Incident Response

Incident Response Plan

A comprehensive incident response plan template aligned to NIST SP 800-61, ISO 27035, and SOC 2 for preparing, detecting, containing, and recovering from security incidents.

22-26 pages | Updated 2026-02-15 | 3 frameworks

What's Included

1. Purpose & Scope

Defines the objective and scope of the incident response plan, including covered incident types.

Plan Objective, Incident Definition, Scope of Coverage

2. Incident Response Team

Defines the composition, roles, and responsibilities of the incident response team.

Team Structure, Role Definitions, Contact Directory, Escalation Authority

3. Incident Classification

Establishes a severity classification system for prioritising incident response efforts.

Severity Levels, Classification Criteria, Impact Assessment Matrix

4. Preparation

Outlines preparedness activities including tools, training, and communication infrastructure.

Tools & Resources, Training & Exercises, Communication Channels, External Contacts

5. Detection & Analysis

Defines processes for detecting and analysing potential security incidents.

Detection Sources, Initial Triage, Evidence Preservation, Root Cause Analysis

6. Containment, Eradication & Recovery

Outlines strategies for containing incidents, eliminating threats, and restoring operations.

Short-Term Containment, Long-Term Containment, Eradication Steps, System Recovery

7. Post-Incident Activities

Defines post-incident review and improvement processes.

Lessons Learned Meeting, Documentation Requirements, Process Improvements, Evidence Retention

8. Communication & Reporting

Establishes internal and external communication protocols during and after incidents.

Internal Communication, External Notification, Regulatory Reporting, Media Management

Frequently Asked Questions

What should an incident response plan include?

A comprehensive incident response plan should include purpose & scope, incident response team, incident classification, preparation, and more. This template covers 8 key sections aligned to NIST SP 800-61, ISO 27035 and SOC 2 requirements.

Which frameworks require an incident response policy?

Major frameworks requiring incident response policies include NIST SP 800-61, ISO 27035 and SOC 2. This template maps directly to their control requirements, making it easier to demonstrate compliance across multiple standards.

How often should an incident response plan be reviewed?

Best practice is to review your incident response plan at least annually, or whenever significant changes occur in your organisation, technology environment, or regulatory landscape. Most frameworks, including ISO 27001 and NIST CSF, require documented policy review cycles.

Build Your Compliance Programme

Pair this policy template with our compliance platform to map controls across 693+ frameworks, run self-assessments, and get AI-powered compliance advisory.