
Security Incident Response Checklist


Security incidents can disrupt operations, damage trust, and risk regulatory violations. This checklist ensures your team is prepared to detect, contain, respond to, and recover from security incidents efficiently and in compliance with SOC 2 and other frameworks.

Preparation

| Task | Description |
| --- | --- |
| Designate an Incident Response Lead | Assign someone to coordinate incidents and serve as the single point of contact. |
| Document Roles & Responsibilities | Clarify who does what during a security event: IT, legal, communications, etc. |
| Create a Response Plan | Maintain a written plan that outlines the steps to detect, respond, escalate, and recover. |
| Employee Awareness | Train all staff to recognize incidents and know how to report them. |
| Secure Communication Channel | Establish an out-of-band channel (e.g., Signal or a backup Slack workspace) for incident coordination, so the team can still coordinate if primary systems are compromised. |
| Test the Plan | Conduct tabletop exercises at least annually. Log results and improvements. |

Detection & Reporting

| Task | Description |
| --- | --- |
| Monitor for Security Events | Set up logs, alerts, and monitoring tools on key systems and endpoints. |
| Incident Identification Criteria | Define what qualifies as an incident (e.g., phishing, data leak, malware). |
| Incident Reporting Process | Provide a simple way for employees to report issues (form, email, hotline). |
| Triage Reported Incidents | Categorize the severity and impact of the event for faster prioritization. |
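As an added example (not part of the original checklist), the "Monitor for Security Events" and "Triage Reported Incidents" rows in working form: a small Python script that scans constructed sshd-style auth log lines for a burst of failed logins from one source, raises an alert, and assigns it a priority from a severity matrix. The log lines, the detection thresholds, the privileged account names, the P1 to P4 levels and the response-time targets are all illustrative assumptions, not values from the page.

```python
"""Detect a failed-login burst in sample auth logs and triage the resulting alert."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format; not from any real system.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-05-01T09:00:03Z sshd[102]: Failed password for admin from 203.0.113.7 port 5002
2024-05-01T09:00:05Z sshd[103]: Failed password for root from 203.0.113.7 port 5003
2024-05-01T09:00:06Z sshd[104]: Failed password for admin from 203.0.113.7 port 5004
2024-05-01T09:00:08Z sshd[105]: Failed password for admin from 203.0.113.7 port 5005
2024-05-01T09:00:09Z sshd[106]: Accepted password for admin from 203.0.113.7 port 5006
2024-05-01T09:15:00Z sshd[107]: Failed password for alice from 198.51.100.4 port 6001
2024-05-01T09:40:00Z sshd[108]: Accepted publickey for alice from 198.51.100.4 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

# Assumed detection thresholds and privileged account names (tune per environment).
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
PRIVILEGED = {"root", "admin"}

# Assumed severity matrix: base level per alert category, P1 = most urgent.
BASE_SEVERITY = {"suspected_compromise": 2, "brute_force": 3}
RESPONSE_TARGET = {1: "15 minutes", 2: "1 hour", 3: "4 hours", 4: "next business day"}


@dataclass
class Alert:
    source: str
    category: str
    users: frozenset
    first_seen: datetime
    last_seen: datetime


def parse(log_text):
    """Turn matching log lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect(events):
    """Raise one alert per source that logs >= FAIL_THRESHOLD failures inside WINDOW.
    A success from the same source after the burst upgrades it to suspected compromise."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst = None
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                burst = fails[i:j]
                break
        if burst is None:
            continue
        burst_end = burst[-1][0]
        successes = [e for e in evs if e[1] == "Accepted" and e[0] >= burst_end]
        category = "suspected_compromise" if successes else "brute_force"
        users = frozenset(e[2] for e in burst + successes)
        last_seen = successes[-1][0] if successes else burst_end
        alerts.append(Alert(src, category, users, burst[0][0], last_seen))
    return alerts


def triage(alert):
    """Map an alert to (priority, response target); privileged accounts escalate one level."""
    level = BASE_SEVERITY.get(alert.category, 4)
    if alert.users & PRIVILEGED:
        level = max(1, level - 1)
    return f"P{level}", RESPONSE_TARGET[level]


def run(log_text=SAMPLE_AUTH_LOG):
    """Return (source, category, priority, target) for every alert, most urgent first."""
    rows = [(a.source, a.category, *triage(a)) for a in detect(parse(log_text))]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for row in run():
        print(row)
```

In the constructed sample, the five failures followed by a success from 203.0.113.7 against privileged accounts yield a single P1 alert, while the lone failure from 198.51.100.4 stays below the threshold and is not alerted. The point of keeping the matrix and thresholds as named constants is that the triage criteria become auditable configuration rather than analyst judgement.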


Containment, Eradication & Recovery

| Task | Description |
| --- | --- |
| Contain the Incident | Disconnect affected systems, revoke compromised credentials, block access. |
| Preserve Evidence | Capture logs and screenshots before cleanup. Needed for root-cause analysis and audits. |
| Eliminate the Threat | Remove malware, patch vulnerabilities, disable unauthorized accounts. |
| Restore Services | Recover from backups and confirm integrity before bringing systems back online. |
| Notify Stakeholders | Inform internal teams, affected clients, legal counsel, and third parties if needed. |
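For the "Preserve Evidence" and "Restore Services" rows, an added Python example (not the page's own material) that hashes captured artifacts into a manifest before cleanup begins, stores who collected them and when, and re-verifies the hashes later so that any post-collection change is visible. The incident id, collector name, file names and file contents are constructed placeholders.

```python
"""Hash captured artifacts into an evidence manifest before cleanup, then re-verify them."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, incident_id, collector):
    """Record who collected what, when, and the hash of each artifact at collection time."""
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": os.path.abspath(p), "sha256": sha256_file(p), "size": os.path.getsize(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Return the names of artifacts that are missing or whose hash no longer matches."""
    changed = []
    for a in manifest["artifacts"]:
        if not os.path.exists(a["path"]) or sha256_file(a["path"]) != a["sha256"]:
            changed.append(os.path.basename(a["path"]))
    return changed


def demo():
    """Constructed scenario: two captured artifacts, a manifest, then one artifact is altered."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        console = os.path.join(d, "console.txt")
        with open(auth_log, "w") as f:
            f.write("2024-05-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7\n")
        with open(console, "w") as f:
            f.write("constructed console capture\n")

        # Placeholder incident id and collector identity, not values from the page.
        manifest = build_manifest([auth_log, console], "INC-EXAMPLE-001", "analyst@example.invalid")
        # Persist the manifest beside the evidence so auditors can re-run the check later.
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        intact_before = verify_manifest(manifest) == []

        # Simulate a modification after collection, e.g. a log rotated during cleanup.
        with open(auth_log, "a") as f:
            f.write("line appended after collection\n")
        return {
            "intact_before": intact_before,
            "changed_after": verify_manifest(manifest),
            "artifact_count": len(manifest["artifacts"]),
        }


if __name__ == "__main__":
    print(demo())
```

The same verify step applies when restoring from backup: hash the backup image at the time it was taken, and check it against that recorded value before the restored system goes back online, so a backup that was itself tampered with is caught rather than redeployed.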

Post-Incident Review

| Task | Description |
| --- | --- |
| Conduct a Retrospective | Within 48–72 hours, hold a review meeting to identify what went well and what failed. |
| Update Documentation | Refine the incident response plan based on lessons learned. |
| Communicate Internally | Share learnings (without blame) across the team to increase preparedness. |
| Report to Auditors | Keep incident logs and response summaries for SOC 2 or ISO 27001 reviews. |