Introduction
A cybersecurity incident is a question of when, not if. Organisations that prepare for incidents recover faster, suffer less damage and face lower regulatory exposure than those that improvise their response. In India, the CERT-In directions of 28 April 2022 require covered entities to report specified incidents within six hours of noticing them, and the Digital Personal Data Protection Act, 2023 requires data fiduciaries to maintain reasonable security safeguards and to notify the Data Protection Board and affected data principals of personal data breaches. Neither obligation can be met by an organisation that has to work out its response on the day, which makes an Incident Response Plan (IRP) a legal necessity as well as a best practice.
This guide walks through the complete process of building an IRP that works in practice — not just on paper.
What is an Incident Response Plan?
An Incident Response Plan is a documented, tested set of procedures that guide an organisation's response to cybersecurity incidents. A good IRP covers: who does what, in what order, with what tools, and how decisions are made under pressure. It reduces response time, limits damage, ensures regulatory compliance, and protects the organisation's reputation.
The Six Phases of Incident Response (SANS model, expanding NIST SP 800-61)
NIST SP 800-61 describes four phases, grouping containment, eradication and recovery into one. The six-phase breakdown below follows the SANS incident handler's model, which splits those three out because they are usually owned by different people and run on different clocks.
| Phase | Description | Key Activities |
|---|---|---|
| 1. Preparation | Build IR capability before incidents occur | IRP development, team training, tool deployment, tabletop exercises |
| 2. Detection & Analysis | Identify and confirm a security incident | Alert triage, log analysis, threat intelligence, incident classification, initial CERT-In notification (the 6-hour clock starts here) |
| 3. Containment | Stop the incident from spreading | Short-term containment, evidence preservation, system isolation |
| 4. Eradication | Remove the threat from the environment | Malware removal, vulnerability patching, account remediation |
| 5. Recovery | Restore systems to normal operation | System restoration, monitoring, validation, return to production |
| 6. Post-Incident Activity | Learn and improve from the incident | Lessons learned, IRP update, control improvements, final regulatory and customer reporting |
Building Your Incident Response Plan — Step by Step
Step 1: Establish Your Incident Response Team
Define roles and responsibilities for incident response, naming a primary and an alternate for each role and recording out-of-band contact details (personal phone numbers, a messaging channel outside the corporate tenant) in case e-mail or identity systems are part of the incident. Your IR team typically includes:
- Incident Commander — Overall decision-maker during an incident
- Technical Lead — Coordinates technical investigation and remediation
- Communications Lead — Manages internal and external communications
- Legal/Compliance Lead — Advises on regulatory obligations
- External Forensics Retainer — Pre-engaged forensics firm
Step 2: Define Incident Classification
| Severity | Description | Time to begin response | Example |
|---|---|---|---|
| Critical (P1) | Active breach, data exfiltration, ransomware | Immediate — 24/7 response | Ransomware encryption in progress |
| High (P2) | Confirmed compromise, significant risk | Within 2 hours | Compromised admin account |
| Medium (P3) | Suspected incident, moderate impact | Within 8 hours | Unusual outbound traffic |
| Low (P4) | Minor security event, low impact | Next business day | Failed login attempts |
Step 3: Build Your Detection Capabilities
- SIEM — Aggregates and correlates logs
- EDR — Detects endpoint threats
- Network monitoring — Detects anomalies
- Threat intelligence feeds — Enrich alerts with known-bad indicators and attacker tradecraft
- User behaviour analytics — Flags account activity that departs from a user's normal pattern
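Steps 2 and 3 meet in the SIEM: a correlation rule turns raw log lines into a classified incident with a response deadline. The following Python is an added example written for this guide, not code from the original page or from Vedtam. It parses constructed sshd-style log lines (sample data, not real logs), applies one rule from the classification table (isolated failed logins are P4; a burst of failures followed by a successful login for the same user from the same source is treated as a compromised account, P2) and stamps each incident with the "time to begin response" from that table. The log format, the five-failure threshold and the ten-minute window are assumptions chosen for illustration.

```python
"""Correlate sshd auth-log lines into severity-classified incidents (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration; not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 srv1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05 srv1 sshd[1203]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 srv1 sshd[1204]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:08 srv1 sshd[1205]: Failed password for admin from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:11 srv1 sshd[1206]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
2024-03-01T10:05:00 srv1 sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:02 srv1 sshd[1301]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2024-03-01T10:30:00 srv1 sshd[1400]: Accepted publickey for bob from 192.0.2.20 port 33001 ssh2
"""

# Severity -> hours allowed before response must begin, from the classification
# table above (P1 "immediate" is modelled as 0 hours, P4 "next business day" as 24).
SLA_HOURS = {"P1": 0, "P2": 2, "P3": 8, "P4": 24}

# Assumed sshd message shape; adjust the pattern for other log sources.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw lines into event dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["outcome"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return sorted(events, key=lambda e: e["ts"])


def make_incident(severity, summary, detected_at, src, user):
    """Attach the response deadline implied by the severity table."""
    return {
        "severity": severity, "summary": summary, "detected_at": detected_at,
        "src": src, "user": user,
        "respond_by": detected_at + timedelta(hours=SLA_HOURS[severity]),
    }


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Rules (assumed thresholds):
    - >= `threshold` failures from one source followed within `window` by a
      successful login for the same user  -> P2 (compromised account)
    - failures from a source with no such success -> P4 (failed login attempts)
    - successes with no preceding failures raise nothing."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        escalated = False
        for s in (e for e in evs if e["ok"]):
            prior = [f for f in failures
                     if f["user"] == s["user"] and timedelta(0) <= s["ts"] - f["ts"] <= window]
            if len(prior) >= threshold:
                incidents.append(make_incident(
                    "P2", f"{len(prior)} failed logins then success for {s['user']} from {src}",
                    s["ts"], src, s["user"]))
                escalated = True
        if failures and not escalated:
            first = failures[0]
            incidents.append(make_incident(
                "P4", f"{len(failures)} failed logins from {src}", first["ts"], src, first["user"]))
    return incidents


def triage(text):
    """Parse and correlate in one call; returns the list of incidents."""
    return correlate(parse_auth_log(text))


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(inc["severity"], inc["summary"], "| respond by", inc["respond_by"].isoformat())
```

On the sample data the admin burst from 203.0.113.7 becomes a single P2 with a two-hour deadline, alice's two failures become a P4, and bob's key-based login raises nothing. The point to carry into the playbooks is that the same raw events land in different severity rows depending on what follows them, so the rule, not the analyst, should do the escalation.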
Step 4: Document Response Playbooks
- Ransomware response playbook
- Data breach response playbook
- BEC response playbook
- DDoS response playbook
- Insider threat response playbook
- Cloud security incident playbook
Step 5: Define Notification and Communication Procedures
- CERT-In notification within 6 hours of noticing the incident or being brought to notice of it (CERT-In directions of 28 April 2022)
- DPDP Act breach notification to the Data Protection Board of India and to each affected data principal
- Client and partner communication
- Internal executive communication
- Media and PR procedures
Step 6: Establish Evidence Preservation Procedures
Document procedures for preserving digital forensic evidence: hash every artefact (disk and memory images, exported logs) at the moment of collection, record who collected it, when and from which system, log every hand-over so the chain of custody is unbroken, and keep the copies on write-once or access-controlled storage separate from the systems under investigation. Retain logs for at least the period CERT-In requires (180 days under the 2022 directions) and make sure clocks on log sources are synchronised, or timelines built from them will not hold up.
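A chain-of-custody record is only useful if it can later prove that the evidence is unchanged. The following Python is an added example written for this guide, not code from the original page or from Vedtam. It hashes every file in an evidence directory with SHA-256, writes a manifest naming the custodian and each hand-over, computes a digest of the manifest itself (to be recorded out-of-band, for example in the incident ticket, so the manifest cannot be silently rewritten), and verifies the files against the manifest. The demo builds its own constructed evidence files in a temporary directory; the case ID and custodian names are placeholders.

```python
"""Evidence manifest with SHA-256 hashes and a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large disk or memory images do not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, custodian, case_id):
    """Hash every file under evidence_dir and record who collected it and when."""
    items = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            items.append({
                "file": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    now = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "collected_by": custodian,
        "collected_at": now,
        "custody": [{"holder": custodian, "action": "collected", "at": now}],
        "items": items,
    }


def transfer_custody(manifest, from_holder, to_holder):
    """Append a hand-over entry; the previous holder is recorded for accountability."""
    manifest["custody"].append({
        "holder": to_holder, "action": f"received from {from_holder}",
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return manifest


def manifest_digest(manifest):
    """Digest of the canonical JSON form; store this value outside the evidence store."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(evidence_dir, manifest):
    """Return (file, problem) pairs; an empty list means every item is intact."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, *item["file"].split("/"))
        if not os.path.exists(path):
            problems.append((item["file"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["file"], "hash mismatch"))
    return problems


def demo():
    """Constructed walkthrough: collect, verify, hand over, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "host01"))
        with open(os.path.join(d, "host01", "auth.log"), "w") as f:
            f.write("2024-03-01T10:00:11 srv1 sshd[1206]: Accepted password for admin\n")
        with open(os.path.join(d, "host01", "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)  # stand-in for a memory image
        m = build_manifest(d, "A. Analyst", "IR-2024-0001")  # placeholder names
        intact = verify(d, m)
        digest_at_collection = manifest_digest(m)
        transfer_custody(m, "A. Analyst", "B. Examiner")
        digest_after_transfer = manifest_digest(m)
        with open(os.path.join(d, "host01", "auth.log"), "a") as f:
            f.write("edited after collection\n")  # simulate tampering
        tampered = verify(d, m)
        return {
            "intact": intact,
            "tampered": tampered,
            "manifest_changed_on_transfer": digest_at_collection != digest_after_transfer,
            "custody_entries": len(m["custody"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification step is what a regulator, court or insurer will ask for: the hashes show the artefacts are what was collected, and the custody entries show who had them in between. Keeping the manifest digest somewhere the evidence custodian cannot edit (ticketing system, signed e-mail to legal) closes the gap where the manifest itself could be rewritten.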
Step 7: Test Your Plan
- Tabletop exercises
- Functional exercises
- Full simulation exercises
CERT-In Reporting Requirements
India's Computer Emergency Response Team (CERT-In), under its directions of 28 April 2022, requires service providers, intermediaries, data centres, body corporates and government organisations to report listed categories of cybersecurity incident within 6 hours of noticing them or being brought to notice of them. The categories include:
- Data breaches and leaks
- Ransomware attacks
- Identity theft and phishing
- Critical system compromise
- Malware deployment
Failure to comply can result in regulatory action. Your IRP must include a CERT-In notification procedure.
How Vedtam Can Help
Vedtam helps Indian enterprises build Incident Response Plans, conduct exercises, and deploy detection and response capabilities.
Visit vedtam.com/solutions/cyber-security/ for more information.
Build your Incident Response Plan today.
Free consultation: vedtam.com/contact/ | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India