A cybersecurity incident is not a question of if — it is a question of when. Organisations that prepare for incidents recover faster, suffer less damage, and face lower regulatory penalties than those that improvise their response. India's CERT-In regulations and the DPDP Act both require organisations to have incident response capabilities — making an Incident Response Plan (IRP) both a best practice and a legal necessity.
This guide walks through the complete process of building an IRP that works in practice — not just on paper.
An Incident Response Plan is a documented, tested set of procedures that guide an organisation's response to cybersecurity incidents. A good IRP covers: who does what, in what order, with what tools, and how decisions are made under pressure. It reduces response time, limits damage, ensures regulatory compliance, and protects the organisation's reputation.
| Phase | Description | Key Activities |
|---|---|---|
| 1. Preparation | Build IR capability before incidents occur | IRP development, team training, tool deployment, tabletop exercises |
| 2. Detection & Analysis | Identify and confirm a security incident | Alert triage, log analysis, threat intelligence, incident classification |
| 3. Containment | Stop the incident from spreading | Short-term containment, evidence preservation, system isolation |
| 4. Eradication | Remove the threat from the environment | Malware removal, vulnerability patching, account remediation |
| 5. Recovery | Restore systems to normal operation | System restoration, monitoring, validation, return to production |
| 6. Post-Incident Activity | Learn and improve from the incident | Lessons learned, IRP update, control improvements, regulatory reporting |
Define roles and responsibilities for incident response. Your IR team typically includes:
Classify incidents by severity to determine the appropriate response level:
| Severity | Description | Response Time | Example |
|---|---|---|---|
| Critical (P1) | Active breach, data exfiltration, ransomware | Immediate — 24/7 response | Ransomware encryption in progress |
| High (P2) | Confirmed compromise, significant risk | Within 2 hours | Compromised admin account |
| Medium (P3) | Suspected incident, moderate impact | Within 8 hours | Unusual outbound traffic |
| Low (P4) | Minor security event, low impact | Next business day | Failed login attempts |
You cannot respond to incidents you do not detect. Core detection capabilities include:
Create specific playbooks for your most likely incident types. Each playbook should document the step-by-step response procedure for that incident type:
Under India's CERT-In regulations, organisations must report certain cybersecurity incidents to CERT-In within 6 hours of detection. The DPDP Act will also require breach notifications to the Data Protection Board and affected individuals. Your IRP must document:
Improper evidence handling can compromise legal proceedings and regulatory investigations. Document procedures for preserving digital forensic evidence — maintaining chain of custody, creating forensic images before remediation, and retaining logs in tamper-proof storage.
An untested IRP is not reliable in a real incident. Conduct:
India's Computer Emergency Response Team (CERT-In) issued directions in April 2022 requiring organisations to report certain cybersecurity incidents within 6 hours of detection. Reportable incidents include:
Failure to comply with CERT-In reporting requirements can result in regulatory action. Your IRP must include a dedicated CERT-In notification procedure with a pre-approved template.
Vedtam helps Indian enterprises build comprehensive Incident Response Plans, conduct tabletop exercises, and deploy the detection and response capabilities needed to respond effectively to real incidents. Our team also provides emergency incident response support when organisations need immediate expert assistance.
Explore Cybersecurity Services →Build your Incident Response Plan today. Free consultation: vedtam.com/contact-us | +91 70651 11015