The Importance of an Effective Cyber Incident Response Plan

Following our previous post which discussed the basics of GDPR, this second article examines the qualities of an effective Cyber Incident Response Plan (CIRP) and what steps your organisation can put in place to ensure optimal preparation for the changing data-protection laws.

If you haven’t read the first article in this series, the link is here – we recommend reading it to help put the information here in context.

What is a Cyber Incident Response Plan?

By definition, a CIRP is the set of formulated steps an organisation has put in place to follow should they experience a data breach incident. The incident could be something as small as the administrator account for a service being locked out, or a member of staff being accused of data theft, right through to a full-blown system’s compromise by external attackers. The CIRP sets out who should do what, and when, to limit the breach, exclude and identify the attackers and remediate the system. As part of GDPR, the CIRP should also include clearly defined steps around data loss notification to the ICO.

Why is a CIRP important?

Despite best-efforts, data-breach incidents are always going to occur. The controllable aspect is how your company prepares itself to deal with these events. The importance of a CIRP has never been greater – without one, an organisation’s IT systems, day-to-day operations and business reputation are all at significant risk.

In the event of a data breach incident, a company without a CIRP will typically experience a reduced understanding of the complexity and scope of the threat and therefore how to respond effectively. In recent months, household names such as Talk-Talk, Equifax and even Deloitte have shown the speed at which data breaches can spiral out of control if an effective IR plan is not in place, or if it is not handled in the correct way.

With a well thought out CIRP it is possible for an organisation to suffer a significant breach or other data related incident, handle it well and move on with minimal impact.

The Importance of an Effective Cyber Incident Response Plan 2

What comprises a good CIRP?

To build an effective CIRP you need to be aware of where your information assets reside, the protections surrounding them, the potential impact of losing them and the threats the information assets face. This risk awareness will provide the information security framework for your unique requirements, highlighting the actions and controls that need to be put in place.

This part is essentially a standard ISO27001 risk assessment exercise, the CIRP will then take the output of that mini-assessment and provide a framework for handling incidents that threaten the organisations information assets, using a common-sense combination of human structures, workflow processes and staff training.

For a CIRP to be efficient it must encompass all potential sources of data loss, you need to be as prepared for a network intrusion as you are for an employee leaving a file on the bus. Other topics typically covered by your CIRP may include business impact mitigation, cyber insurance integration, crisis decision making and media relations. Another important quality of an effective CIRP is the codified interaction with stakeholders, internal teams like the Board and external ones such as law enforcement, regulatory bodies, and of course the ICO.

Necessary Steps

Know your data

Your first step should be the mapping out and locating of all Personally Identifiable Information (PII) held by the organisation. It is important to include any data held outside of your perimeter in this initial step, for example, data in external hard-drive storage, off-site backups, cloud storage and so on. 

Establish and Incident Response Team

The IR team needs to be comprised of senior staff with the authority to make decisions without the need to have these ratified by others. Ideally, heads of departments who report directly to the CEO or the Board. The composition of the IR Team will include obvious candidates, such as the Head of IT and the Chief Information Security Officer – but it also has some less obvious members including the Head of HR, the Head of Public Relations or Marketing and of course someone from Legal. The IR Team should, where possible, have an odd number of members to ensure that decision deadlocks never happen.

It is also important for at least one Board member to be on the team, not only to give the team the authority it requires to get things done but also to act as a liaison with the Board so they are aware of the ongoing nature of the incident as it unfolds and can take business related decisions as appropriate.

Each organisation is different – not every organisation has a CISO, for example. A partnership, such as a law firm won’t have a Board, but equivalents exist and the structure is flexible enough to fit the vagaries of modern organisational hierarchies with a little imagination.

Create a set of detailed workflows with prioritised actions

A clear workflow of actions will provide the IR Team with a step-by-step guide put together in a calm, considered manner beforehand of what to do in the case of a data breach incident. These are typically categorised by incident-type and comprise an ever-growing library of processes to follow to ensure a successful outcome. They will minimise confusion and panic and provide a universal action plan.


The most effective way to pick up on any issues with your CIRP is testing. By simulating situations which could happen in real life to cover technical controls, employee’s responses, processes and policies, the testing process can be made as accurate as possible. It is often helpful to engage an external specialist company to come in and run this exercise with you, allowing you to focus on the IR process rather than the logistics of the exercise itself.

To prevent what starts as a minor inconvenience from developing into a corporate crisis, it’s critical to have both an IR plan and immediate access to an IR specialist who is able to provide expert advice and guidance with a simple phone call. Setting this up may seem like a huge task especially with GDPR laws coming into effect so soon, but First Response is here to help.

How can First Response help?

First Response are incident response specialists. We can provide a scaled response strategy to assist your organisation in preparing for and responding to cyber-security incidents, balancing internal and external expertise and resources.

We offer three example levels of Cyber Incident Response Plan: Bronze, Silver and Gold, providing a flexible and appropriate solution for the size and nature of your organisation.

Each level of our plans provides you with two of our Incident Response Specialists who visit your premises to meet your key management, and IT staff to discuss your business processes, your data workflows, and the nature of your IT infrastructure and the role IT plays in your day-to-day operations.

We have encountered a wide range of attack and data loss scenarios over the years, and keep ourselves up-to-date with the latest attack techniques and threats. First Response deal with incidents every day and are practised in which responses are most appropriate in any given situation.

We will conduct a review which includes an examination of your existing information security policies and procedures, together with your business continuity and disaster recovery plans. The review helps us (and you) to develop a clear, up-to-date, and complete understanding of your network topology and defences. In the event of a cyber-security incident, we are able to hit the ground running and start the process of remediation smoothly and efficiently.

Once this on-site review has taken place we will prepare a Cyber Incident Response Plan tailored to your organisation. Aspects of this include:

  • Detailed information highlighting areas of concern, with our recommendations on how to address these
  • Establish an IR Team, defining the roles and responsibilities of relevant members of the organisation
  • Train internal First Responders with the skills needed to react appropriately to the initial impact of an incident
  • Provide a framework for the organisation’s management to know what decisions should be made, and understand the significance of these as they relate to the incident timeline
  • A direct 24/7 line of contact with your First Response IR Specialist who can provide advice and guidance in the event of an incident. If your Incident Response process is invoked we can make arrangements our IR Team to attend on-site if necessary.

The GDPR laws coming into effect in May next year mean an effective response to data loss is now an essential component for both the survival and continued growth of any organisation.

For more information on how First Response’s Cyber Incident Response Plans can help your organisation please call us on:

+44 (0) 207 1934905

or email us at:

Further detail on our Cyber Incident Response Plan is available here.