Newcomer III

Incident Response Policy and Procedures

Any recommendations for an Incident Response Policy and Procedures template?

I'm building a cyber program from scratch.

Any guidance is appreciated.

Thank you,


7 Replies
Community Champion

NIST and SANS both have rather comprehensive documentation and templates on IRT.


Also check out ITIL Service Operation, on incident management, a fairly concise guideline on the incident and response process, including a good diagram of the flow.





Chuxing Chen, Ph.D., CISSP, PMP

My organization bases our policy and procedures on the NIST 800 framework. The NIST 800-61 Computer Security Incident guide is extremely helpful.

Influencer II

> Lwhite (Newcomer II) posted a new topic in Welcome on 06-24-2019 04:06 PM in the

> Any recommendations for an Incident Response Policy and Procedures template?


I guess my reaction is a little different than most: having started out in malware
research (way back when it was possible) good IR was about the first to work on.

More recently I've been doing a 2-4 hour IRP presentation with a one-page
handout as an inducement to quick and dirty "get started, durnit!" activity ...

Newcomer I

As stated by others, the NIST Special Publication 800-61 Revision 2 is a good starting point. You can find it here:


If you have any workloads in the cloud you will need to adapt to account for any shared responsibilities/CSP requirements.



Scott P. Nicholson, MSM, CAP, RDRP
Advocate II

An alternative you could look at is ISO 27035, as a top-level approach. It'll also make sense to outline a playbook for each general type of incident.


You'll need to determine if you can have a permanent CSIRT or if you'll need to pull together a virtual CSIRT at the point of detecting a major incident. This will probably depend on your organisation's business and its resource budget. A vCSIRT can work, but can also be problematic, as getting the time to train and rehearse when there is actually an incident can be a tough ask with the members' line management. A common solution is to have first call on staff from your SOC or pay a retainer to a third party for first responders.

Newcomer III

Thank you!

Newcomer I


I found that this thread did not have any answer and therefore would like to put my thoughts.


NIST's Cyber Security Maturity Assessment Framework can be a good start, as it has a dedicated domain on the Incident Management life cycle. In addition, inputs from well-known security standards such as ISO 27001 and PCI DSS (current version 4.0) should also be considered.


Policy, which is a high-level document, must be specific to the organization, the business units and the operating environment, and in line with the risk appetite of the organization.


Hope this helps.