It’s probably best to start with what a Cyber Incident Response Plan isn’t. It’s not a Business Continuity Plan, a Disaster Recovery Plan, or a Breach Procedure. A Cyber Incident Response Plan is a structured response to a Cyber Security incident that includes participation from the whole business – by default a CIRP is a whole business response.
Why a CIRP?
The first question to ask is “do we need a CIRP?” The general answer is yes; however, it depends on the structure and type of business you run. For example, a small business on a single site that has all its applications (M365, CRM etc.) outsourced is not likely to benefit from having a CIRP in place, as the limited lines of communication and outsourced applications present a simple business model.
The requirement for a CIRP increases with the size and complexity of an organisation and the type of services it delivers. Medium to large enterprises with multiple sites, mixed applications and a customer service model will almost certainly benefit from a CIRP.
So, what’s driving organisations to create a CIRP beyond the obvious benefit of having a structured response to a cyber incident? Most Cyber Insurance Companies currently expect an organisation they are insuring to have a CIRP in place, and many third-party due diligence questionnaires are now also asking if an organisation has a CIRP in place. In summary, there are multiple drivers.
Building a CIRP is a fairly prescriptive process, but it should be remembered that a CIRP requires broad support from the functional management within an organisation. This typically includes IT, Data Protection, Human Resources, Finance, Operations, Board Representation and, possibly most importantly, Communications. The high-level build process is broadly as follows –
- Establish CIRP Team – the response team, including deputies, with suitable representation from the functional departments within the organisation.
- Establish Contact Details – the contact details for all stakeholders including staff, third parties and suppliers. This is normally a list of “links” to other applications.
- Incident Assessment Approach – this is how an organisation establishes its level of response to a cyber incident.
- Define Incident Examples – typically three “worked” examples that provide a benchmark to assist in assessment and response.
- Technical Response Plan – how the IT Department will respond to the cyber incident; this may include seeking support from third parties.
- Procedural Response Plan – how Data Protection will respond to the cyber incident; this may include seeking support from third parties.
- Chain of Custody – how we gather and store evidence of the cyber incident should this develop into a criminal act.
- Communications Plan – how we communicate with all stakeholders including media, clients, ICO and any other regulatory bodies.
- Training and Awareness – how we train the CIRP team and make stakeholders aware of the CIRP and what their responsibilities are (if any).
- Response Templates – a series of predefined templates with guidance to assist the CIRP team in structuring its response to the cyber incident.
- Post Incident Review – a review of the incident and the response and lessons learnt.
Check out our CIRP page or Contact Us for more information.