Introduction
A cybersecurity incident is not a question of if but of when. Organisations that prepare for incidents recover faster, suffer less damage, and face lower regulatory exposure than those that improvise their response. In India, the CERT-In directions of April 2022 and the Digital Personal Data Protection (DPDP) Act, 2023 both impose incident and breach reporting obligations with fixed deadlines, and those obligations cannot be met without a working incident response capability. An Incident Response Plan (IRP) is therefore both a best practice and a legal necessity.
This guide walks through the complete process of building an IRP that works in practice — not just on paper.
What is an Incident Response Plan?
An Incident Response Plan is a documented, tested set of procedures that guides an organisation's response to cybersecurity incidents. A good IRP covers who does what, in what order, with what tools, and how decisions are made under pressure. It reduces response time, limits damage, supports regulatory compliance, and protects the organisation's reputation.
The Six Phases of Incident Response
The phases below follow the widely used six-phase model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). NIST SP 800-61 describes the same lifecycle in four phases, grouping containment, eradication and recovery into a single phase; the split form used here is more convenient for assigning owners and checklists to each step.
| Phase | Description | Key Activities |
|---|---|---|
| 1. Preparation | Build IR capability before incidents occur | IRP development, team training, tool deployment, tabletop exercises |
| 2. Detection & Analysis | Identify and confirm a security incident | Alert triage, log analysis, threat intelligence, incident classification |
| 3. Containment | Stop the incident from spreading | Short-term containment, evidence preservation, system isolation |
| 4. Eradication | Remove the threat from the environment | Malware removal, vulnerability patching, account remediation |
| 5. Recovery | Restore systems to normal operation | System restoration, monitoring, validation, return to production |
| 6. Post-Incident Activity | Learn and improve from the incident | Lessons learned, IRP update, control improvements, regulatory reporting |
Building Your Incident Response Plan — Step by Step
Step 1: Establish Your Incident Response Team
Define roles and responsibilities for incident response. Your IR team typically includes:
- Incident Commander — Overall decision-maker during an incident, usually CISO or senior IT leader
- Technical Lead — Coordinates technical investigation and remediation activities
- Communications Lead — Manages internal and external communications including media, clients, and regulators
- Legal/Compliance Lead — Advises on regulatory notification obligations and legal implications
- External Forensics Retainer — Pre-engaged forensics firm for major incidents
Step 2: Define Incident Classification
Classify incidents by severity to determine the appropriate response level:
| Severity | Description | Response Time | Example |
|---|---|---|---|
| Critical (P1) | Active breach, data exfiltration, ransomware | Immediate — 24/7 response | Ransomware encryption in progress |
| High (P2) | Confirmed compromise, significant risk | Within 2 hours | Compromised admin account |
| Medium (P3) | Suspected incident, moderate impact | Within 8 hours | Unusual outbound traffic |
| Low (P4) | Minor security event, low impact | Next business day | Failed login attempts |
Step 3: Build Your Detection Capabilities
You cannot respond to incidents you do not detect. Core detection capabilities include:
- SIEM (Security Information and Event Management) — Aggregates and correlates logs from across the environment
- EDR (Endpoint Detection and Response) — Detects and alerts on endpoint-level threats
- Network monitoring — Detects anomalous network traffic and connections
- Threat intelligence feeds — Provides context on known threat actors, indicators of compromise
- User behaviour analytics — Detects insider threats and compromised accounts
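The following is an added example, not code from the original page or from Vedtam: a toy SIEM-style detection pass over a handful of constructed log lines, showing how the alert triage described in Step 3 feeds the P1-P4 classification from Step 2 and produces the response deadline and the 6-hour CERT-In reporting clock that Step 5 relies on. The log format, the thresholds, the business-day rule and all host, user and IP names are assumptions made for illustration.

```python
"""Added example (not from the original page): a toy SIEM-style detection pass
over constructed log lines. It shows how alert triage (Step 3) feeds the P1-P4
classification (Step 2) and the response and CERT-In reporting clocks (Step 5).
Log format, thresholds, host and user names are assumptions for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample events (not real data). Assumed line format:
# <ISO-8601 UTC timestamp> <source> <event> key=value ...
SAMPLE_LOGS = """\
2024-03-04T22:01:03Z auth login_failed user=admin src=203.0.113.7
2024-03-04T22:01:09Z auth login_failed user=admin src=203.0.113.7
2024-03-04T22:01:15Z auth login_failed user=admin src=203.0.113.7
2024-03-04T22:01:21Z auth login_failed user=admin src=203.0.113.7
2024-03-04T22:01:27Z auth login_failed user=admin src=203.0.113.7
2024-03-04T22:02:02Z auth login_success user=admin src=203.0.113.7
2024-03-04T22:10:44Z auth login_failed user=priya src=198.51.100.9
2024-03-04T22:11:01Z auth login_failed user=priya src=198.51.100.9
2024-03-04T22:30:00Z netflow flow host=fileserver01 dst=198.51.100.200 bytes_out=734003200
2024-03-04T22:31:10Z edr mass_file_encryption host=ws-042 process=locker.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
BRUTE_FORCE_FAILURES = 5                  # assumed: failures before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 500 * 1024 * 1024           # assumed: outbound volume to one external host
PRIVILEGED_USERS = {"admin", "root"}
# Time to begin response per the severity table above; None means next business day
RESPONSE_SLA = {"P1": timedelta(0), "P2": timedelta(hours=2),
                "P3": timedelta(hours=8), "P4": None}
CERT_IN_WINDOW = timedelta(hours=6)       # reporting window for reportable incidents

@dataclass
class Finding:
    severity: str
    title: str
    detected_at: datetime
    respond_by: datetime
    cert_in_report_by: Optional[datetime]  # None when the finding is not reportable

def parse_logs(text):
    """Turn raw lines into (timestamp, source, event, fields) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
        events.append((ts, m.group(2), m.group(3), fields))
    return events

def next_business_day(ts):
    """Assumed business-day rule: 09:00 UTC on the next Monday-to-Friday date."""
    d = ts + timedelta(days=1)
    while d.weekday() >= 5:                # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d.replace(hour=9, minute=0, second=0, microsecond=0)

def make_finding(severity, title, detected_at, reportable):
    sla = RESPONSE_SLA[severity]
    respond_by = next_business_day(detected_at) if sla is None else detected_at + sla
    report_by = detected_at + CERT_IN_WINDOW if reportable else None
    return Finding(severity, title, detected_at, respond_by, report_by)

def detect(events):
    """Apply three simple rules and return findings sorted by severity."""
    findings = []
    failures = defaultdict(list)           # (user, src) -> failure timestamps
    compromised = {}                       # (user, src) -> time of success after brute force
    for ts, source, event, f in events:
        if source == "auth" and event == "login_failed":
            failures[(f["user"], f["src"])].append(ts)
        elif source == "auth" and event == "login_success":
            key = (f["user"], f["src"])
            recent = [t for t in failures.get(key, []) if ts - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_FAILURES:
                compromised[key] = ts
        elif source == "netflow" and int(f.get("bytes_out", 0)) > EXFIL_BYTES:
            # Suspected exfiltration stays P3 until confirmed, then is re-graded to P1 and reported
            findings.append(make_finding("P3", f"Unusual outbound traffic from {f['host']}", ts, False))
        elif source == "edr" and event == "mass_file_encryption":
            findings.append(make_finding("P1", f"Ransomware encryption in progress on {f['host']}", ts, True))
    for (user, src), ts in compromised.items():
        sev = "P2" if user in PRIVILEGED_USERS else "P3"
        findings.append(make_finding(sev, f"Compromised account {user} (brute force then success from {src})", ts, True))
    for (user, src), stamps in failures.items():
        if (user, src) not in compromised:
            findings.append(make_finding("P4", f"Failed login attempts for {user} from {src}", stamps[-1], False))
    findings.sort(key=lambda x: x.severity)  # "P1" < "P2" < "P3" < "P4"
    return findings
```

Calling `detect(parse_logs(SAMPLE_LOGS))` yields one finding per severity: the EDR encryption event becomes a P1 with an immediate response time and a CERT-In deadline six hours after detection; five failed admin logins followed by a success from the same address becomes a P2; the large outbound flow is a P3 that is not yet reportable; and the two stray failures for an ordinary user are a P4 due the next business day. The brute-force rule only correlates failures and successes from the same source address, so a success from a different address after the failures would be missed; a production SIEM rule would correlate on the user alone and treat the source change as a further indicator.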
Step 4: Document Response Playbooks
Create specific playbooks for your most likely incident types. Each playbook should document the step-by-step response procedure for that incident type, including the detection triggers that invoke it, the containment actions the on-call team is pre-authorised to take, the evidence that must be captured before any remediation, and the point at which the incident must be escalated for CERT-In reporting:
- Ransomware response playbook
- Data breach response playbook
- BEC (Business Email Compromise) response playbook
- DDoS attack response playbook
- Insider threat response playbook
- Cloud security incident playbook
Step 5: Define Notification and Communication Procedures
Under the CERT-In directions, organisations must report the listed categories of cybersecurity incident to CERT-In within 6 hours of noticing them or being notified of them. The DPDP Act, 2023 will also require a Data Fiduciary to intimate a personal data breach to the Data Protection Board of India and to each affected Data Principal, in the form and within the timelines set by the rules under the Act. Your IRP must document:
- Who is authorised to declare a reportable incident
- The 6-hour CERT-In notification procedure and template
- DPDP Act breach notification procedure
- Client and partner notification procedures
- Internal executive and Board communication procedures
- Media and public relations procedures for significant incidents
Step 6: Establish Evidence Preservation Procedures
Improper evidence handling can compromise legal proceedings and regulatory investigations. Document procedures for preserving digital forensic evidence: maintain a chain of custody that records every handover of an artefact, create forensic images (through a write blocker where possible) and record their cryptographic hashes before any remediation touches the system, and retain logs in tamper-evident storage that the incident team itself cannot alter. The April 2022 CERT-In directions also require ICT system logs to be kept for a rolling period of 180 days within Indian jurisdiction, so log retention settings are a compliance item as well as a forensic one.
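As an added example, not code from the original page or from Vedtam, here is a minimal tamper-evident chain-of-custody ledger of the kind Step 6 calls for. Each entry records who did what with which artefact, carries the artefact's SHA-256, and is linked to the previous entry by hash, so a later edit to an entry, a rewritten entry, or a changed evidence file all fail verification. The evidence identifier, handler names, timestamps and the stand-in disk image bytes are constructed for illustration.

```python
"""Added example (not from the original page): a minimal tamper-evident
chain-of-custody ledger. Every entry records who did what with which artefact,
carries the artefact's SHA-256, and is linked to the previous entry by hash,
so a later edit to an entry or to the evidence itself fails verification.
Names, times and the stand-in disk image are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                        # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    """Hash the canonical JSON form (sorted keys, no whitespace) of an entry minus its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

class CustodyLedger:
    def __init__(self):
        self.entries = []

    def record(self, evidence_id, artefact_sha256, action, handler, at):
        """Append a custody event chained to the previous one; returns the entry hash."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": evidence_id,
            "artefact_sha256": artefact_sha256,
            "action": action,
            "handler": handler,
            "timestamp": at.isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence):
        """Check chain links, entry integrity and that each artefact still matches its recorded hash.
        evidence maps evidence_id -> bytes (in practice you would stream the image file).
        Returns (ok, list_of_problems)."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link")
            if entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i}: modified")
            data = evidence.get(e["evidence_id"])
            if data is not None and sha256_hex(data) != e["artefact_sha256"]:
                problems.append(f"entry {i}: {e['evidence_id']} no longer matches recorded hash")
            prev = e["entry_hash"]
        return (not problems, problems)

def rewrite_entry(ledger, seq, **changes):
    """Simulate an insider editing an entry and recomputing its hash to hide the change."""
    ledger.entries[seq].update(changes)
    ledger.entries[seq]["entry_hash"] = entry_hash(ledger.entries[seq])

def build_demo():
    """Constructed scenario: image a workstation, seal it, hand it to the forensics retainer."""
    image = b"\x00" * 4096 + b"NTFS    " + b"\x90" * 4096    # stand-in for a disk image
    digest = sha256_hex(image)
    t0 = datetime(2024, 3, 4, 23, 5, tzinfo=timezone.utc)
    ledger = CustodyLedger()
    ledger.record("IMG-001", digest, "acquired write-blocked image of ws-042", "A. Rao (IR analyst)", t0)
    ledger.record("IMG-001", digest, "sealed and placed in evidence locker", "A. Rao (IR analyst)", t0 + timedelta(minutes=40))
    ledger.record("IMG-001", digest, "checked out for analysis", "external forensics examiner", t0 + timedelta(days=1))
    return ledger, image
```

`build_demo()` followed by `ledger.verify({"IMG-001": image})` returns `(True, [])`. Appending a single byte to the image makes every entry that references it fail; editing an entry without recomputing its hash is reported as modified; and editing an entry and recomputing its hash (the `rewrite_entry` case) is caught because the next entry's `prev_hash` no longer matches. The hash chain only proves that entries were not rewritten after the fact if the latest entry hash is anchored somewhere the handlers cannot change, for example by signing it or writing it to WORM storage at each handover, which is the same property the tamper-evident log store in the paragraph above needs.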
Step 7: Test Your Plan
An untested IRP is not reliable in a real incident. Conduct:
- Tabletop exercises — Scenario-based discussions (quarterly recommended)
- Functional exercises — Testing specific IR procedures with relevant teams
- Full simulation exercises — End-to-end incident simulation (annually recommended)
CERT-In Reporting Requirements
India's Computer Emergency Response Team (CERT-In) issued directions on 28 April 2022 under section 70B(6) of the Information Technology Act, 2000 (in force from 27 June 2022) requiring service providers, intermediaries, data centres, body corporates and government organisations to report listed categories of cybersecurity incident within 6 hours of noticing them or being notified of them. Reportable categories include:
- Data breaches, data leaks, and unauthorised access to IT systems or data
- Ransomware and other malicious code attacks (viruses, worms, trojans, bots, spyware, cryptominers)
- Identity theft, spoofing and phishing attacks
- Compromise of critical systems and information, including attacks on critical infrastructure, SCADA and operational technology
- Denial of service and distributed denial of service attacks
- Attacks on cloud computing systems and on applications such as e-governance and e-commerce
Failure to comply is punishable under section 70B(7) of the IT Act with imprisonment of up to one year, a fine of up to one lakh rupees, or both, in addition to any action by sectoral regulators. Your IRP must include a dedicated CERT-In notification procedure with a pre-approved template. The directions also require each organisation to designate a Point of Contact whose details are shared with CERT-In, so name that person, and a deputy, in the plan.
How Vedtam Can Help
Vedtam helps Indian enterprises build comprehensive Incident Response Plans, conduct tabletop exercises, and deploy the detection and response capabilities needed to respond effectively to real incidents. Our team also provides emergency incident response support when organisations need immediate expert assistance.
Visit vedtam.com/solutions/cyber-security/ for more information.
Build your Incident Response Plan today. Free consultation: vedtam.com/contact/ | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India