Cyber Horizon
Incident Response · Resilience · Planning

How to Build a Cyber Incident Response Plan

5 June 2026·8 min read·Cyber Horizon Team

During a real incident, nobody reads a 60-page policy. They reach for the one-page runbook that says who to call, what to do first, and who can authorise the hard decisions. A good incident response plan is built for that moment — clear, fast, and practised — not for the audit shelf.

The six phases

Most effective plans follow the six-phase incident-handling lifecycle popularised by SANS:

Preparation: Tooling, logging, training, contacts and runbooks in place before anything happens.
Identification: Detect and confirm an incident, classify its severity, and start the evidence trail (timestamps, who did what, what was observed).
Containment: Limit the damage: short-term isolation first (for example, disconnecting an affected host or disabling an account), then a longer-term hold that keeps the business running while eradication is planned.
Eradication: Remove the root cause: the malware, the attacker's access (including any credentials, accounts or persistence they planted), and the vulnerability that let them in.
Recovery: Restore systems from known-good sources, confirm they are clean before going live, and monitor them more closely than usual for a period afterwards.
Lessons learned: A blameless review that turns the event into concrete improvements to controls, detection and the plan itself.

Define roles before you need them

Name the people, not just the job titles. Who is the incident lead with authority to make calls? Who owns technical investigation, internal and external communications, legal and regulatory reporting, and the executive decisions like whether to take a system offline? Include out-of-hours contacts and at least one named deputy for every role — incidents do not respect annual leave.

Classify severity up front

Agree a simple severity scale (for example, low to critical) with clear criteria, because the severity drives everything else: who gets woken up, how fast you move, and when you escalate to executives or regulators. Tie regulatory reporting clocks to the relevant levels so nobody has to interpret obligations mid-crisis.
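The two rules above, a named deputy and out-of-hours contact for every role, and a severity level that drives who is paged and which reporting clock starts, are easy to make machine-checkable. The sketch below is an added example written for this post; it is not the post's own material or a Cyber Horizon feature. The severity criteria, role names, contacts and the 72-hour reporting clock are assumed placeholders to be replaced with your own scale and obligations.

```python
"""Severity matrix, escalation roster and roster-gap check for an IR plan.

Added illustration; thresholds, role names, contacts and the 72-hour clock
are assumed placeholders, not taken from the post or any regulation text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Incident:
    detected_at: datetime            # when the incident was confirmed (starts the clock)
    personal_data_exposed: bool = False
    production_down: bool = False
    attacker_active: bool = False    # e.g. ongoing lateral movement or encryption
    users_affected: int = 0


def classify(inc: Incident) -> Severity:
    """Apply the agreed criteria, worst outcome first (assumed thresholds)."""
    if inc.attacker_active or inc.personal_data_exposed:
        return Severity.CRITICAL
    if inc.production_down or inc.users_affected > 1000:
        return Severity.HIGH
    if inc.users_affected > 0:
        return Severity.MEDIUM
    return Severity.LOW


# Who gets woken up at each level. Role names are assumed.
ESCALATION: Dict[Severity, List[str]] = {
    Severity.LOW: ["technical_lead"],
    Severity.MEDIUM: ["technical_lead", "incident_lead"],
    Severity.HIGH: ["technical_lead", "incident_lead", "comms_lead"],
    Severity.CRITICAL: ["technical_lead", "incident_lead", "comms_lead", "legal", "executive"],
}

# Regulatory reporting clock tied to each level; None means no external deadline.
# The 72-hour figure is a placeholder: map this to your real obligations.
REPORTING_CLOCK: Dict[Severity, Optional[timedelta]] = {
    Severity.LOW: None,
    Severity.MEDIUM: None,
    Severity.HIGH: None,
    Severity.CRITICAL: timedelta(hours=72),
}


def escalation_plan(inc: Incident) -> dict:
    """Return the severity, the roles to page, and the reporting deadline if one applies."""
    sev = classify(inc)
    clock = REPORTING_CLOCK[sev]
    return {
        "severity": sev.name,
        "page": ESCALATION[sev],
        "report_by": inc.detected_at + clock if clock else None,
    }


@dataclass
class RoleEntry:
    primary: str
    deputy: Optional[str] = None
    out_of_hours: Optional[str] = None   # phone or pager, not just a work inbox


def roster_gaps(roster: Dict[str, RoleEntry], required: Set[str]) -> List[str]:
    """List roles that cannot be reliably reached: unassigned, no deputy, or no
    out-of-hours contact. Worth running as part of every tabletop exercise."""
    gaps: List[str] = []
    for role in sorted(required):
        entry = roster.get(role)
        if entry is None:
            gaps.append(f"{role}: no one assigned")
            continue
        if not entry.deputy:
            gaps.append(f"{role}: no named deputy")
        if not entry.out_of_hours:
            gaps.append(f"{role}: no out-of-hours contact")
    return gaps


# Constructed sample roster; names and numbers are made up.
SAMPLE_ROSTER: Dict[str, RoleEntry] = {
    "incident_lead": RoleEntry("A. Example", deputy="B. Example", out_of_hours="+44 7000 000000"),
    "technical_lead": RoleEntry("C. Example", deputy=None, out_of_hours="+44 7000 000001"),
    "comms_lead": RoleEntry("D. Example", deputy="E. Example", out_of_hours=None),
}

ALL_ROLES: Set[str] = {role for roles in ESCALATION.values() for role in roles}

if __name__ == "__main__":
    inc = Incident(detected_at=datetime(2026, 6, 5, 2, 10), personal_data_exposed=True)
    print(escalation_plan(inc))
    for gap in roster_gaps(SAMPLE_ROSTER, ALL_ROLES):
        print("gap:", gap)
```

Two design points carry over to a real plan: the criteria are evaluated worst-first so a single CRITICAL trigger cannot be argued down by the presence of milder ones, and the reporting deadline is computed from the detection timestamp the moment the incident is classified, so nobody has to do date arithmetic under pressure.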

Write runbooks for likely scenarios

A general plan plus specific runbooks beats one giant document. Build short, step-by-step runbooks for the incidents you are most likely to face — ransomware, account compromise, a compromised vendor, data exfiltration — each with the first three actions, the decision points, and the contacts. These are the pages people actually open at 2am.

Plan your communications

Internal: who is told, when, and through which channel (with an out-of-band option).
Customers: holding statements and criteria for when to notify.
Regulators: which obligations apply and their reporting deadlines.
Press and public: a single approved spokesperson and pre-drafted statements.

Test it — or it does not exist

An untested plan is a hypothesis. Run a tabletop exercise against it at least twice a year, using one of your own runbook scenarios, feed the findings back into the plan, and keep contacts and runbooks current (a real incident or a change in personnel should trigger the same review). Maturity shows up as a calmer, faster response when a real event arrives.

Run incident response in Cyber Horizon

Manage cases on a kanban board, automate playbooks, capture the evidence trail, and run the post-incident review — all linked to your risk and compliance programme.
