Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?

Contact us
/en/services/cyber-risk/governance-advisory/incident-response-plan-development service

If you have in place a well-thought-out cyber security incident response plan (IRP), you will know how to act swiftly and in the best ways possible to protect your network, operations and reputation. Whether you want to validate an existing IRP or are developing your first plan, Kroll’s experts can help. 

Unrivalled Insight Built into Every Incident Response Plan

As incident responders who every year work globally on thousands of cyber matters, we know the risk landscape well. We also have witnessed the value of organizations being prepared. 

In helping clients develop or validate an IRP, Kroll experts follow a methodology that integrates our front-line experience investigating persistent and emerging threats with guidance from leading security standards, such as the NIST Cybersecurity Framework and CIS Controls™ along with unique considerations based on your environment.

Some of the areas we will help you cover in building your plan include the following:

  • Assembling your incident response team (IRT). 
    Subject matter experts and key resources enterprise-wide should be involved in the response to ensure coverage of specific incident-related issues. 
  • Assigning IRT responsibilities. 
    The role of everyone on the IRT should be outlined and each team member’s responsibilities clearly defined. 
  • Outlining technical protocols. 
    It is human nature for technical teams to want to try and fix something before having to escalate the problem. Unfortunately, this often leads to a loss of critical evidence that has hurt many an organization. We can advise on the steps for IT and security teams to follow upon detecting an issue, including escalation points.
  • Determining authority to call an incident. 
    Your IRP should also cover protocols related to notifying senior leadership, external partners such as outside counsel or your insurance carrier, and regional or industry-specific regulators. 
  • Establishing communications procedures and responsibilities.
    In a crisis, the ability to communicate cannot be taken for granted. We will help you examine and decide how the IRT will communicate securely if corporate email becomes unsafe to use or not accessible due to ransomware. Also, we will help you determine who will communicate with external parties, such as outside counsel, your insurance carrier, law enforcement, the media and regulators. 
  • Gathering and documenting pertinent information. 
    Our experts will help ensure you compile information that will be critical to have in the event of an incident. This includes technical diagrams/schematics as well as comprehensive contact information for key resources such as:
    • IRT members and their alternates (backups)
    • Essential internal stakeholders (e.g., executives and legal counsel)
    • Vendors or providers of specialty services, e.g., investigations, forensics and remediation; breach notification; crisis communications; and cyber insurance 
  • Determining a review and testing schedule.
    IRPs cannot be a create-and-forget exercise. Based on the complexity of your organization, we will help you determine measures for updating the plan organically (e.g., when members leave the company or change roles) and provide for a regular testing schedule (e.g., quarterly or annually). 

Call for an Incident Response Plan Consultation Today

Beyond the pragmatic guidance that a cyber incident response plan provides, developing an IRP also signals to regulators, data subjects and other principal stakeholders your commitment to proactively address cyber threats. Take advantage of Kroll’s years of unique cyber incident response experience to better prepare to respond to a cyberattack. To learn more about creating an incident response plan or validating and testing an existing plan, contact us today. 

Connect with us

Connect with us

Michael Quinn
Michael Quinn
Managing Director
Cyber Risk
Lucie Hayward
Lucie Hayward
Associate Managing Director
Cyber Risk
Scott Hanson
Scott Hanson
Associate Managing Director & Head of Global Security Operations
Cyber Risk
Devon Ackerman
Devon Ackerman
Regional Managing Director, North America
Cyber Risk
New York

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Middle Market M&A, Strategic Advisory, Debt Advisory and Private Capital Markets, Restructuring and Insolvency Services, Financial Due Diligence, Fairness Opinions, Solvency Opinions and ESOP/ERISA Advisory.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation, disputes and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.


Cyber Risk and CFOs: Over-Confidence is Costly

Sep 13, 2022

by Greg MichaelsJames McLeary

Threat Intelligence

Emerging Chatbot Security Concerns

Mar 23, 2023

by Nicole Sette Joe Contino

Cyber Governance and Risk

The Economics of Secure Software Development

Mar 23, 2023

by Rob Deane

Threat Intelligence

PyPI Packages Used to Deliver Python Remote Access Tools

Mar 01, 2023

by Dave Truman, George Glass

Press Release

Kroll Responder Recognized in 2023 Gartner Market Guide for Managed Detection and Response Services for the Third Consecutive Year

Mar 23, 2023


Kroll Launches Cyber Partner Program Delivering Lifetime Returns

Feb 28, 2023


Kroll Named an MDR “Champion” by Bloor Research

Feb 27, 2023

Press Release

Gartner Names Kroll a Representative Vendor for Managed Security Incident and Event Management

Jan 09, 2023


Kroll at RSA Conference 2023

Conference Conference Apr 24 - Apr 27, 2023 | Conference


KAPE Intensive Training and Certification

Online Event Online Event Apr 13 - Dec 07, 2023 | Online Event