Stage 5: Respond

When an incident has occurred, it is important to immediately engage a process to identify, respond and manage the impact of the incident. The incident team needs to ensure that a breach is contained, the effects are mitigated, and the incident is efficiently eradicated. It is important that the business operations are returned to normal as soon as possible, any compliance requirements are upheld and then the impact is fully understood.

By preparing for a breach, an organisation will have procedures in place for recovery time objectives and recovery point objectives (identifying the priority of IT systems, how quickly they need to be back up and running and the point of recovery) so that the business has an organised recovery plan in place.

It is important to assess key systems and assets and understand the capacity of protection. By analysing the current incident management process and policies, it is possible to understand how effective an organisation will be in implementing continuity and crisis management procedures. Recovery and communication plans must be tailored to each organisation so that it can restore all capabilities, services, and systems as well as inform internal and external stakeholders.

It is important to review and maintain these on a regular basis to minimise interruption to business operations and fully protect business objectives and reputation.

If an incident does occur, it is important to use post-incident and post-exercise reviews to actively reduce the risks associated with incidents happening in the future. By identifying the origin, the cause of the attack and assessing any shortfalls in response or preventative strategies, the business can prevent the issue from reoccurring. It is important to address the root cause or to identify systemic concerns, rather than to fix a limited issue.