ClearLaunch

Incident response plan

Control ID: incident-response-plan · Domain: cybersecurity · Type: process

Description

An incident-response plan is the document and the practiced workflow that runs when a cybersecurity incident is detected. It exists to compress the time between detection and containment and to produce the record a regulator or insurer asks for after the fact. NIST SP 800-61 Rev. 2 organizes the work into four phases (preparation; detection and analysis; containment, eradication and recovery; post-incident activity); the six-step SANS model (preparation, identification, containment, eradication, recovery, lessons learned) covers the same ground with finer divisions, and most modern regulations either reference NIST directly or carry a similar structural skeleton. The plan itself is necessary but not sufficient: the regulatory and contractual question that follows almost every incident is whether the plan was tested, whether the testing exercised the parts that mattered, and whether the people on the response team had run the playbook before they had to run it for real.

CIRCIA (the US Cyber Incident Reporting for Critical Infrastructure Act; CISA published its proposed implementing rule in 2024, with reporting deadlines of 72 hours for covered cyber incidents and 24 hours for ransom payments) and the EU's NIS2 directive both raise the bar on plan-and-exercise expectations for in-scope entities. Tabletop exercises (executives and responders walking through a scripted incident, decision points and all) are the cheap pre-incident investment that most consistently produces a faster real-world response, and the absence of recent tabletop documentation is one of the things that tends to surface in post-incident regulator conversations.
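Once several reporting regimes apply at once, the part of the playbook that most often goes wrong under pressure is the clock: which deadline started when, and which one is due next. The tracker below is an added example written for this page, not ClearLaunch's or any vendor's code. It takes the CIRCIA deadlines stated above (72 hours per covered incident, 24 hours per ransom payment) and adds the GDPR Article 33 (72 hours) and NIS2 Article 23 (24-hour early warning, 72-hour notification) clocks as I understand them; the page cites those regulations but does not list those specific deadlines, so treat those two entries as assumptions to confirm against the current text. The trigger names, the `Deadline` type and the sample timeline are all constructed for the example.

```python
"""Reporting-clock tracker for an incident-response playbook (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clocks keyed by the playbook event that starts them. CIRCIA hours come from the
# page; GDPR Art. 33 and NIS2 Art. 23 hours are assumptions to verify, not from the page.
CLOCKS = {
    "covered_incident_determined": [("CIRCIA covered cyber incident report", 72)],
    "ransom_payment_made": [("CIRCIA ransom payment report", 24)],
    "personal_data_breach_aware": [("GDPR Art. 33 supervisory authority notification", 72)],
    "significant_incident_aware": [
        ("NIS2 Art. 23 early warning", 24),
        ("NIS2 Art. 23 incident notification", 72),
    ],
}


@dataclass(frozen=True)
class Deadline:
    name: str
    trigger: str
    started: datetime
    due: datetime

    def remaining(self, now: datetime) -> timedelta:
        """Time left (negative once overdue)."""
        return self.due - now


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_aware(ts: datetime, label: str) -> datetime:
    # Naive timestamps silently shift deadlines by the local offset; refuse them.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label}: timestamp must be timezone-aware")
    return ts


def deadlines_for(events):
    """Expand (trigger, timestamp) events into Deadline records sorted by due time.

    One event can start several clocks (NIS2 starts two), and an unknown trigger is
    an error rather than a silently ignored event.
    """
    out = []
    for trigger, ts in events:
        if trigger not in CLOCKS:
            raise ValueError(f"unknown trigger {trigger!r}")
        ts = _require_aware(ts, trigger)
        for name, hours in CLOCKS[trigger]:
            out.append(Deadline(name, trigger, ts, ts + timedelta(hours=hours)))
    return sorted(out, key=lambda d: d.due)


def status(deadlines, now: datetime):
    """Split deadlines into (overdue, open) lists, each still sorted by due time."""
    now = _require_aware(now, "now")
    overdue = [d for d in deadlines if d.due <= now]
    still_open = [d for d in deadlines if d.due > now]
    return overdue, still_open


def next_due(deadlines, now: datetime):
    """The soonest deadline that has not yet passed, or None if all have."""
    _, still_open = status(deadlines, now)
    return still_open[0] if still_open else None


# Constructed sample timeline: the ransom payment happens 14 hours after the incident
# was confirmed, so its 24-hour clock expires before the incident's 72-hour clock.
SAMPLE_EVENTS = [
    ("covered_incident_determined", utc(2026, 3, 1, 10)),
    ("ransom_payment_made", utc(2026, 3, 2, 0)),
]

if __name__ == "__main__":
    now = utc(2026, 3, 2, 12)
    for d in deadlines_for(SAMPLE_EVENTS):
        print(f"{d.name}: due {d.due.isoformat()} ({d.remaining(now)} left)")
```

The point of keeping the clocks as data rather than prose is that the tabletop exercise can feed the script the scripted timeline and the team sees, in order, which report is due next; a ransom payment made late in an incident routinely produces a deadline earlier than the one the team was already tracking.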

Required by (10 regulations)

  • APPI

    Act on the Protection of Personal Information (Act No. 57 of 2003, as amended by Act No. 44 of 2020, effective April 1, 2022)

  • CIRCIA
  • CSL

    Cybersecurity Law of the People's Republic of China (adopted November 7, 2016, effective June 1, 2017)

  • GDPR

    Article 32 — security of processing.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • NIS2

    Article 21 — incident-handling cybersecurity risk management measures.

  • Privacy Act

    Privacy Act 1988 (Cth), No. 119 of 1988

  • Anti-Cyber Crime Law

    Royal Decree M/17, Anti-Cyber Crime Law, issued 8/3/1428 AH (March 26, 2007)

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • KVKK

Fulfilled by (4)

  • sentry · partial · low effort · $
    Detection layer only.
  • datadog · partial · medium effort · $$
  • In-house build · medium effort
  • crowdstrike · partial · medium effort · $$$
    Falcon endpoint detection + IR services as part of an incident playbook.

ClearLaunch does not accept payment from vendors.

Evidence formats

  • incident response playbook
  • tabletop-exercise records
  • incident retrospective archive

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch · Terms · Privacy