Implement your incident response plan

Most organisations will (or should)  have a disaster recovery plan that covers, among other things, cyber security incidents.

If IT systems are managed within your organisation, your Chief Technical Officer (or equivalent) will normally have responsibility for reviewing and implementing the incident response plan. If IT services are outsourced, you will need to co-ordinate closely with the outsource provider.

If you have an internal incident management (IM) plan covering cyber security incidents, put it into action. The plan should cover:

  •  a working definition of a cyber security incident
  • procedures for preliminary assessment of the incident
  • internal response procedures
  • an external communications strategy (see Media relations)
  • names and emergency contact details for key individuals in the IM team (see Activate the incident management team)
  • an escalation process for certain procedures within the incident response plan to avoid delays caused by unforeseen circumstances, such as IM members being unavailable

Consider whether the people handling incident-related issues "on the ground" know what to do - and what not to do - in line with your IM plan. 

For more information, see Developing and implementing a response plan