Skip to main content
New: free AI Readiness Assessment, see where your business stands
bdManagedIT
All articles

Cybersecurity

How to build a cyber incident response plan

A cyber incident response plan defines exactly what your business does when a security incident hits: who to call, how to contain it, and how to recover. Here are the phases and what to include.

By Wil Gibson June 16, 2026
How to build a cyber incident response plan

A cyber incident response plan is a written, step-by-step guide for what your business does the moment a security incident hits, who to call, how to contain it, and how to recover, so a breach becomes a managed event instead of chaos. Every business that holds sensitive data should have one in place before it is needed.

Why your business needs an incident response plan

When ransomware or a breach hits, the first hour decides how bad it gets. Without a plan, people freeze, evidence is lost, and the damage spreads while everyone argues about who should do what. A plan turns that panic into a checklist your team can actually follow under pressure.

The phases of incident response

Most plans follow the phases NIST lays out: preparation, detection and analysis, containment, eradication and recovery, and a post-incident review. Preparation is the work you do now; the rest is the playbook for during and after. Knowing the sequence keeps a response orderly instead of reactive.

What to include in the plan

A usable plan names roles and contacts, including who has the authority to take systems offline, and spells out how incidents are detected and reported, the containment and recovery steps for the most likely scenarios, who you notify (staff, customers, regulators, and your cyber insurer), and a review step to learn from each event. Keep it short enough that people will actually use it.

Test the plan before you need it

A plan in a drawer is not a plan. Run a tabletop exercise once a year, walking the team through a realistic scenario to find the gaps while the stakes are low. A managed SOC shortens detection and response dramatically, and a quick security self-assessment will show where your current readiness stands.

Frequently asked questions

What is a cyber incident response plan?
It is a written, step-by-step plan for how your business detects, contains, and recovers from a security incident such as ransomware or a breach. It assigns roles and contacts and lays out the actions to take, so the response is fast and orderly instead of chaotic.
What are the phases of incident response?
NIST describes five: preparation, detection and analysis, containment, eradication and recovery, and post-incident review. Preparation is done in advance; the remaining phases are the playbook for handling and learning from an active incident.
Who should be on the incident response team?
At minimum, someone with authority to make decisions and take systems offline, your IT or security provider, and a point of contact for communications. Larger plans add legal, leadership, and an outside incident response partner. Every role needs a named person and a backup.
How often should we test our incident response plan?
At least once a year, plus after any major change to your systems or team. A tabletop exercise, walking through a realistic scenario as a group, is a low-cost way to find gaps before a real incident does.
How does bdManagedIT help with incident response?
We help you build and test the plan, and our managed SOC and detection-and-response tooling shorten the time to spot and contain an incident. When something does happen, you have a documented playbook and a team that already knows your environment.

Want a straight answer for your business?

Book a first appointment with a bdManagedIT strategist. No sales script, no obligation.

Book your first appointment