What Is an Incident Management Plan?

An incident management plan is also known as an incident response plan or emergency management plan. It is a business document that helps an organization return to normal operations as soon as possible after an unforeseen event. The plan also identifies possible weaknesses in the system, mitigates the impact of various situations, and limits the effect on the organization's reputation, operations, and finances. With the present increase in security issues, including ransomware attacks and data breaches, organizations must have a system in place to mitigate and recover from these situations. Instead of waiting for such events to happen, companies must be proactive and put an incident management plan in place. The plan is the make-or-break point of the company's response effectiveness. Incident management can also be part of a larger planning document, such as the overall business continuity management plan. How services are restored, and which temporary solutions are used, depends on the impact and severity of the event. Generally, the incident management plan focuses on recognizing an incident, assessing the situation, notifying affected individuals or departments, organizing and mobilizing response techniques and resources, and documenting the recovery process.

According to Securelist's Incident Response Analyst Report 2019, data from incident victims show that less than a quarter of the requests received are false positives, mostly suspicious files or activity in systems. True-positive requests include the discovery of suspicious and encrypted files and alerts from security tools. Most incidents happen in the Middle East (32.6 percent), the European Union (24 percent), and the Commonwealth of Independent States (21.7 percent).

Components of an Incident Management Plan

An incident management plan is a vital document in ensuring that a company can function after an unforeseeable event. The contents of the plan must communicate the necessary responses the organization must perform to make sure that operations can continue as soon as possible. Below are the essential elements that the incident management plan must contain.

  • Introduction: The introduction section contains the essential components covering the incident management plan. It outlines the specific goals, scope, and guiding principles of the action plan. The section highlights the purpose of the plan, which acts as the guide for the rest of the document. The introduction must also state the limitations and assumptions of the plan, especially those made during the initial planning phase. It is best to state in the document what the plan intends to accomplish and what it cannot.

  • Incident identification and first response: The company must identify the possible forms an incident can take. For each of these events, the plan must state whether the plan is activated and who is responsible for administering the process. It must also indicate possible meeting locations and channels of communication. It is practical to be more specific in this section of the plan, especially if workers are in mixed work setups.

  • Resources: The people responsible for responding to incidents need the proper supplies and equipment when an incident occurs. The resources a company needs range from spare cables and chargers to notepads and contact cards, among other things. These items must be kept on hand in the office area and at hosting facilities at all times. The requirements for these go bags, including their contents and their review, replacement, and maintenance schedules, are written in this section of the plan.

  • Roles and responsibilities: Crises come at the most unexpected times, and an organization can never be too ready for them. Some employees may not be present, or deadlines may be just around the corner. It is necessary to define the roles and responsibilities of the incident response team and its members, including secondary or backup contacts in case of unavailability. When an incident happens, time is of the essence, and everyone must be on the same page to act on the event. These activities can range from establishing client communications and support notifications to the other tasks listed in the plan.

  • Detection and analysis: The detection and analysis section is one of the most important sections of the incident management plan. It details the steps for identifying and detecting an incident, including the guidelines for reporting, investigating, and containing detected threats. This section of the plan is scenario-focused, because how the company recognizes and responds to an incident depends on its type and severity. For a cybersecurity attack, an organization can build its response from templates, web examples, and brainstorming exercises, and at most seek the assistance of external cybersecurity experts who have faced similar threats and can provide real-life data. Gathering information about these techniques helps the company produce playbooks, which become the main focus of this section.

  • Containment, eradication, and recovery: This is the most technical section of the plan. It outlines the methods for limiting the scope of the threat. It also describes the containment and isolation procedures for a cyberattack, such as shutting down systems to prevent spread across the organization and isolating unaffected systems. The section outlines the strategies for eradicating threats and recovering affected systems, with recovery techniques being the priority. When handling ransomware, eradicating the infection by restoring from backup is the solution. Whatever approach the incident management team takes, record the recovery time objective and recovery point objective. Tolerance for downtime and data loss are critical factors in structuring responses, circling back to the original analysis of risk acceptance. Considerations for cyber forensics and the retention period for incident logs also belong in this section of the plan.

  • Incident communications: The incident communications section builds on the previous two sections and details the procedure for handling the communications protocol and its management. It details notification methods and the involvement of responding personnel, cybersecurity consultants, third-party providers, regulators, law enforcement, and other legal and cybersecurity specialists. An effective incident emergency response plan needs coordination and team effort, so it is essential to identify and document all the moving parts to ensure a smooth flow of communication and operation.

  • Retrospective: After an incident is resolved, the company performs a retrospective. The first step is to determine the origin of the security breach and prepare a prevention plan to prevent similar incidents and address the necessary changes. The second step is to review how well the plan was executed, since poor execution leads to a more serious breach. Recognize the team members who performed well, and provide additional training to those who did not. This gives the company and its employees time to learn and improve.

  • Appendices: The appendix section contains reference materials and documents, depending on the length and scope of the incident management plan. Many organizations maintain physical copies of the plan and its references in the unlikely event that computer systems are unavailable. The resources include network infrastructure diagrams; backup and snapshot schedules; incident logs; security solution documents; web and cloud service connections; contact lists; risk, severity, and impact tables; and update, testing, and revision schedules.

How to Develop an Incident Management Plan

In terms of cyber security, the goal of the incident management plan is to address detected data breaches through a series of phases. In each phase, the members of the incident management team carry out specific tasks and consider possible solutions. Below are the phases to follow when developing the incident management plan.

  • 1. Preparation Phase

    The initial step of the incident management plan is the workhorse and the most crucial phase for protecting the business. During the preparation phase, the organization ensures that all employees have the proper training and knowledge of their roles and responsibilities in the event of a security breach. Incident response drills and possible scenarios must also be developed, including regularly running mock data-breach exercises for evaluation. In the preparation phase, the organization also approves the budget needed to implement the plan. The management plan must be well documented, highlighting personnel duties and test results, to guarantee the best response.

  • 2. Identification Phase

    In the identification phase, the incident management team determines whether a security event or data breach has occurred; it can originate from many different areas. In this step, the team members must identify the time of occurrence, the method of discovery, the person responsible, the impacted areas, the scope of the compromise, the operational implications, and the point of entry.

  • 3. Containment Phase

    On first discovering a breach, the instinctive response is to delete everything. Doing so hurts the company in the long run, because it destroys the evidence needed to determine the source of the breach and, from there, to develop a plan that prevents its recurrence. Instead, contain the breach to stop it spreading to other systems and causing further damage to the organization. Try disconnecting devices from the internet, and prepare to carry out short-term or long-term containment strategies. Setting up system backups also helps with restoring business operations. It is advantageous to perform system updates and patches, scan remote access protocols, change user and administrative access credentials, and strengthen passwords.

  • 4. Eradication Phase

    After containment, the next step is to find and remove the root cause of the breach. Securely remove all malware, patch and harden all systems, and apply the necessary updates. The company has the option of hiring a third-party specialist to perform these steps thoroughly. If malware or security issues remain in the systems, there is still a risk of losing data and incurring liability.

  • 5. Recovery Phase

    In this step, the responsible personnel take the time to restore affected systems and devices and bring them back into business operations. At this point, take the steps needed to get the company running again without fear of running into another breach. It is also advisable to keep monitoring systems and devices and to prepare the tools needed to counter any recurrence of the attack.

  • 6. Lessons Learned

    After the overall incident investigation, hold a post-incident meeting with the incident management team members and discuss all relevant information and lessons from the event. This step allows the company to analyze and record the details of the breach. The team then determines which processes and techniques were successful and identifies any remaining holes in the system. This step strengthens responses to future attacks.

What are the five stages of the incident management process?

The five steps of incident resolution include incident identification and categorization, incident notification and escalation, incident diagnosis and investigation, resolution and recovery, and closure.

What is the KPI for incident management?

Key performance indicators are measurement tools that help organizations determine whether they are reaching their business goals. In terms of incident management, the metrics that must be present include the number of incidents, the resolution time, and the average time between incidents.
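The three KPIs named above, together with the recovery time objective (RTO) and recovery point objective (RPO) that the containment, eradication, and recovery section says every incident should record, are easy to state but easy to compute inconsistently (for example, by counting open incidents in the resolution-time average). The following Python script is an added example, not part of the article or of any sample plan it links to: it computes the incident count, mean time to resolve, and mean time between incidents from a small set of constructed incident records, and checks each incident's downtime and data-loss window against an assumed 2-hour RTO and 4-hour RPO. The record fields, the sample timestamps, and the objective values are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed incident record. Field names are an assumption for this example.
@dataclass
class Incident:
    ident: str
    detected_at: datetime
    resolved_at: Optional[datetime]          # None while the incident is still open
    last_good_backup_at: Optional[datetime]  # None if no restore from backup was needed
    restored_at: Optional[datetime]          # when service was back for users (None if not yet)

# Assumed tolerances for downtime (RTO) and data loss (RPO); a real plan sets these per system.
RTO = timedelta(hours=2)
RPO = timedelta(hours=4)

# Constructed sample data: three incidents, the last one still open.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 15, 0),
             datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 13, 0)),
    Incident("INC-002", datetime(2024, 3, 8, 9, 0), datetime(2024, 3, 8, 11, 0),
             None, datetime(2024, 3, 8, 10, 0)),
    Incident("INC-003", datetime(2024, 3, 11, 9, 0), None,
             datetime(2024, 3, 11, 8, 30), None),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def incident_count(incidents: list[Incident]) -> int:
    # KPI 1: every recorded incident counts, open or closed.
    return len(incidents)


def mean_time_to_resolve_hours(incidents: list[Incident]) -> Optional[float]:
    # KPI 2: average detection-to-resolution time over *closed* incidents only;
    # an open incident has no resolution time yet and must not drag the average down.
    durations = [_hours(i.resolved_at - i.detected_at)
                 for i in incidents if i.resolved_at is not None]
    return mean(durations) if durations else None


def mean_time_between_incidents_hours(incidents: list[Incident]) -> Optional[float]:
    # KPI 3: average gap between consecutive detection times (needs at least two incidents).
    times = sorted(i.detected_at for i in incidents)
    if len(times) < 2:
        return None
    return mean(_hours(later - earlier) for earlier, later in zip(times, times[1:]))


def check_recovery_objectives(incident: Incident, rto: timedelta, rpo: timedelta) -> dict:
    # Downtime is measured from detection to restoration and compared with the RTO;
    # the data-loss window is measured from the last good backup to detection and
    # compared with the RPO. A check that cannot be made yet is reported as None.
    result = {"ident": incident.ident, "rto_met": None, "rpo_met": None}
    if incident.restored_at is not None:
        downtime = incident.restored_at - incident.detected_at
        result["downtime_hours"] = _hours(downtime)
        result["rto_met"] = downtime <= rto
    if incident.last_good_backup_at is not None:
        data_loss = incident.detected_at - incident.last_good_backup_at
        result["data_loss_hours"] = _hours(data_loss)
        result["rpo_met"] = data_loss <= rpo
    return result


def kpi_summary(incidents: list[Incident]) -> dict:
    return {
        "incident_count": incident_count(incidents),
        "mean_time_to_resolve_hours": mean_time_to_resolve_hours(incidents),
        "mean_time_between_incidents_hours": mean_time_between_incidents_hours(incidents),
        "recovery_objectives": [check_recovery_objectives(i, RTO, RPO) for i in incidents],
    }


if __name__ == "__main__":
    for key, value in kpi_summary(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the sample data the summary reports three incidents, a mean time to resolve of 4 hours (INC-003 is excluded because it is still open), and a mean of 120 hours between incidents; INC-001 misses both its RTO (4 hours of downtime) and its RPO (7 hours since the last good backup), which is exactly the kind of finding the retrospective section should feed back into the plan.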

What is an IR plan?

An IR plan or an incident response plan is more common terminology for the incident management plan. It details pre-determined instructions and processes to detect, respond to, and limit possible data breaches in organizational systems.

Every organization must ensure the safety of its resources, especially those held within its systems. It is better to be proactive than reactive when it comes to handling security breaches in the business. As early as possible, prepare mitigation methods and processes that will help the organization when an unforeseen event occurs. Design your incident management plan by downloading the samples available in the article, and ensure that your company is ready for any incident that comes your way.