Compliance guide

Incident Response Policy Template

An incident response policy sets out how your business detects, reports and recovers from a security incident, before one happens, so people aren't improvising under pressure. This guide gives you a free template built around the standard six-phase process, plus a done-for-you option.

Key takeaways

  • An incident response policy turns a chaotic situation into a known process: who does what, in what order, when something goes wrong.
  • It's typically built around six phases: prepare, identify, contain, eradicate, recover, review.
  • It sits under your cyber security policy and links to your data breach notification duties.
  • Customers and tenders increasingly ask whether you have one, and whether you test it.

What an incident response policy covers

An incident response (IR) policy, sometimes called an incident management policy or an incident response plan, defines what counts as a security incident and how your business responds to one. The aim is speed and consistency: a malware infection, lost laptop, phishing compromise or data breach is stressful, and a clear process prevents costly mistakes.

This is general guidance, not legal advice. Many places have mandatory data breach notification rules with tight deadlines; build those into your policy.

The six-phase incident response process

Most frameworks (including NIST) follow a version of this lifecycle. Your policy should describe each phase:

  1. Prepare: Define roles, contacts and tools before an incident; train people and keep an up-to-date contact list.
  2. Identify: Detect and confirm an incident, and classify how serious it is.
  3. Contain: Limit the damage, isolate affected systems and stop the spread.
  4. Eradicate: Remove the cause, whether malware, compromised accounts or vulnerabilities.
  5. Recover: Restore systems and data from clean backups and confirm normal operation.
  6. Review: Run a post-incident review to capture lessons and improve your defences.

What to include: incident response policy template structure

  1. Purpose and scope: why the policy exists and what counts as an incident.
  2. Roles and responsibilities: the response team, who leads, and escalation contacts.
  3. Severity levels: how incidents are classified and prioritised.
  4. The response process: the six phases above, adapted to your business.
  5. Reporting: how staff report a suspected incident, fast and blame-free.
  6. Breach notification: when and how you notify regulators and affected people.
  7. Communication: who handles internal and external communications.
  8. Records and review: logging incidents and running post-incident reviews.
  9. Testing: how often you rehearse the plan (e.g. a tabletop exercise).

A plan you've never tested rarely survives a real incident. Note a periodic tabletop exercise in your policy; reviewers look for it.

Download the editable incident response policy template

Pop your email in and we'll send the incident response policy and plan (Word and PDF), with the six-phase process and a reporting flow ready to adapt.

Free template vs done-for-you document

Happy to adapt the process and contacts yourself? The free template covers it. Want it tailored, with severity levels and notification steps mapped to your obligations? Here's the done-for-you option.

| | Free template | Done-for-you document |
|---|---|---|
| Price | £0 | Fixed fee |
| Effort from you | A few hours editing | A short intake form |
| Roles & contacts mapped | You fill them in | Done for you |
| Breach notification steps | You research them | Matched to your jurisdiction |
| Review-ready PDF | Format it yourself | Supplied, signed-ready |
| If a reviewer pushes back | You fix it | We revise it free |

Prefer your incident response policy done for you?

Tell us about your business and we'll prepare a tailored incident response policy and plan, with severity levels, contacts and notification steps mapped for you.

Requests for the incident response policy are reviewed and prepared manually; we'll follow up by email.

Frequently asked questions

Is this incident response policy template free?

Yes. The structure, the six-phase process and the guidance are free to use. A tailored, done-for-you version is the only paid option.

What's the difference between an incident response policy and a plan?

The policy sets the principles, scope and responsibilities; the plan is the practical, step-by-step playbook the team follows during an incident. Many businesses combine them into one document, which is how this template is structured.

What counts as a security incident?

Anything that threatens the confidentiality, integrity or availability of your systems or data, for example malware, a phishing compromise, a lost device, unauthorised access, or a data breach.

Do we have to notify anyone after a breach?

Often, yes. Many jurisdictions have mandatory data breach notification rules with strict timeframes. Your policy should set out who decides, who's notified and how quickly.