Free Download

The Incident Response Plan your organization needs before the next incident

83% of SMBs have no documented IR plan. When an incident hits, you're starting from zero. This 12-page editable template walks your team through roles, severity classification, containment checklists, evidence preservation, communications templates, and regulator deadlines — before you need them.

12-page template — download instantly, fill in your team
3 tabletop exercise scenarios included
HIPAA, GDPR, SEC, NYDFS regulator deadline reference inside
IR Plan Template — 12 pages · 2026
What's inside the Incident Response Plan Template
Executive Overview — triggers, activation protocol, pre-incident prep checklist
Roles & Responsibilities Matrix — IR Lead, Comms, Legal, IT, HR, Executive Sponsor
Severity Classification Framework — SEV 1–4 definitions, response times, team activation
Containment, Eradication & Recovery Checklist — step-by-step for each phase
Evidence Preservation Protocol — chain of custody, volatile data capture, what NOT to touch
Communications Templates — internal, customer, HIPAA 60-day, GDPR 72-hour, SEC 8-K
3 Tabletop Exercise Scenarios — ransomware, BEC/wire fraud, insider data theft
Post-incident Review Template — response evaluation, action items, maintenance log
Vendor Contact Sheet — DFIR, breach counsel, cyber insurer, FBI IC3, CISA
Regulator Notification Deadline Reference — HIPAA, GDPR, SEC 8-K, NYDFS, DORA, state AGs, PCI DSS

What's inside

4 things your organization will use immediately

This IR Plan isn't theory — every section is built to be used under pressure, by your IR team, IT leadership, legal counsel, and executives. From the moment an incident is suspected to full post-incident review.

🚦

Severity classification framework β€” know instantly what you're dealing with

SEV 1–4 definitions with response times and team activation thresholds. Declared within 15 minutes of incident notification.

Containment, eradication & recovery checklists — step by step

Isolate without destroying forensic evidence. Preserve volatile memory before disconnecting. Sequence restoration by critical system priority.

Evidence preservation protocol — don't blow your insurance claim

Chain of custody, write blockers, hash verification, what to capture first (RAM, processes, network connections). Includes what NOT to touch.

Regulator notification timing — HIPAA, GDPR, SEC, NYDFS, DORA

Deadlines vary by industry and jurisdiction. The playbook gives you the exact clock for each regulatory framework so you don't miss a notification requirement.

83% of SMBs have no documented incident response plan
$2.7M average ransomware demand (IBM Cost of a Data Breach 2026)
21 days average ransomware-induced downtime — most organizations have no IR plan

The IR Plan Template covers the full incident lifecycle

From detection to post-incident review — every phase covered

Most organizations have no plan when an incident hits. They make costly decisions in real time — who do we call, do we isolate the network, when do we notify regulators? This template gives your team a documented process before you're in the fire.

1. Detection & Triage

First 15 minutes: IR Lead notification, severity assessment, evidence preservation, out-of-band channel activation. Includes initial containment checklist.

Timeframe: first 15 minutes

2. Containment

Network isolation, credential revocation, remote access tool disablement, firewall blocking, enhanced logging activation.

Timeframe: 15–60 minutes

3. Eradication

Malware and persistence removal, vulnerability patching, credential reset, firewall hardening, DFIR firm engagement.

Timeframe: hours to days

4. Recovery

Clean backup restoration, critical system sequencing, monitoring for re-infection, perimeter control updates based on lessons learned.

Timeframe: days to weeks

5. Regulator Notification

HIPAA 60-day, GDPR 72-hour, SEC 8-K 4 business days, NYDFS 72-hour, DORA 4h/24h. Template notifications included.

Timeframe: clock starts at discovery

6. Post-Incident Review

Response evaluation table, gap analysis, action items, IR plan maintenance log update. Complete within 2 weeks of closure.

Timeframe: within 14 days

Why IR plans matter

Organizations without a plan pay the highest price

Every one of these incidents involved organizations that didn't have a documented, practiced IR plan. The difference between a $4M recovery and an $18M recovery is often having the right plan and the right people — before the incident.

Change Healthcare — $22M ransom, 100M+ records exposed

February 2024. UnitedHealth subsidiary paid $22M in bitcoin within a week. The attack disrupted healthcare payments nationwide for months. The IR Plan Template includes the exact notification timelines and vendor contact protocols that Change Healthcare needed.

Healthcare, financial services, critical infrastructure

City of Baltimore — $18M in recovery costs

2019. Ransomware disabled 911 dispatch, email, and payment systems for weeks. The city refused to pay the $76,000 ransom — but spent $18M on recovery. The playbook covers the exact pay/don't pay decision tree and the regulatory notification timelines that applied.

Government, municipalities, public services

Target — $292M in breach-related costs, 70M records

2013. Point-of-sale malware exfiltrated 40M payment cards. The initial access vector was a third-party HVAC vendor. The IR Plan Template includes a vendor contact sheet and supplier risk playbook that could have changed this outcome.

Retail, hospitality, any company with third-party vendors

MGM Resorts — $100M+ in losses, 10 months to full recovery

September 2023. Social engineering attack on LinkedIn employee data led to a 10-month recovery. No ransomware detonation — pure operational disruption and data exposure. The IR Plan Template covers social engineering and insider threat response scenarios.

Hospitality, retail, any company with frontline staff

Free download

Get the Incident Response Plan Template

Enter your work email and we'll send the 12-page PDF instantly — roles matrix, severity classification, containment checklists, evidence preservation, communications templates, 3 tabletop scenarios, and regulator notification deadline reference.

No spam. Unsubscribe anytime.

Ready to practice your IR plan with your team?

Live tabletop exercises delivered over Zoom, Meet, or Teams. Walk through the IR Plan Template scenarios — ransomware, BEC/wire fraud, insider data theft — with your IR team, executives, and legal counsel.

Book a Session →