Incident Response Plan Template (SMB)

In a small and midsize business (SMB), the fastest way to fail is to assume everyone will "figure it out" during an incident. Your plan should assign decision-making roles and confirm who has the technical access to execute.

• Incident commander: runs the process, drives updates, and records decisions.
• IT lead: executes containment and recovery actions.
• Security lead: handles investigation, evidence, and logging.
• Leadership: approves business-impact decisions (shutdowns, public statements).
• Legal / counsel: advises on notification and regulatory obligations.
• Communications: owns internal updates and any external statements.

Related: incident response tabletop exercises.

Communications should be deliberate. During an incident, assume email may be compromised and chat may be unavailable.

• Escalation: how do you reach people after-hours, and who is on-call?
• Channels: define a backup channel (phone tree, alternate chat, emergency email).
• External contacts: cyber insurance, counsel, key vendors, and critical customers.

Related: DNS and registrar security and identity foundations.

An IR plan is only as good as your ability to execute it. If you cannot revoke sessions, see logs, or restore systems, the plan becomes a document-only exercise.

• Identity: Multi-Factor Authentication (MFA) on admins, break-glass accounts, and recovery procedures.
• Logging: know where authentication and admin activity is captured and retained.
• Recovery: backups are tested and RPO/RTO expectations are realistic.

Related: MFA, SIEM, and backup testing.

This is a starter template. Keep it short, keep contacts current, and add playbooks for your most likely scenarios.

# Incident Response Plan (SMB) - Starter Template

## 1) Purpose
This plan defines how we coordinate, communicate, contain, and recover from security incidents.

## 2) Incident roles
- Incident Commander:
- IT Lead:
- Security Lead:
- Leadership Approver:
- Legal / Counsel:
- Communications:

## 3) Contact list (keep current)
- After-hours escalation number:
- Cyber insurance:
- External counsel:
- Key vendors (email, identity, backup, MSP/MSSP):

## 4) Severity levels and escalation
- SEV-1 (Business down / active attacker): notify leadership immediately
- SEV-2 (Material risk / partial impact): notify within 1 hour
- SEV-3 (Limited scope): notify next business day

## 5) Containment authority
IT may take immediate actions to contain risk (disable accounts, revoke sessions, isolate endpoints).
Actions that materially impact business operations require leadership approval unless delay increases risk.

## 6) Communications plan
- Primary channel:
- Backup channel (assume email compromise):
- Customer communication owner:
- Internal update cadence:

## 7) Evidence and logging
- Where logs are stored:
- Who collects evidence:
- Chain-of-custody notes location:

## 8) Playbooks (attach or link)
- Ransomware
- Business Email Compromise
- Lost or stolen device
- Vendor breach

## 9) Testing and review
- Tabletop exercise frequency:
- After Action Report / Improvement Plan owner:
- Last tested date:

Related scenarios: ransomware and business email compromise.

• No after-hours plan: the first hour is chaos because nobody can reach the right people.
• Unclear authority: everyone waits for approval while the attacker continues.
• Evidence drift: logs exist, but access to them is unclear or retention is too short.
• Backups assumed: restore timelines are guessed, not tested.

Related: cyber insurance readiness.