The simplest definition of an incident response plan is "the steps you take from when you become aware of an incident to when you decide how to deal with it and act accordingly."
Incident response plans help you assess the nature of the event, identify its potential implications if it increases (or decreases) in severity, and establish lines of communication about the event. They also help you assemble and launch trained response team(s) to handle the event, and they serve as the decision point for launching disaster recovery plans, business continuity plans, evacuation plans, fire emergency plans and other emergency response activities.
Incident response activities are described in Section 8.4.2 of the global standard for business continuity management systems, ISO 22031:2012.
When an unplanned event occurs, especially one that threatens your organization, you must respond quickly and in an organized fashion. An incident response plan helps you do just that. It minimizes chaos through an organized structure and sequence of activities that achieve the goals stated above.
The following graphic depicts how an incident response plan fits into the overall process of business continuity. It provides a starting point for responding to a situation and then deciding how to proceed.
Once the event occurs and its presence is detected, three things need to happen quickly:
- People should be safe
- The situation needs to be assessed
- Next steps need to be identified and launched
The incident response plan addresses these and other time-critical activities following the onset of an incident. The following outline of an incident response plan describes these activities. Among the activities to be performed in an incident response are evacuating people from the building or relocating them to a safe place, assessing the nature and potential severity of the event, performing a damage assessment, communicating the situation to all relevant parties as defined in the plan, deciding to contact first responders and deciding if more specific emergency plans need to be activated. Once these activities have been completed, the incident response team coordinates decisions on next steps, e.g., launching a business continuity plan.
The structure and outline of an incident response plan typically includes the following:
- Scope and objectives of the plan. This part of the plan defines the fundamental elements of the plan, what it is supposed to achieve and what it addresses.
- Incident response assumptions and limitations. This section defines activities the plan can and cannot initiate, such as conducting an initial assessment, performing a damage assessment and assessing potential outcomes.
- Incident response teams, contact data and responsibilities. This section lists the names and contact data for individuals assigned to the incident response team. It may specify their duties and responsibilities, such as team leader, damage assessment specialist, liaison with first responders or evacuation coordinator.
- Notification process steps. It is essential to provide information about the incident to designated individuals as quickly as possible. This section defines who should be contacted, how quickly they should be contacted after an incident occurs and the information that should be communicated.
- Damage assessment steps. A key part of the initial situation assessment is to examine and assess the extent of damage to the building or floors in the building, the surrounding areas and any other operational items that are specified in the plan.
- Declaration process steps. This section provides criteria for the incident response team to either declare a disaster or provide information to designated individuals (e.g., company executives) so that they can officially declare a disaster.
- Escalation process steps. Information about the progress of the incident and its expansion (or decline) is essential to first responders or other individuals designated in the plan, so that incident response activities can be escalated (or scaled back) as needed.
- Decision to launch additional emergency activities. Based on assessments from incident response team members, first responders and other authorized individuals, decisions may need to be made to launch additional response activities, such as launching an evacuation or a shelter-in-place plan.
- Incident response plan deactivation steps. If the situation can be successfully brought to a conclusion, or if first responders take control of the situation, this section provides procedures for deactivating the plan and standing down the incident response team.
- Plan testing activities. To keep the incident response plan current and ready to use, periodic exercises are advised to confirm that the steps in the plan are still relevant and that team members are properly trained and understand their roles and responsibilities. Exercises are also a good opportunity to have first responders review the plan and offer their advice.
- Plan maintenance activities. Incident response plans should have updates scheduled to validate the names and contact details of team members, as well as any other relevant plan information.
- Plan review and continuous improvement. Plan owners should schedule periodic reviews to ensure that the document is up to date, and should also schedule any activities (e.g., audits) that identify improvements and keep the plan relevant.
Incident response plans help mitigate the severity of a disaster by quickly assessing an event and determining what the next steps should be, according to a structured and regularly rehearsed set of procedures. Without an incident response plan, events may have additional time to escalate, and emergency teams may be unable to respond to an event in a timely fashion. This could result in building damage, damage to or loss of the business, loss of human life and even loss of reputation.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.