Incident response plan
Emergency handbook for cyber incidents
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
The IRP under Section 30(2) No. 6 BSIG documents the procedure for handling cyber incidents. The NIST CSF structures this into six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
What is an incident response plan?
IRP minimum contents:
- Crisis team and escalation paths
- Communication templates (employees, customers, authorities)
- Forensic procedures (imaging, log preservation)
- Authority notifications (BSI 24/72/30)
- Recovery procedures
- Post-incident review
Practical example
Suspected ransomware triggers the IRP. The crisis team convenes within 30 minutes. Forensics begins imaging. The initial notification to the BSI is made within 24 hours. Recovery is performed from backup. Post-incident: lessons-learned workshop.
Frequently asked questions
Standards?
NIST SP 800-61, ISO 27035, BSI 200-3. For SMEs, NIST is the most practical.
Training?
Annual tabletop exercise, live test every two years.