Incident Response Plan Template
An incident response plan is the governing document that defines how your organization detects, responds to, and recovers from cybersecurity incidents. A good IR plan is not an 80-page binder that collects dust -- it is a concise, actionable document with clear roles, pre-authorized decisions, escalation paths, and tested playbooks for your most likely threat scenarios. This guide walks through what an IR plan must contain, compares three proven template frameworks (Expert, NIST 800-61, and ISO 27035), and shows how to customize a template for your organization's size and regulatory environment.
Most organizations that have an incident response plan still fail their first real incident. The reason is almost always the same: the plan was written for compliance, not for execution. It was authored by a consultant, reviewed once by legal, filed in SharePoint, and never practiced. When the ransomware note appears, nobody opens it because nobody knows where it is, and even if they did, it does not answer the questions that actually matter in the first 60 minutes.
The templates described in this guide take a different approach. They are built from operational experience across 150+ real tabletop exercises and structured to answer the questions that arise under pressure, not the questions that look good in an audit.
What Should an Incident Response Plan Contain?
Every effective IR plan contains the same core sections, regardless of which framework it follows. The sections below represent the minimum viable structure. Organizations can add industry-specific sections (healthcare, financial services, critical infrastructure), but removing any of these creates dangerous gaps.
| Section | Purpose | Common Mistake |
|---|---|---|
| Purpose and Scope | Define what the plan covers and who it applies to | Scope too broad or too narrow; does not address cloud or third-party incidents |
| Roles and Responsibilities | Name individuals and backups for each IR role | Lists titles instead of names; no backups designated |
| Severity Classification | Define levels 1-4 with objective criteria | Subjective criteria that require debate during an active incident |
| Escalation Procedures | Define who gets notified at each severity level | Single escalation path with no after-hours coverage |
| Response Playbooks | Step-by-step procedures for each incident type | Generic procedures that do not map to actual infrastructure |
| Communication Templates | Pre-drafted messages for stakeholders, customers, regulators | No templates exist; messaging is improvised under pressure |
| Regulatory Requirements | Notification obligations with deadlines and responsible parties | Incomplete list; does not account for multi-jurisdiction requirements |
| External Contacts | DFIR firm, outside counsel, insurer, law enforcement, breach vendor | Contacts are outdated or retainers have lapsed |
| Evidence Preservation | Guidelines for forensic evidence handling and chain of custody | Evidence destroyed by well-intentioned remediation before forensics |
| Post-Incident Review | After-action review process with improvement tracking | Reviews are skipped or findings are never tracked to completion |
How Do the Three IR-OS Templates Compare?
IR-OS provides three distinct starting templates, each aligned with a different framework philosophy. All three produce a complete, operational IR plan -- they differ in structure, terminology, and emphasis.
Expert Template
The Expert template is built from practitioner experience across 150+ tabletop exercises. It prioritizes operational clarity over framework compliance. Sections are organized by the questions that arise during a live incident rather than by framework phase. This template is ideal for organizations that want an immediately executable plan and will map it to compliance frameworks afterward.
NIST 800-61 Template
The NIST SP 800-61 template follows the four-phase lifecycle: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. This is the most widely referenced framework in the United States and the default expectation for organizations subject to federal regulations or working with federal agencies. See our NIST Incident Response Framework deep dive for full phase-by-phase guidance.
ISO 27035 Template
The ISO 27035 template follows the international standard for information security incident management. It uses a five-phase structure: Plan and Prepare, Detection and Reporting, Assessment and Decision, Responses, and Lessons Learned. This template suits multinational organizations that need alignment with the ISO 27000 family of standards and is particularly relevant for organizations with European operations or ISO 27001 certification.
| Feature | Expert | NIST 800-61 | ISO 27035 |
|---|---|---|---|
| Framework alignment | Practitioner-driven | US federal standard | International standard |
| Number of phases | 6 operational stages | 4 phases | 5 phases |
| Best for | Operational readiness | US regulatory compliance | Global / ISO-certified orgs |
| Pre-built playbooks | 8 scenario types | 4 generic procedures | 5 incident categories |
| Regulatory mapping | SEC, GDPR, HIPAA, state laws | FISMA, FedRAMP, CMMC | GDPR, NIS2, ISO 27001 |
The best IR plan template is the one your team will actually use. Framework alignment matters for compliance, but operational clarity matters for survival. Choose the template that matches how your organization makes decisions under pressure.
