IT incident response and recovery

Incident response is how you manage the aftermath of an IT security breach or failure. It is vital to have a response plan in place before an incident occurs so that you can limit the damage caused by the event and reduce recovery time and costs for your business.

What is an IT incident response plan?

An IT incident response plan is a set of written instructions that can help you respond to a number of potential scenarios, such as:

  • information data breaches
  • denial of service attacks
  • firewall intrusion
  • virus or malware infection
  • insider threats
  • damage to equipment or premises
  • loss of power or other technology failures

Your incident response plan should identify key people who will act in case of an incident and describe their roles and responsibilities. It should also say who is responsible for testing the plan and putting it into action. Your business' incident response plans should be based on thorough and comprehensive IT risk assessments.

See an example of a minimal Denial of Service attack response plan from the National Cyber Security Centre (NCSC).

IT incident management process

The process of managing an IT incident typically consists of six steps:

  • prepare staff and managers to handle potential incidents should they arise
  • determine if an event is an IT failure or a security incident
  • contain the incident and prevent further damage to systems and equipment
  • find the cause of the incident and remove the affected systems
  • recover those systems after removing the threats
  • document and analyse the situation to update, change or improve procedures

An IT incident can be isolated to one or more IT components of your business, or it can be part of a wider crisis (eg fire, flood or natural disaster). If a wider emergency such as a fire occurs, the safety of staff and the public is your first priority. You should include emergency response plans in your incident response strategy.

Read more about business continuity and crisis management.

IT incident recovery planning

How you respond to IT incidents will determine how well your business recovers from them. Planning can help you shorten recovery times and minimise losses. A recovery plan could include your recovery time goals, as well as:

  • strategies to recover your business activities in the quickest possible time
  • a description of key resources, equipment and staff needed to recover your operations

It's essential to plan thoroughly to protect yourself from the impact of potential business crises brought on by IT failure or security breaches.

To help you prepare for and plan your response to a cyber incident, the NCSC has produced small business guidance on response and recovery. You can also test and practise your response to a cyber attack with the help of their 'Exercise in a Box' online training tool.