Incident response plan for SMBs on 2 pages

An incident response plan doesn't have to be a 50-page document. Two pages covering who does what and when is enough — as long as everyone knows it.

When something goes wrong — ransomware, a data breach, a lost laptop with client data — you have 15 minutes to take the right steps. A plan helps.

Contents (2 pages)

• Contact details (page 1):
  • Incident response lead (name + phone number + backup).
  • Management / owner.
  • GDPR/DPO contact if applicable.
  • External parties: hosting provider, accountant, insurer, and any external security firm.
  • External communications lead (PR).
• Triage (page 2, top half):
  1. What happened? (1 sentence)
  2. Containment: can the damage be limited right now?
  3. Scope: which systems? which data?
  4. Severity: low / medium / high.
• Action list (page 2, bottom half):
  1. Assign a lead (or take ownership yourself).
  2. Relevant technical actions (revoke passwords, disconnect systems, isolate backups).
  3. Internal communications: who knows what.
  4. Keep a log (time, action, who).
  5. Notify external parties: clients, the DPA (in case of a data breach), insurer.
  6. Post-mortem within 2 weeks.

Practise

Run a tabletop exercise once a year. One hour. Read out a scenario, have everyone say what they would do. Find the gaps in your plan.

Documentation during an incident

On paper (not in the system that may be compromised). Chronological order. Makes the post-mortem and any insurance claim much easier.

Post-incident

• Lessons learned shared with the team.
• Preventive measures planned.
• Update the risk register.
• Incident added to the incident log.

See also: security pillar, reporting a data breach.