
Cyber Incident Response Plan Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact demonstrates that your company has a written, structured plan to handle cyber incidents. Cyber Essentials requires this because when disaster strikes — ransomware, phishing, or even a defaced website — you need more than panic and guesswork. A documented plan shows you’re ready to act quickly, assign responsibilities, and recover effectively.


2. What You Will Submit

You will need:

  • Your Cyber Incident Response Plan (CIRP) document, based on the policy/procedure template.

  • At a minimum, it should include:

    • Version history (effective/review dates, owner).

    • Introduction and scope (which staff/systems are covered).

    • Roles and responsibilities (e.g. CEO as Incident Lead, IT Manager as Technical Lead, PR Head as Comms Lead), with a named deputy for each role and out-of-band contact details (mobile numbers, not only corporate email, which may be unavailable during an incident).

    • Playbooks for common incident types (e.g. DDoS, malware/ransomware, phishing, website defacement, data breach).

    • Post-incident review template (to record lessons learned).


3. How to Collect / Obtain / Generate This Evidence

  • If you are using StrongKeep, complete the CIRP template provided in the platform and upload it.

  • If you are starting from scratch:

    1. Open the Cyber Incident Response Plan Template.

    2. Fill in your company details, contacts, and version history.

    3. Assign incident roles (Incident Lead, Technical Lead, Comms Lead, Secretary).

    4. Draft playbooks for at least these five common incident types:

      • Distributed Denial-of-Service (DDoS)

      • Malware / Ransomware

      • Phishing / Scam

      • Website Defacement

      • Data Breach

    5. Include a post-incident review form with fields such as date, personnel involved, timeline, impact, summary, root cause and improvements.

    6. Save the document, then review it at least annually and update it after every real incident or exercise.


4. Evidence Format

  • Accepted file types: DOCX, PDF.

  • Suggested naming format:
    YourCompanyName_CIRP_YYYY-MM-DD.pdf


5. What “Good” Looks Like

  • Version control and ownership — shows it’s maintained, not abandoned.

  • Clear roles and contacts — no confusion during a crisis.

  • Detailed playbooks — step-by-step response for common incidents.

  • Review template included — proving you’ll learn from past incidents.

Why this matters: auditors want to see that you’re not improvising when chaos hits, but following a well-rehearsed plan.


6. Tips

  • Keep contacts updated: old phone numbers or missing staff will undermine your plan. Keep a printed or offline copy as well; if the plan lives only on systems that ransomware has encrypted, you will not be able to open it when you need it.

  • Test your CIRP at least once a year with a tabletop exercise that walks through one of the playbooks, and record the outcome in the post-incident review template.

  • If IT is outsourced, include the vendor in the roles & responsibilities: named contacts, the escalation path, and the response times they have committed to in the contract.