
The Key Phases Your Incident Response Plan Must Cover

Posted: Mar 2021

Experts predict that cybercrime will inflict $6 trillion in damage this year. While there is no way to completely prevent cybercrime from occurring, a good incident response plan can control and minimize the effects of cyberattacks on companies and their clients.

While every company needs a customized plan to achieve the best results, every major incident response plan needs to cover the same key phases. Keep reading now to learn what those phases are, what they need to address, and how you can construct or improve your plan for maximum effectiveness and protection against all cyber threats.


Essential Phases of an Incident Response Plan

Common incident response planning models range from four to seven steps. They all contain the same key phases, however. The only differences between them lie in how they group the phases in each step.

Regardless of how they group them, the essential phases of every effective cyber incident response plan are:

  • Preparation
  • Identification or Detection
  • Containment
  • Eradication
  • Recovery
  • Follow up

Skipping any of these steps leaves your organization open to threats, damages, liability, and loss.

Preparation

Globally, criminal actors can hack even the safest systems in less than five hours. Importantly, however, this timeframe represents only their initial breach of a system. Companies equipped to identify and respond to cyberattacks quickly can shut down infiltrations before any serious harm is done.

In order to respond with the necessary speed, companies need to:

  • Have a clear and documented plan of action
  • Determine specific thresholds for investigation and action
  • Communicate that plan to everyone involved
  • Provide training to involved parties as needed
  • Practice working the plan via drills or mock-ups until everyone involved consistently executes their role smoothly
  • Ensure that funding and support for all aspects of the plan are in place before breaches occur

This preparation lays the groundwork for all the other steps in the plan. Without a plan in place and trained, experienced staff, companies cannot act with the speed and efficiency they need to contain and control breaches to prevent a full-blown catastrophe.

Some companies are not equipped to handle this kind of IT security in-house. Others find that it isn’t cost-effective to do so. In either case, the best solution is to hire professionals to handle it for you.

Identification or Detection

Whether you prefer to call it “identification” or “detection,” this step involves:

  • Recognizing that an incident has occurred
  • Gathering critical data about the breach
  • Determining the extent and scope of the breach
  • Researching the entry point of the breach
  • Reporting the breach to the right parties in a timely manner

Collecting and documenting information on the incident is critical. Having accurate and complete breach information is key in later steps such as recovery and follow up, as it creates a foundation for future security improvements and the prevention of more incidents.

Without the right procedures in place, it is impossible to identify and take the correct steps to gather data, report the incident, and make the right choices about containment.

Both detection and information gathering can be automated to greater or lesser degrees. Microsoft Defender for Endpoint, for example, offers endpoint detection and response capabilities that provide advanced, near-real-time, actionable attack detections. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

Containment

The goal of the containment phase of a cyber incident response plan is to limit damage as much as possible when an incident occurs. This can potentially involve drastic action, such as taking portions of a system offline or even shutting an entire system down to prevent further access by infiltrating parties. Importantly, in many cases, some portions of a system may need to remain online to help track and control the breach.

In any case, it is important to:

  • Limit damage where possible
  • Protect records and traces of how the breach occurred
  • Minimize disruption to the company and its clients wherever possible

Companies may also include additional tasks at this step, such as:

  • Putting emergency patches in place
  • Temporarily upgrading remote access protocols
  • Changing user access credentials and passwords

Preparation plays a key role here, as the faster a company or its IT service can contain an incident the less damage they are likely to suffer overall. Even small gains in speed and effectiveness here can pay huge dividends.

Eradication

Eradication cannot happen until the containment phase is complete. If companies rush into eradication without finishing all aspects of containment, they can:

  • Lose information that is critical to preventing future breaches
  • Miss affected areas and fail to fully rectify the problem
  • Be liable for damages resulting from improperly or insufficiently resolved and protected areas of their system

When it is time for the eradication phase, companies will wipe their systems of any trace of the incident and the threat that caused it. This may involve:

  • Removing malware and other damage
  • Patching, hardening, and updating systems
  • Restoring systems to backup points
  • Rebuilding operating systems
  • Re-imaging workstations
  • Replacing hard drives
  • Running anti-virus software

Eradication also involves verifying that all relevant parties received notifications of the incident, its aftermath, and its resolution. This phase must be handled by qualified and experienced IT professionals.

Recovery

The recovery phase is where your operations return to normal. This can involve:

  • Restoring any access or services cut off during the containment phase
  • Testing the restored or redone system to verify that it is operating correctly and to relevant standards
  • Re-certifying any components compromised in the attack for functionality and network and cyber security

The more prepared a company is for an incident, the faster they can return to normal operations.

Follow up

The follow up phase can go by many names, including:

  • Review
  • Debrief
  • Hotwash

However you refer to it, this phase calls for the parties involved to do a thorough review of the incident from start to finish. Common questions that companies seek to answer are:

  • Were we prepared for this type of attack?
  • If not, why not?
  • Did we recognize and respond to the attack in a timely manner?
  • Did we work the plan the way we were supposed to?
  • Did communication happen the way it should?
  • How much damage did we incur?
  • What do we need to change to prevent future incidents like this one?

Answering these questions helps organizations increase their resistance to incursions and improve their responses. It can also play a key role in limiting liability for damages by demonstrating that the incident response plan in place, and the actions taken under it, were appropriate and effective.
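As an added illustration (not Bridgehead IT's tooling), the following tracker encodes two rules from the sections above: the phases run in order and eradication may not begin until the containment checklist is complete, and the time each phase was entered is kept so the follow-up review can answer "did we respond in a timely manner?". Phase names, the three containment task names, and the minute-based incident clock are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

PHASES = ["preparation", "detection", "containment",
          "eradication", "recovery", "follow_up"]
# Containment tasks the post lists; all must be done before eradication starts.
CONTAINMENT_CHECKLIST = {"limit_damage", "protect_evidence", "minimize_disruption"}


@dataclass
class IncidentRecord:
    """Tracks one incident; timestamps are minutes on a constructed incident clock."""
    name: str
    phase: str = "preparation"
    entered_at: dict = field(default_factory=dict)     # phase -> minute entered
    containment_done: set = field(default_factory=set)

    def complete_containment_task(self, task: str) -> None:
        if task not in CONTAINMENT_CHECKLIST:
            raise ValueError(f"unknown containment task: {task}")
        self.containment_done.add(task)

    def advance(self, to_phase: str, minute: int) -> str:
        """Enter the next phase; refuse to skip phases or to eradicate early."""
        if PHASES.index(to_phase) != PHASES.index(self.phase) + 1:
            raise ValueError(f"{self.phase} -> {to_phase}: phases run in order")
        if to_phase == "eradication":
            missing = CONTAINMENT_CHECKLIST - self.containment_done
            if missing:
                raise ValueError(f"containment still open: {sorted(missing)}")
        self.phase = to_phase
        self.entered_at[to_phase] = minute
        return self.phase

    def response_times(self) -> dict:
        """Minutes from detection to containment and to recovery, for the review."""
        detected = self.entered_at.get("detection")
        if detected is None:
            return {}
        return {f"minutes_to_{p}": self.entered_at[p] - detected
                for p in ("containment", "recovery") if p in self.entered_at}
```

A rushed call to advance("eradication", ...) with open checklist items raises, which is the point at which a real runbook would send the responder back to containment.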

Making a Plan

The first step in creating an incident response plan is to conduct an assessment. Risk assessments based on the NIST 800-30 framework are particularly powerful. Your assessment should help you identify:

  • What assets you have that need protecting
  • What kinds of threats you are vulnerable to
  • What documents and plans you already have in place
  • Where you need additional plans or documents
  • How much training your staff has or needs
  • Who the key stakeholders and responsible parties are
  • What resources are available with which to construct a plan
  • Regulatory requirements relevant to your business
  • Any concerns unique to your company that need accounting for

This information will provide you with the groundwork you need to begin constructing a plan. The next steps are to:

  • Use that information to set standards your system and processes should meet
  • Decide how to get from your current situation to that ideal
  • Determine a timeline and budget
  • Work the plan until it is complete
  • Reassess to make sure that you have achieved your goals
  • Periodically review your status for changes and address them as needed


For many companies, the process of creating and implementing an incident response plan is simply not feasible. Often, companies do not have the expertise or staff available in-house to set up, manage, and monitor their IT systems to the extent necessary to protect against cyberattacks.

When that happens, outsourcing IT services can be the best option. Outsourcing enables companies to:

  • Access the expertise and resources they need
  • Keep their operations running smoothly with minimal disruptions
  • Protect themselves from costly legal liability
  • Scale their operations securely and cost-effectively
  • Focus on their core competencies

Managed IT services are appropriate for companies of all sizes and offer much more than just incident response planning. They also provide:

  • Customized and simplified solutions
  • Increased profitability
  • Regulatory compliance support

Learn More

Learn more about how managed IT services can build a powerful incident response plan for you and give your company the protection and competitive edge it needs. Browse our blog or contact us today and let our experts help you source the solutions you need. 