
Getting started with a Cyber Incident Response Plan (CIRP)

Billy Ruston, Resilience Consultant

Every business should have a Cyber Incident Response Plan (CIRP), and any business that handles sensitive data, operates under regulatory requirements, or wants to protect its reputation cannot do without one. Unfortunately, many organisations still rely on outdated documents that have been sitting on a shelf, or worse, only realise that a CIRP is needed mid-crisis.

Getting started might seem daunting, but the good news is that a CIRP doesn’t need to be perfect from day one. It should start simple and evolve alongside your business, integrating with broader incident response and business continuity planning as your organisation matures.

We spoke to PGI Resilience Consultant, Billy Ruston, about how businesses looking to create—or even just update—their CIRP should get started, what they should cover, and how organisations should evolve their cyber planning into a comprehensive resilience framework.


At what point in a business’ growth should a CIRP be created? When should this evolve into a broader IRP?

“Early. If a business handles any sensitive data, has a governance structure, or any contractual or regulatory requirements, a CIRP should be developed to provide assurance. It focuses on the immediate ‘hands-on’ actions taken by technical teams when a cyber incident occurs.

An IRP, on the other hand, looks at the broader strategic business response to incidents (not just cyber). Most organisations realise the need for an IRP while updating their CIRP as questions arise like: ‘Who escalates this?’ ‘Who makes this call?’ It’s not a critical mass thing where ‘a full plan is now required’, but the plan should start basic and grow and mature alongside the business.”


Who is responsible for developing a CIRP and who should be involved for it to be effective?

“Usually, the Head of IT or the SOC Manager is responsible for developing the CIRP, but input is required from all technical teams and application owners in the business. Senior Leadership don’t manage the actual response, but they are accountable for risk. It’s also recommended to involve other business functions like communications for messaging and HR for potential insider threat. Clear assignment of roles and responsibilities ensures decisions can be made quickly under pressure.”


What’s a common misconception leaders have about CIRPs?

“Many organisations make assumptions that they’re protected, when actually, there are common pitfalls that could leave them vulnerable to threat:

  • “We have insurance, so we don’t need to worry”
  • “We’re only a small business; we’ll manage the incident when it happens”
  • “Everything is cloud-based, so we’re safe”
  • “We’ve contracted an IR provider, so we don’t need a plan”

These beliefs often mean that people get caught out when there is an incident because, ultimately, there is a lack of clarity and structure when it’s needed most.”


If a business is starting from nothing, what’s the first step they should take in writing their plans? What should a foundational plan cover?

“If your business is starting with no formal plan, the goal is to create a practical plan that covers the essentials, including immediate actions and responsibilities when a cyber incident occurs. Make sure you cover:

  • Who are our stakeholders in a cyber incident? When and how do they need to be notified?
  • Who does what in the first hour of an incident being detected?
  • Who is responsible and accountable for critical actions?
  • What are those actions and who is the decision maker?”


If a business has an outdated or informal CIRP, how can they update it effectively?

“For businesses that already have a CIRP but know it’s outdated, the focus should be on identifying gaps and alignment:

  • Run a workshop with key operational stakeholders who will be involved in an incident response to challenge assumptions about systems, external dependencies and decision-making authority.
  • Identify gaps in processes and outdated material.
  • Update the plan with new insights and test it again until it reflects accurate internal processes and escalation pathways.”


How much time and resource does it take to effectively write and implement a CIRP?

“A few days are usually enough to develop an initial plan, run the workshop and create the CIRP document. Securing stakeholder time is often the biggest challenge but this top-level support is critical. More mature businesses will need additional time for testing and developing specific playbooks and continuous improvement processes.”


What does a strong CIRP look like? What sets apart organisations who can recover well with minimal disruption?

“First, a plan that integrates well with other disciplines: Business Continuity, Disaster Recovery, Crisis Management, etc., as these plans are key to minimising long-term business disruption.

Second, a plan that is understood by operational stakeholders – i.e., they know in advance if they have designated roles and responsibilities. The response should be muscle memory.

And third, a plan that removes ambiguity and is understood by strategic stakeholders – i.e., operational teams are empowered by executives to act fast under delegated authority.”


What threats should a CIRP cover?

“A CIRP shouldn’t be written for specific incidents and should be suitably generic to cover a range of potential threats. Think of it as a high-level framework supported by a suite of playbooks sitting beneath the plan that outline specific responses. Specific scenarios like malware, data breaches and insider threat are common, but each should be risk-assessed and prioritised based on your unique environment.”


When does seeking external expertise add value to a CIRP?

“External support is most valuable when there are issues with alignment or communication across teams, like if your teams are siloed or there are gaps in knowledge or capability.

Every few years it can be beneficial to bring in an outside perspective to benchmark your plan against industry peers, to scrutinise processes with knowledge of evolving threats, and to ensure that your assumptions are regularly challenged and validated by an unbiased third party. I recommend that the first draft should always be developed internally to ensure it reflects your processes accurately.

Strategic guidance from experienced Incident Response and Business Continuity professionals can help to accelerate maturity and validate your approach.”


How should a business test their CIRP?

“Businesses should test their CIRP at least once annually via a tabletop exercise (TTX). This should either be an operational exercise by technical teams or as part of a wider business resilience exercise with senior leadership involvement. Testing should be conducted more frequently in high-risk or highly regulated sectors.

Mature businesses should also consider Live-Play exercises to test the hands-on skills of operational teams. The plan should be reviewed following any significant changes to organisational processes or technology to ensure the document is up to date. If any real-life cyber incidents occur, it’s important to note and incorporate lessons learned, including any gaps or opportunities for improvement.”


Ready to get started?

An effective CIRP starts simple and grows alongside your business. As your CIRP matures, it will naturally lead to broader incident response and business continuity planning.

If you’re looking for further support, get in touch with our friendly team to find out how we can help you with Incident Preparedness and Response.