Creating a Cyber Security Incident Response Plan: A Checklist for Mid-Sized Organizations

Emily Chee
| 10/1/2023

In an era of digital ubiquity, the risk of cyberattacks is not a matter of "if" but "when." For mid-sized organizations that often lack the expansive resources of large enterprises, the necessity for a rock-solid Cyber Security Incident Response Plan (CSIRP) is paramount. 

Crowe MacKay's Technology Consultants can help demystify the convoluted process of creating a robust, actionable CSIRP and provide guidance on tailoring your incident response plan. If you want to develop a cyber security strategy and/or incident response plan that protects your business against cyberattacks and data breaches, contact our experts in Alberta, British Columbia, Northwest Territories, or the Yukon.

Ensuring Cyber Security Incident Response Plan Integrates with Cyber Security Policy and Strategy

A cyber security policy and strategy should include:

  1. the scope of technology and information assets that need to be protected,
  2. assessment and identified threats to those assets, and
  3. detail the rules and controls for safeguarding the assets and the business. 

An incident response plan is part of the rules and controls for protecting valuable assets.

Cyber Security Incident Response Plan Checklist: Where to Start?

Formulating a CSIRP requires a multi-pronged approach. This checklist should be your primary reference point and be adapted to match your organization's unique landscape. A generic CSIRP, such as NIST’s Incident Handling checklist, can be a good reference point. Still, you must tailor every piece to fit your organization's needs and challenges. 

Our trusted Technology Consultants highly recommend seeking an expert to create your custom-fitting CSIRP.

Assessment Phase: Where Are You Now?

Obtain an understanding of the cyber security strategy, policy, and existing incident management process.  For example, what tools are in place to monitor for incidents? What is our current incident reporting and documentation process? Who are the individuals that are informed? These are just some of the questions that can help to map out the current state of your incident response process.

Identifying Current Security Measures

Commence by auditing your existing security measures. Your audit is not merely a cursory glance; it involves an exhaustive analysis of the software, hardware, and protocols currently in place. Identify weak links and potential areas of improvement, along with what might or might not be working.

Gap Analysis

Once the existing setup has been cataloged, the next step involves a thorough gap analysis. Scrutinize your security measures vis-a-vis industry best practices to spot vulnerabilities needing immediate attention.

Building Blocks of a CSIRP

Components that Form an Effective Plan

Let's dissect the anatomy of an effective CSIRP. Its core comprises multiple building blocks, each equally critical in formulating a successful incident response strategy.

Threats and Risk Assessment
This exercise should be part of the overall cyber security strategy and policy development phase. Make sure to be cognizant of the internal and external threats to your organization, the likelihood that they will occur, and their impact on your business operations.

Team Composition

A comprehensive Cyber Incident Response Team (CIRT) must involve multidisciplinary experts. Experts involved should include IT specialists, legal advisors, HR professionals, and corporate communication teams. External consultants and specialists could also be considered.

Training and Awareness

Develop a comprehensive training regimen that provides your team members and other members of your organization with real-world scenarios and best practices. Tabletop exercises, simulations, and role-playing could be used to deepen their understanding and readiness. Make sure to conduct training regularly and maintain documentation of completed training activities.


Choosing the Right Tools

Choosing applications that align with your specific needs is crucial in a market flooded with cyber security tools. Aspects to consider are system support, scalability, reliability, ease of integration, and performance expectations.

Configuration and Implementation

More than merely purchasing the best cyber security tools is required. Each instrument must be fine-tuned to align with your organization's security requirements. Proper implementation involves configuring settings, updating patches, and regularly monitoring performance.


Compliance and Documentation

Regulatory Requirements

Compliance isn’t simply a checkbox activity; it’s an ongoing commitment. Ensure your CSIRP aligns with regional legislation, including GDPR for Europe, HIPAA for healthcare, or industry-specific regulations.


Ensure sufficient documentation of the incident and every action, decision, and outcome during a cyber security breach. These records serve dual purposes as they offer an opportunity for post-mortem evaluations and act as a legal bulwark in case of lawsuits or compliance checks.

Implementation and Testing

Rollout Plan

The transition from planning to execution requires meticulous attention to detail. Develop a phased rollout plan, ensuring every member understands their role, timelines, and expectations.

Regular Simulations

Testing is essential for gauging the efficacy of your CSIRP. Schedule simulations for cyberattacks to identify areas needing reinforcement or revisions.

Performance Metrics
Develop key performance indicators (KPIs) such as incident detection, response, and resolution time to evaluate your CSIRP's efficacy objectively.
Formalize procedures and streamline the incident response process. Procedures and corresponding checklists, forms, and metrics must be documented as formal policies or guidance to ensure consistent understanding and application across the organization.
Refine and Monitor
The cyber security landscape is far from static. Evolving threats require a CSIRP that is equally dynamic. Regularly revisit and update your CSIRP to keep it aligned with emerging threats and technologies along with the growth of your business.

The Bottom Line

An efficient Cyber Security Incident Response Plan is a non-negotiable element in any mid-sized organization’s cyber security framework. Embedded with industry best practices and actionable strategies, a tailored checklist will be your go-to guide in creating an unassailable CSIRP. Given the continually evolving cyber threat landscape, staying prepared is no longer merely an option; it's a mandate!


This article has been published for general information. You should always contact your trusted advisor for specific guidance pertaining to your individual needs. This publication is not a substitute for obtaining personalized advice.

Crowe MacKay’s Technology Consultants have decades of experience advising clients on how to protect and enhance their business through the implementation of new technology-centred strategies. We work with you to ensure your digital transformation not only meets your business’ needs but exceeds your expectations.

Subscribe to Our Newsletter
Receive insight from our advisors that will help you make smart decisions that provide lasting value.

Over 12 years of experience in IT audit (both general IT controls and IT application controls), internal audit, system implementation reviews, fraud risk assessments, forensic investigations, litigation support, data analytics, database design, and project management. 
Emily Chee
Emily Chee
Director, Risk and Forensic Services

Require Assistance?

Connect with a trusted Crowe MacKay advisor to discuss your specific situation by calling us toll-free at 1 (844) 522 7693, emailing [email protected], or by completing the form.
* Required

Shield your business against cyberattacks and data breaches

Contact Crowe MacKay's trusted Technology Consultants to protect your business against cyberattacks and data breaches.