How to develop a cyber incident management and response plan

While cyber security can reduce the likelihood of an attack, it is impossible to protect against all cyber incidents and attacks.


It is important to have an incident management plan in place to mitigate the impact of a cyber incident or attack.

Important components of cyber incident planning

  • Basic guidance on legal and/or regulatory requirements can be useful in the moment so that those responding to the incident know when to engage legal support, HR, or follow careful evidence capture guidelines.
  • When listing contact numbers, consider the availability of staff and the cyber maturity of your council. In particular, consider and review out-of-hours support and contractual requirements with suppliers, along with your employment contracts.
  • Basic incident management processes can include alerting or notifying relevant authorities and key stakeholders, working with the supplier to contain and mitigate the incident, conducting a post-incident review to identify lessons learned, and implementing changes to improve cyber security and resilience in the supply chain.
  • The key contacts in your organisation and within your supplier organisations. Good practice is to have at least two points of contact and at least two contact methods.
  • Clear roles and responsibilities are central to ensuring that an incident is identified, managed, escalated and recovered successfully.
  • Escalation criteria and a common understanding of severity between you and your suppliers are important. This includes escalation conditions for when your suppliers escalate an incident to you as well as when you need to escalate an incident internally. Typically, a severity level will define when an incident is escalated.

When developing an incident management plan, you must consider your own organisation's capability and constraints alongside those of your suppliers. It is often better to have simple and clear incident management and response plans than overcomplicated plans that people might struggle to follow.