Incident Response Plan

Step-by-step incident response procedure covering detection, containment, eradication, and recovery. Maps to SOC 2 CC7.3-CC7.5. This free, professionally written template from Proveably is ready to download in multiple formats and customise for your organisation. No account required.

A complete incident response plan with severity classification matrix, RACI chart, communication templates, and post-incident review process. Designed for startup and SMB security teams.

soc2 iso27001 hipaa
700 words ~15 min read 0 downloads Free
Link copied!
Free

No account required

Browse All Templates
Categoryplan
Formatmarkdown
Downloads0

Why You Need This Incident Response Plan

A well-documented Incident Response Plan is essential for organisations pursuing compliance certifications and building trust with customers, partners, and auditors. Without formal documentation, your organisation faces several risks:

  • Audit failures — Auditors specifically check for documented policies. A missing or incomplete plan is one of the most common reasons organisations fail SOC 2, ISO 27001, or other compliance audits.
  • Security gaps — Without clear guidelines, employees and contractors may follow inconsistent security practices, creating vulnerabilities.
  • Regulatory exposure — Many regulations (GDPR, HIPAA, PCI DSS) require documented policies. Non-compliance can result in fines and legal liability.
  • Lost business opportunities — Enterprise customers increasingly require vendors to demonstrate formal security policies before signing contracts.

This Proveably template gives you a professional starting point that covers industry best practices and maps directly to compliance framework requirements.

Compliance Framework Requirements

This template is designed to satisfy requirements from the following frameworks:

soc2

This template addresses key soc2 control requirements with pre-mapped sections and audit-ready language.

iso27001

This template addresses key iso27001 control requirements with pre-mapped sections and audit-ready language.

hipaa

This template addresses key hipaa control requirements with pre-mapped sections and audit-ready language.

Specifically mapped control codes: CC7.2, CC7.3, CC7.4, CC7.5, A.16.1

Template Preview

# Incident Response Plan ## 1. Purpose This plan establishes procedures for detecting, responding to, and recovering from security incidents at **[Company Name]**. ## 2. Scope This plan covers all security incidents affecting **[Company Name]** systems, data, employees, or customers. ## 3. Severity Classification | Severity | Description | Examples | Response Time | |----------|-------------|----------|---------------| | **P1 — Critical** | Active data breach, system compromise | Customer data exfiltrated, ransomware, production down | **15 minutes** | | **P2 — High** | Significant threat, no confirmed breach | Malware detected, unauthorized access attempt succeeding | **1 hour** | | **P3 — Medium** | Potential threat requiring investigation | Suspicious login patterns, phishing email reported | **4 hours** | | **P4 — Low** | Minor issue, no immediate risk | Policy violation, failed brute force attempts | **24 hours** | ## 4. Incident Response Team | Role | Responsibility | Primary | Backup | |------|---------------|---------|--------| | **Incident Commander** | Overall coordination, decisions | [Name] | [Name] | | **Technical Lead** | Investigation, containment | [Name] | [Name] | | **Communications Lead** | Internal/external communications | [Name] | [Name] | | **Legal Counsel** | Regulatory, legal obligations | [Name] | [Name] | ## 5. Response Phases ### Phase 1: Detection & Triage (0-30 min) 1. Receive alert from monitoring, employee report, or external notification 2. Initial triage — confirm incident is real (not false positive) 3. Classify severity (P1-P4) 4. Activate incident response team for P1/P2 5. Create incident channel (e.g., #incident-YYYY-MM-DD in Slack) 6. Begin incident log with timestamps ### Phase 2: Containment (30 min - 2 hours) 1. **Short-term containment**: Isolate affected systems (network segmentation, disable accounts) 2. Preserve evidence (disk images, memory dumps, log snapshots) 3. Assess blast radius — what systems/data are affected? 4. Implement temporary workarounds to restore service if safe 5. Notify leadership for P1/P2 incidents ### Phase 3: Eradication (2-24 hours) 1. Identify root cause and attack vector 2. Remove malware, unauthorized access, compromised credentials 3. Patch vulnerable systems 4. Reset affected credentials 5. Verify no persistence mechanisms remain ### Phase 4: Recovery (24-72 hours) 1. Restore systems from clean backups if needed 2. Re-enable services in staged approach 3. Enhanced monitoring for recurrence 4. Verify data integrity 5. Confirm all indicators of compromise (IOCs) are resolved ### Phase 5: Post-Incident Review (within 5 business days) 1. Conduct blameless post-mortem meeting 2. Document timeline, root cause, impact, and actions taken 3. Identify lessons learned and improvement actions 4. Update runbooks and playbooks 5. File regulatory notifications if required (GDPR: 72h, HIPAA: 60 days) ## 6. Communication Templates ### Internal Notification (P1/P2) > **Security Incident Alert — [Severity]** > We have detected a security incident affecting [systems/data]. The incident response team has been activated. Please do not discuss this incident outside of #incident-[date]. Updates will be provided every [30 min / 1 hour]. ### Customer Notification (if data breach confirmed) > We are writing to inform you of a security incident that may have affected your data. We detected [brief description] on [date]. We immediately [actions taken]. [What data was affected]. [What we are doing]. [What you should do]. ## 7. Evidence Preservation All evidence must be preserved in accordance with legal hold requirements: - System logs (retain 1 year minimum) - Network packet captures - Disk and memory forensic images - Email communications related to the incident - Screenshots and notes ## 8. Regulatory Notifications | Regulation | Notification Deadline | Authority | |------------|----------------------|-----------| | GDPR | 72 hours | Supervisory Authority | | HIPAA | 60 days | HHS + affected individuals | | SOC 2 | Auditor notification at next assessment | Auditor | | State breach laws | Varies (typically 30-60 days) | State AG + affected individuals | --- *Approved by: [Name, Title]* *Effective Date: [Date]* *Version: 1.0*

Frequently Asked Questions

An Incident Response Plan is a formal plan that step-by-step incident response procedure covering detection, containment, eradication, and recovery. maps to soc 2 cc7.3-cc7.5. It provides a structured framework for organisations to document and enforce security and compliance requirements.
Yes. Proveably provides this Incident Response Plan template completely free of charge. You can download it in Markdown, PDF, Word, Excel, or plain text format — no account required.
This plan is mapped to soc2, iso27001, hipaa. It includes the specific control references and requirements needed to satisfy auditor expectations for these frameworks.
Download the template in your preferred format, then customise the bracketed placeholder sections with your organisation's specific details. Review with your security team or compliance officer, get management approval, and distribute to relevant staff. Proveably recommends reviewing and updating this plan at least annually.
Absolutely. This template is designed as a starting point. All sections should be tailored to your organisation's size, industry, and specific compliance requirements. The placeholder text indicates sections that require customisation.

Tags

incident-response security breach essential plan

Automate Your Compliance

Go beyond templates. Proveably automates evidence collection, continuous monitoring, and audit preparation for SOC 2, ISO 27001, and more.

Start Free Trial

Report a Bug

Help us improve by reporting issues

Screenshot
Page:
Browser:
Time:

Bug Report Submitted

Thank you! We'll investigate this issue.