Incident Response Steps

A checklist for all stages of an incident

Incidents happen to all businesses. Because they’re unavoidable, we have to know how to handle them when they do happen. A good incident response program is paramount to the overall success of your security program.

This checklist will help you:

  • Decide what to do as you build an internal incident response program
  • Understand how to classify incidents
  • Work cohesively with an incident response provider to triage the incident
  • Execute a post-cleanup strategy


Incident Response Steps Checklist

Before the Incident

  •  Understand your insurance policy
    •  Someone has reviewed it
    •  We know what they cover and what they won’t
  •  Have a plan in place
    •  Define roles
      •  Public relations
        •  Our messaging is tight
      •  Legal
    •  Define communication channels
    •  Know what laws you’re bound to
      •  Know how to contact law enforcement
  •  Practice the plan
  •  Be proactive with your security measures
    •  We’ve completed an annual risk assessment
    •  We’ve at least had a vulnerability scan

Incident Classification

  •  We know what the incident is
  •  We know what assets or systems it affects
  •  We know what legal or compliance requirements we have

After Classification

  •  Decide if the internal team can handle it
    •  Know what your insurance policy requires
    •  Follow your plan
    •  Contain the incident/event
    •  Call your CSIRT to help when the incident is past your team’s expertise
      • Reminder: Good at IT ≠ good at security or incident response

During the CSIRT Engagement

  •  Work in tandem with the CSIRT to handle the incident when asked
    •  Follow the CSIRT plan & trust the CSIRT fully
    •  Don’t remove anything that the team has implemented
    •  Assist in containing the event when asked
    •  Preserve and isolate evidence so the CSIRT can analyze it
    •  Work with the CSIRT to eradicate when asked


  •  Get back to where you were before it happened
    •  Bring in aspects of your disaster recovery plan

Follow Up

  •  Reporting
  •  Regular updates with insurance
    •  Days and dollars to containment
  •  Lessons learned
    •  Decide what to change to prevent this from happening again
    •  Improve your plan
    •  Get an up-to-date risk assessment
