Incident Response Plan

5 Steps to building an Incident Response Plan for a Large Organization


Large organizations continually face questions like, “Will the data collected be safe?”, “What happens if a breach occurs?”, “What information did they gain access to?”, “Do we have the right skills and plan to protect the organization from being infiltrated?” It is because of these questions that large organizations must have an incident response plan.

Creating an Incident Response Plan for Large Organizations

A strong incident response plan ensures that the organization can handle an attack efficiently and with minimal damage. However, building the plan is not as easy as it seems. Not to worry, we’ve broken it down into five steps that you can follow to draft an incident response plan for a large organization:

Step 1: Prepare

When working with large organizations, start by analyzing the organization’s environment and determining the essential services, components, and applications that are critical to maintaining operations in the event of a breach. Identify what data must be protected, understand where and how it is stored, and decide whether any changes must be made.

Step 2: Build an incident response team

Have a group of skilled professionals on board who are trained and certified to deal with an incident should it arise. The incident response manager is in charge of ensuring coordination and communication among all members of the team.

Note: The incident response manager will also have to coordinate with teams outside their own, such as the PR team.

Step 3: Establish a disaster recovery strategy

To ensure business continuity, it is essential that disaster recovery is part of the incident response plan. This reduces dwell time, and thereby the potential damage – financial and reputational.

Step 4: Test the plan

Much like a fire drill, testing the plan is important to ensure that you have covered all areas. It is also essential that the cyber forensics team is included in the process to help the incident response team identify areas that need focus.

Step 5: Plan for debriefing

For the last step, consider all the areas that must be improved. Create a report that covers all that was done, including recommendations. Conducting a gap analysis will help you uncover which areas need more focus.

Become an incident handler and help reduce dwell time

EC-Council’s Certified Incident Handler (ECIH) program is designed in collaboration with cybersecurity and incident handling and response practitioners across the globe. ECIH is a comprehensive specialist-level incident response program that imparts the skills and knowledge organizations need when handling an incident, reducing its impact from both a financial and a reputational perspective.

What is incident handling?
Incident handling is the process of identifying, investigating, analyzing, and managing security incidents in real time. The process both mitigates ongoing security incidents and helps prevent potential cyber threats.


What does an incident handling team do?
Here’s what to look for in an incident handler to minimize the drastic effects of security incidents:

  1. Fortify your cloud-based business
  2. Save your organization from sophisticated phishing attacks
  3. Fight against anti-forensic techniques
  4. Comply with different regulations


What are the steps to handle a cyber incident?

Maintaining a documented incident handling plan is critical to a well-rounded incident handling and response capability. Here is the five-step process laid out by ISO/IEC 27035:

  1. Prepare
  2. Identify
  3. Assess
  4. Respond
  5. Learn
