What Is an Incident Response Plan and How Do I Create One?

An incident response plan is a documented, step-by-step playbook that tells your team exactly what to do when a cybersecurity event occurs — who to call, what to disconnect, how to communicate, and how to recover. Every small business needs one. Without a plan, a security incident that could be contained in hours turns into weeks of chaos, lost revenue, and damaged trust.

Why Does My Small Business Need an Incident Response Plan?

Because incidents are not hypothetical. The FBI IC3 2025 report recorded over one million cybercrime complaints in a single year, with losses totaling $20.9 billion. The Verizon 2025 DBIR found ransomware in 44% of all breaches and 88% of SMB breaches.

An incident response plan reduces response time, limits damage, and meets compliance and insurance requirements. The IBM 2025 Cost of a Data Breach Report found that AI-driven security tools cut the breach lifecycle by 80 days and saved nearly $1.9 million on average.

What Framework Should I Follow?

The most widely adopted framework is NIST SP 800-61, updated to revision 3 in April 2025. The core incident handling process breaks down into four phases:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

Phase 1: Preparation

Define roles and responsibilities. Who is your incident commander? Who contacts your MSP? Who handles communications?

Build your contact list. Include your IT provider, cyber insurance carrier, legal counsel, law enforcement contacts, and key stakeholders. Print this list and store it where it can be accessed even if your network is down.

Inventory your assets. Maintain a current list of all systems, applications, and data repositories.

Establish communication protocols. Assume your email may be compromised. Define backup communication channels.

Test your backups, not just configure them: confirm they can actually be restored. Backups are your recovery lifeline.

Phase 2: Detection and Analysis

Monitor for indicators of compromise using EDR tools, firewall logs, and dark web monitoring. Classify incidents by severity. Document everything from the moment an incident is suspected.

Phase 3: Containment, Eradication, and Recovery

Containment. Isolate affected systems. As CISA’s ransomware checklist emphasizes, isolate first — investigate second.

Eradication. Remove the threat — rebuild compromised systems, patch vulnerabilities, reset credentials.

Recovery. Restore from verified clean backups. Bring systems back online methodically.

Phase 4: Post-Incident Activity

Conduct a lessons-learned review within one to two weeks. Update your plan. Share relevant findings with your MSP and report to CISA and FBI IC3.

How Do I Get Started Today?

  1. Write down your emergency contact list
  2. Assign three roles — incident commander, technical lead, communications lead
  3. Define your communication backup
  4. Verify your backups
  5. Schedule a tabletop exercise
Need help building an incident response plan? Contact ROI Technology Inc. and we will help you create a plan that is practical, tested, and ready when you need it.