspension decision. |
Detection and reporting | |||
Physical Security Incident Linkage | Links cyber response to lost devices, theft, tampering, and premises breaches. | Optional | Lost device report, wipe confirmation, police reference. |
Containment | |||
Data Subject Requests During Incidents | Coordinates urgent rights requests arising from breach communications or complaints. | Optional | DSAR log, response plan, complaint escalation. |
Review and improvement | |||
Incident Records Management | Defines retention, access, storage, and ownership of incident records. | Recommended | Record index, retention decision, access list. |
Post-Incident Review | Reviews causes, decisions, response performance, and improvement opportunities. | Essential | Lessons learned report, root cause analysis, improvement plan. |
Corrective Action Plan | Tracks security, process, training, contractual, and governance improvements. | Essential | Remediation tracker, owners, due dates, closure evidence. |
Incident Metrics And Reporting | Measures detection, response, recovery, impact, and improvement performance. | Recommended | MTTD, MTTR, incident trend report, KPI dashboard. |
Preparation | |||
Testing And Exercising | Schedules tabletop exercises, simulations, and technical response tests. | Essential | Exercise plan, scenario, attendance record, improvement actions. |
Incident Response Training | Ensures staff and responders know reporting and response duties. | Recommended | Training record, attendance list, awareness materials. |
Plan Maintenance And Review | Defines ownership, review cycle, version control, and update triggers. | Essential | Version history, review record, change log, approval note. |
Template Library | Stores ready-to-use notices, checklists, forms, and scripts. | Recommended | ICO draft, customer notice, triage form, call script. |
Eradication and recovery | |||
Residual Risk Acceptance | Records accepted risks where full remediation is delayed or impractical. | Recommended | Risk acceptance, mitigation plan, executive approval. |
Review and improvement | |||
Responder Debrief And Welfare | Captures responder feedback and manages fatigue during prolonged incidents. | Optional | Debrief notes, rota changes, welfare actions. |
Assessment and triage | |||
DPO Or Privacy Lead Involvement | Defines when privacy specialists advise on breach risk and notifications. | Essential | DPO advice, privacy risk note, notification recommendation. |
Review and improvement | |||
DPIA Reassessment | Checks whether processing risks and controls need reassessment after incidents. | Recommended | Updated DPIA, control changes, residual risk decision. |
Assessment and triage | |||
Ransom Payment And Sanctions Check | Assesses legal, sanctions, insurance, and governance risks of ransom decisions. | Recommended | Sanctions check, ransom decision paper, legal advice record. |
Review and improvement | |||
Threat Information Sharing | Shares relevant indicators and lessons with trusted cyber communities. | Optional | Shared IOCs, advisory note, community posting. |
Assessment and triage | |||
Legal Hold And Claims Preservation | Preserves documents and evidence for disputes, claims, and investigations. | Optional | Legal hold notice, preservation list, custodian record. |
Review and improvement | |||
Incident Closure Criteria | Defines conditions for closing the incident and returning to normal governance. | Essential | Closure checklist, sign-off, final incident report. |
What Should A UK Incident Response Plan Include?
A UK corporate incident response plan should cover the full incident lifecycle: preparation, detection, assessment, containment, eradication, recovery, and review. The most important sections are those that create audit-ready evidence: incident classification, escalation criteria, decision logs, communications approvals, personal data breach assessment, ICO notification decisions, recovery validation, and post-incident lessons learned.
When Does An Incident Become A Reportable Personal Data Breach?
For UK GDPR purposes, an incident response plan should include a specific section for assessing whether an incident is a personal data breach and whether it must be notified to the ICO within 72 hours. The plan should also require records of non-notified breaches, because accountability duties apply even where notification is not made.
Which Sections Are Most Important For Directors And Senior Management?
Senior management need clear sections on incident roles, severity levels, escalation thresholds, legal privilege, regulatory notification, customer communications, business continuity, and board reporting. These sections help ensure urgent commercial decisions are recorded, approved, and aligned with UK data protection, cyber governance, and contractual obligations.
How Should The Plan Support Evidence And Audit Requirements?
The dataset shows that a strong plan should not only describe actions, but also specify outputs. Key outputs include incident tickets, triage notes, forensic preservation records, notification assessments, containment decisions, recovery sign-offs, communications logs, and post-incident improvement trackers.
What Makes An Incident Response Plan Practical Rather Than Theoretical?
The plan should assign ownership for each phase, define decision points, and include templates for high-pressure tasks. Practical UK plans usually include contact lists, call trees, severity matrices, supplier escalation routes, ICO notification workflows, law enforcement referral criteria, and tested recovery procedures.

FAQs
You Might Also Be Interested In



