Why it matters
When an incident hits, improvisation costs money and trust. An incident response policy defines roles, decisions and timelines in advance, so your team acts instead of panicking — and so you can prove to auditors and regulators that you were prepared.
What to include
- Definitions and severity — what counts as an incident, and a severity scale that drives the response.
- Roles — who leads, who communicates, who decides on containment; an on-call path.
- Lifecycle — detection, triage, containment, eradication, recovery, and post-incident review.
- Communication — internal escalation and external notification, including the breach-notification clock.
- Regulatory timelines — GDPR's 72-hour notification to the supervisory authority; NIS2 and DORA reporting where applicable.
- Evidence and forensics — preserve logs and chain of custody.
- Lessons learned — a blameless review that feeds back into controls.
Common mistakes
- A plan no one has rehearsed; run at least one tabletop exercise a year.
- Ignoring notification deadlines — under GDPR the clock starts when you become aware, not when you finish investigating.
- No defined severity scale, so every alert becomes a fire drill.
Framework alignment
Maps to ISO 27001:2022 Annex A 5.24–5.28 (incident management), the SOC 2 incident criteria, and NIST CSF Respond and Recover.
Generate it in minutes
See a sample incident response policy or generate yours free.