How Do You Customize a Template for Your Organization?
A template provides structure. Customization makes it operational. The following steps transform any template from a generic document into a plan your team can execute at 3 AM on a Saturday.
- Name every role. Replace every title with a name and a phone number. Add a backup for each. A plan that says "the Incident Commander" without specifying who that is will produce a 30-minute argument when the incident starts.
- Map to your infrastructure. Generic containment steps are useless. Your plan must reference your actual network segments, cloud providers, identity platform, backup architecture, and critical applications by name.
- Define pre-authorized decisions. Document which actions can be taken without additional approval: isolating a production system, engaging outside counsel, contacting the cyber insurer, taking the website offline. These decisions consume the most time during live incidents.
- Write scenario-specific playbooks. At minimum, create playbooks for ransomware, data exfiltration, business email compromise, and insider threat. Each playbook should contain the first 10 actions in sequence, not a flowchart.
- Validate with a tabletop exercise. Run a 90-minute scenario against the plan with the actual named personnel. Every gap, ambiguity, and missing contact will surface. Fix them immediately. See our tabletop exercise guide for methodology.
The IR-OS AI Plan Coach guides this customization process interactively, asking targeted questions about your organization and generating plan sections tailored to your answers.
What Are the Most Common Mistakes in IR Plan Templates?
After reviewing hundreds of IR plans across organizations of all sizes, the same failure patterns appear repeatedly. Avoiding these mistakes is as important as including the right sections.
- Written for audit, not for use. Plans that are 60+ pages long with policy language and no operational detail. Nobody reads them during an incident.
- No named individuals. Roles are assigned to titles, not people. When the incident starts, nobody knows who the Incident Commander is today.
- No pre-authorized decisions. Every critical action requires approval from someone who is unreachable, traveling, or asleep.
- Outdated contact information. DFIR retainer lapsed six months ago. Outside counsel left the firm. The insurer changed their claims hotline number.
- No scenario-specific playbooks. A single generic procedure for all incident types. Ransomware and data exfiltration require fundamentally different first actions.
- Never tested. The plan was written, approved, and filed. It has never been exercised. The first time it is used in practice is during a real incident.
When Should You Replace a Template With a Custom Plan?
Templates are starting points, not destinations. The progression from template to mature IR plan follows a predictable path:
- Month 1: Select a template (Expert, NIST, or ISO) and complete the customization steps above. You now have a functional baseline plan.
- Month 2-3: Run your first tabletop exercise against the plan. Document every gap and update the plan immediately.
- Month 4-6: Add scenario-specific playbooks for your top three threat types. Validate external retainer agreements.
- Month 7-12: Run quarterly exercises, each targeting a different scenario. Incorporate lessons into the plan after each exercise.
- Year 2+: The plan is now a living document shaped by your organization's actual experience. The original template structure remains as scaffolding, but the content is entirely yours.
Organizations that skip the template phase and attempt to build from scratch typically take 6-12 months longer to achieve the same maturity level. The template provides the structure; your exercises and incidents provide the substance.
How Does an IR Plan Connect to Broader Security Governance?
An incident response plan does not exist in isolation. It connects to and depends on several other governance documents and capabilities:
- Business Continuity Plan (BCP) -- Defines recovery priorities and acceptable downtime. The IR plan's recovery phase must align with the BCP-defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
- Disaster Recovery Plan (DRP) -- Provides the technical recovery procedures that the IR plan's recovery phase depends on.
- Risk Register -- Identifies the threats and assets that the IR plan's playbooks should address. If ransomware is your top risk, the IR plan needs a detailed ransomware playbook.
- Vendor Management -- Third-party incidents require coordination with vendors. The IR plan should include procedures for third-party breach notification and response.
- Crisis Communications Plan -- Major incidents require stakeholder communication. The IR plan's communication templates should align with the broader crisis communications framework.
IR-OS maintains these connections within the platform, ensuring that updates to the IR plan automatically surface dependencies with related governance documents. The CIRM framework provides the overarching structure for how these documents work together during a cyber incident.