Cyber incidents are events in which computer systems or networks experience a breach leading to an adverse effect or a loss, as observed by Bahaa Al Zubaidi. Even as technology tries to make systems safer, cyber criminals are using the same technology to their advantage. Because the risk of a cyber incident is always present, it is essential that businesses have a cyber incident response plan. We explain more in this guide.

Cyber incident response plan

A cyber incident response plan is a document that sets out everything a business will do in response to a cyber incident. With a plan in place, a business can react quickly to a cyber incident and minimize its impact.

The cyber incident response plan should cover the following:

  • The importance of incident response and the need to respond fast.
  • The framework for incident response, which includes:
      • Preparation
      • Prevention
      • Detection
      • Action
      • Post-incident activity
  • Details of each phase, with its activities and responsibilities
  • A plan for communication
  • Performance metrics to measure the effectiveness of incident response

Creating a cyber incident response plan

The following explains in detail how a business can create its response plan.

  1. Preparation

The plan must include a policy that explains how to prepare for a cyber incident. It should identify the incident response team that will be responsible for taking action, and roles and responsibilities should be clearly defined.

  2. Prevention

Measures to prevent a cyber incident from occurring should be outlined in the plan. Security safeguards help prevent a cyber incident. Existing vulnerabilities and threats must be identified so that prevention measures can be taken against them.

  3. Detection

In spite of the best prevention mechanisms, cyber incidents can still occur. The plan must explain how an incident would be detected; continuous monitoring using incident event management tools can help. Once an incident is detected, it must be analysed to understand what happened, why it happened, and what its fallout is.

  4. Action

Once an incident has occurred, appropriate action has to be taken, and the plan must outline that action in detail. The action includes:

  • Containment, to prevent the problem from spreading.
  • Eradication, to remove the cause of the problem. The tools or measures needed for this must be explained.
  • Recovery, to bring things back to normal. Some systems may be shut down because of an incident, and the measures to bring those systems back must be detailed.

  5. Post-incident activity

All activities after the incident, including the measurement of metrics to determine the effectiveness of the plan, must be explained.
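As an added illustration of the performance metrics the plan calls for (this is example code written for this guide, not part of the original post), the following turns a recorded incident timeline into the intervals a business would typically measure: time to detect, then time spent in each of the containment, eradication and recovery steps. The phase names, the one-line-per-phase log format and the sample timeline are assumptions made for the example.

```python
from datetime import datetime

# Phases of the framework described above, in the order an incident is
# expected to pass through them: detection, then the three action steps.
# The phase names and the log format are assumptions made for this example.
PHASES = ["detected", "contained", "eradicated", "recovered"]

def parse_timeline(lines):
    """Parse 'YYYY-MM-DDTHH:MM:SS <phase>' records into {phase: datetime}.
    Unknown or duplicated phases are rejected rather than guessed at."""
    timeline = {}
    for line in lines:
        stamp, phase = line.strip().split(" ", 1)
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        if phase in timeline:
            raise ValueError(f"duplicate phase: {phase}")
        timeline[phase] = datetime.fromisoformat(stamp)
    return timeline

def response_metrics(occurred, timeline):
    """Minutes spent in each interval the plan should measure: occurrence to
    detection, detection to containment, containment to eradication,
    eradication to recovery, plus total time to recovery. An interval whose
    end phase is missing, or is stamped before its start, reports None so a
    gap in the record is visible instead of producing a misleading number."""
    metrics = {}
    start = occurred
    for phase in PHASES:
        end = timeline.get(phase)
        if start is None or end is None or end < start:
            metrics[f"time_to_{phase}"] = None
            start = None  # downstream intervals have no trustworthy start
        else:
            metrics[f"time_to_{phase}"] = (end - start).total_seconds() / 60
            start = end
    final = timeline.get("recovered")
    metrics["total_minutes"] = (
        (final - occurred).total_seconds() / 60
        if final is not None and final >= occurred else None)
    return metrics

# Constructed incident record: the incident is judged to have begun at 09:00.
SAMPLE_OCCURRED = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_LOG = [
    "2024-03-01T09:45:00 detected",
    "2024-03-01T10:15:00 contained",
    "2024-03-01T14:15:00 eradicated",
    "2024-03-02T09:00:00 recovered",
]

if __name__ == "__main__":
    for name, value in response_metrics(SAMPLE_OCCURRED, parse_timeline(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

Running the same function over a timeline with a phase missing shows the intervals that can no longer be trusted as None, which is exactly the kind of gap a post-incident review should surface.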
