IT PRO ~90 min

IT Security Incident Response

Structured response procedure for detecting, containing, investigating, and recovering from IT security incidents.

Purpose

Provide a clear, repeatable incident response process so the team can act quickly during a security incident, minimizing damage and downtime.

This is a PRO template — included with the Individual Pro plan.

Steps (7)

1

Incident Detection & Initial Assessment

Assess severity when a potential incident is detected. Determine affected systems, incident type, timeline, and whether it is still active. Classify severity: Critical, High, Medium, or Low.

Checklist

  • Incident source identified
  • Affected systems identified
  • Incident type classified
  • Timeline established
  • Severity level assigned
  • Incident ticket created
  • IR team notified per escalation matrix

Expected Output

Incident classified and severity assigned. IR team notified. Incident ticket created.

2

Assemble Response Team & Assign Roles

Activate the appropriate response team based on severity. Assign Incident Commander, Technical Lead, Communications Lead, and Legal/Compliance roles. Brief the team.

Checklist

  • Incident Commander assigned
  • Technical Lead assigned
  • Communications Lead assigned (Critical/High)
  • Legal/Compliance contacted (if data breach suspected)
  • Response team briefed
  • Communication channel established
  • Status update cadence set

Expected Output

Response team assembled and briefed. Roles assigned. Communication channel established.

3

Containment

Isolate affected systems from the network. Do NOT power off — preserve forensic evidence. Disable compromised accounts. Block malicious IPs/domains at firewall and DNS level.

Checklist

  • Affected systems isolated from network (do NOT power off)
  • Compromised accounts disabled
  • Malicious IPs/domains blocked at firewall and DNS
  • Lateral movement paths blocked
  • Backup systems verified unaffected
  • Containment actions logged with timestamps

Expected Output

Incident contained. Affected systems isolated. No further spread observed.

4

Evidence Collection & Preservation

Collect system logs, memory dumps, disk images, and network traffic captures. Maintain chain of custody documentation. Store evidence on a secure, isolated drive.

Checklist

  • System logs collected (auth, network, application)
  • Memory dump captured from affected systems
  • IOCs documented (file hashes, IPs, domains)
  • Timeline of events reconstructed
  • Chain of custody documented
  • Evidence stored on isolated, encrypted drive

Expected Output

Evidence collected and preserved with chain of custody. Timeline established.
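The checklist above asks for IOCs (file hashes), a reconstructed timeline and documented chain of custody. The following script is an added example, not part of this template: it builds a small evidence manifest that hashes each artifact at collection time, appends a custody entry for every hand-off, and re-hashes later to prove nothing was altered. The incident id, analyst names, file names and the single log line are constructed sample values.

```python
# Added example (not part of the template): a minimal evidence manifest that
# records SHA-256 hashes and a chain-of-custody trail for each artifact, then
# verifies integrity. Incident id, analysts, paths and log content are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images or memory dumps never load fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(incident_id: str) -> dict:
    return {"incident_id": incident_id, "created": utc_now(), "evidence": []}


def add_evidence(manifest: dict, path: str, collected_by: str, description: str) -> dict:
    """Record an artifact: hash at collection time plus the first custody entry."""
    entry = {
        "path": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "description": description,
        "custody": [{"action": "collected", "by": collected_by, "at": utc_now()}],
    }
    manifest["evidence"].append(entry)
    return entry


def transfer_custody(entry: dict, from_person: str, to_person: str, reason: str) -> None:
    """Append a hand-off so every holder of the artifact is on record."""
    entry["custody"].append({
        "action": "transferred", "from": from_person, "to": to_person,
        "reason": reason, "at": utc_now(),
    })


def verify_manifest(manifest: dict) -> list:
    """Re-hash every artifact; returns [(path, 'ok' | 'modified' | 'missing'), ...]."""
    results = []
    for entry in manifest["evidence"]:
        path = entry["path"]
        if not os.path.exists(path):
            results.append((path, "missing"))
        elif sha256_file(path) != entry["sha256"]:
            results.append((path, "modified"))
        else:
            results.append((path, "ok"))
    return results


def save_manifest(manifest: dict, path: str) -> str:
    """Write the manifest as JSON and return the manifest file's own hash,
    which should be recorded somewhere separate (e.g. the incident ticket)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def demo() -> dict:
    """Run the workflow on constructed sample artifacts in a temp directory."""
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = os.path.join(workdir, "auth.log")
        mem_dump = os.path.join(workdir, "srv01.mem")
        with open(auth_log, "w") as f:  # constructed sample log line
            f.write("Jan 01 10:00:00 srv01 sshd[123]: Failed password for root from 203.0.113.7\n")
        with open(mem_dump, "wb") as f:  # stand-in for a memory capture
            f.write(b"\x00" * 4096)

        manifest = new_manifest("INC-EXAMPLE-001")
        log_entry = add_evidence(manifest, auth_log, "analyst A", "SSH auth log from srv01")
        add_evidence(manifest, mem_dump, "analyst A", "Memory capture from srv01")
        transfer_custody(log_entry, "analyst A", "analyst B", "handover for log review")
        before = [status for _, status in verify_manifest(manifest)]

        with open(auth_log, "a") as f:  # simulate a change after collection
            f.write("extra line\n")
        after = [status for _, status in verify_manifest(manifest)]
        manifest_hash = save_manifest(manifest, os.path.join(workdir, "manifest.json"))

    return {
        "before": before,
        "after": after,
        "custody_len": len(log_entry["custody"]),
        "manifest_hash_len": len(manifest_hash),
        "distinct_hashes": manifest["evidence"][0]["sha256"] != manifest["evidence"][1]["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing at collection time and again before analysis is what makes the "evidence preserved" claim checkable later; the manifest's own hash should live outside the evidence drive (for example in the incident ticket) so that the manifest cannot be silently rewritten together with the artifacts it describes.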

5

Investigation & Root Cause Analysis

Analyze evidence to determine the attack vector, what was accessed or exfiltrated, dwell time, and whether other systems are compromised. Build the complete attack narrative.

Checklist

  • Attack vector identified
  • Entry point identified
  • Lateral movement traced
  • Data access/exfiltration determined
  • Dwell time calculated
  • Root cause determined
  • Attack narrative documented

Expected Output

Root cause identified. Full attack narrative documented. Scope of compromise determined.

6

Eradication & Recovery

Remove the threat from all affected systems. Reimage machines, patch vulnerabilities, rotate credentials. Restore from clean backups and monitor for re-infection.

Checklist

  • Malware removed or systems reimaged
  • Exploited vulnerability patched
  • All compromised passwords and API keys rotated
  • Systems restored from verified clean backups
  • Enhanced monitoring enabled
  • Systems brought online incrementally
  • 24-48 hour monitoring window with no re-infection

Expected Output

Threat eradicated. Systems restored and operational. Enhanced monitoring confirmed active.

7

Post-Incident Review & Reporting

Within 72 hours, conduct a blameless postmortem. Document timeline, root cause, impact, and lessons learned. Assess regulatory notification requirements.

Checklist

  • Post-incident review meeting held (within 72 hours)
  • Incident report written
  • Lessons learned documented
  • Detection and prevention gaps identified
  • Action items created with owners and deadlines
  • Regulatory notification requirements assessed
  • IR playbook updated based on lessons learned

Expected Output

Post-incident report completed. Action items assigned. Incident response process improved.

Tags

IT security incident-response cybersecurity compliance disaster-recovery
