Incident Response Plan

5 Steps to building an Incident Response Plan for a Large Organization


Large organizations continually face questions like, “Will the data we collect be safe?”, “What happens if a breach occurs?”, “What information did the attackers gain access to?”, “Do we have the right skills and plan to protect the organization from being infiltrated?” It is because of these questions that large organizations must have an incident response plan.

What is Incident Response Life Cycle?

The NIST incident response life cycle divides the entire incident response process into five high-level functions – Identify, Protect, Detect, Respond, and Recover – which are further divided into 23 categories.

  • Identify – Understand the systems, information assets, data, and operations that must be protected so that security risks can be managed effectively
  • Protect – Develop and implement the safeguards needed to protect critical infrastructure
  • Detect – Define and implement processes that identify potential cyberattacks
  • Respond – Define the procedure for responding to an incident
  • Recover – Restore affected systems and operations in the least time possible

The NIST incident response life cycle, along with the OODA Loop (Observe, Orient, Decide, Act), is covered in more detail in a separate article.

Creating an Incident Response Plan for Large Organizations

A strong incident response plan ensures that the organization can handle an attack efficiently and with minimal damage. However, building the plan is not as easy as it seems. Not to worry, we’ve broken it down into five steps that you can follow to draft an incident response plan for a large organization:

Step 1: Prepare

When working with a large organization, start by analyzing the organization’s environment and determining the essential services, components, and applications that are critical to maintaining operations in the event of a breach. Identify what data must be protected, understand where and how it is stored, and decide whether any changes must be made.

Step 2: Build an incident response team

Have a group of skilled professionals on board who are trained and certified to deal with an incident should one arise. The incident response manager is in charge of ensuring coordination and communication among all the members of the team.

Note: The incident response manager will also have to coordinate with teams outside their own, such as the PR team.

Step 3: Establish a disaster recovery strategy

To ensure business continuity, it is essential that disaster recovery is part of the incident response plan. This reduces dwell time, the period during which an attacker remains active in the environment, and thereby reduces the potential financial and reputational damage.

Step 4: Test the plan

Much like a fire drill, the plan must be tested to ensure that all areas are covered. It is also essential that the cyber forensics team is included in the exercise to help the incident response team identify the areas that need more focus.

Step 5: Plan for debriefing

For the last step, review all the areas that must be improved. Create a report that covers everything that was done, including recommendations. Conducting a gap analysis will help you uncover which areas need more attention.

Become an incident handler and help reduce dwell time

EC-Council’s Certified Incident Handler (ECIH) program is designed in collaboration with cybersecurity and incident handling and response practitioners across the globe. ECIH is a comprehensive specialist-level incident response program that imparts the skills and knowledge organizations need to handle an incident and reduce its impact from both a financial and a reputational perspective.


What is incident handling?
Incident handling is the process of identifying, investigating, analyzing, and managing security incidents in real time. It mitigates ongoing security incidents and also helps prevent potential cyber threats.


What does an incident handling team do?
To minimize the effects of security incidents, an incident handler should be able to:

  1. Fortify your cloud-based business
  2. Save your organization from sophisticated phishing attacks
  3. Fight against anti-forensic techniques
  4. Comply with different regulations


What are the steps to handle a cyber incident?

A documented incident handling process is critical to a well-rounded incident handling and response plan. Here is the five-step process as laid out by the ISO/IEC 27035 standard:

  1. Prepare
  2. Identify
  3. Assess
  4. Respond
  5. Learn
