
A CISO’s Guide to Developing an Incident Response Plan


Every company needs a cybersecurity incident response plan. Without one, you may waste time deciding how to respond to an incident, resulting in more damage to your organization. Here’s more information on how CISOs can develop an effective incident response plan.

Some cybersecurity insurance policies require an incident response plan, but every company should have one ready so everyone immediately knows what steps to take in case of a cybersecurity incident.

Even if you outsource your cybersecurity management, it’s still essential to document your internal response plan. It should state how to reach your managed security services provider (MSSP) and outline any responsibilities for your team.

What to Include in an Incident Response Plan

Creating a comprehensive incident response plan requires a lot of detail. If you’re creating one for your organization, here is some of the most important information to include:

Incident definition

An “incident” can mean different things to different organizations. Spell out what constitutes an incident, how it will be identified, and the potential impacts. It’s also useful to define other terms that you reference in your document.  

Roles and responsibilities

Identify who is part of the incident response team and who will make the call about when the incident response plan should be activated. It’s also important to note who needs to be notified of an incident. Include when and how to contact them, as well as how often to update them.

Preparation and reporting

Outline your preparation strategies, including documentation, procedures, workflows, software handling, network diagrams, and asset inventories. Review reports and credentials necessary for the investigation. 

Identification and assessment

Determine how you will identify and verify an incident. This often involves a notification via an employee or detection tool, then a preliminary investigation by the incident response team leader. 

Containment and intelligence

Your containment strategy will depend on the type of incident, so you may need multiple plans for how to contain the threat and limit any damage. 


Eradication

This phase should eliminate and clean up the threat. It includes updating software, installing patches, and changing passwords. The phase may also include a full removal and re-installation of systems.


Recovery

Plan how you will restore systems and data so that they’re functional again. It’s often useful to work with a managed security services provider in this phase to ensure a full recovery and help prevent future attacks.

Lessons learned

Make a plan to look back on what happened before, during, and after the incident. Determine how you can protect your organization against that kind of incident occurring again.

How Cybersecurity Management Pros Craft Incident Response Plans

You can create an incident response plan internally, work together with a cybersecurity services consultant, or hire a managed security services provider to create it for your company.

However you decide to create yours, it’s important to get input from across your organization. An incident is likely to impact many departments and even critical business processes.

As an MSSP, Corsica is experienced in creating incident response plans and customizing them for each organization’s environment. We can do everything from reviewing an existing plan to developing the plan in its entirety.

Be Prepared for Cyber Incidents

If you’d like your organization to be better prepared with an incident response plan or other cybersecurity protections, schedule a security assessment with a Corsica security consultant today.

Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the cybersecurity industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
