Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?

Contact us
/en/services/cyber-risk/governance-advisory/incident-response-plan-development service

If you have in place a well-thought-out cyber security incident response plan (IRP), you will know how to act swiftly and in the best ways possible to protect your network, operations and reputation. Whether you want to validate an existing IRP or are developing your first plan, Kroll’s experts can help. 

Unrivalled Insight Built into Every Incident Response Plan

As incident responders who every year work globally on thousands of cyber matters, we know the risk landscape well. We also have witnessed the value of organizations being prepared. 

In helping clients develop or validate an IRP, Kroll experts follow a methodology that integrates our front-line experience investigating persistent and emerging threats with guidance from leading security standards, such as the NIST Cybersecurity Framework and CIS Controls™ along with unique considerations based on your environment.

Some of the areas we will help you cover in building your plan include the following:

  • Assembling your incident response team (IRT). 
    Subject matter experts and key resources enterprise-wide should be involved in the response to ensure coverage of specific incident-related issues. 
  • Assigning IRT responsibilities. 
    The role of everyone on the IRT should be outlined and each team member’s responsibilities clearly defined. 
  • Outlining technical protocols. 
    It is human nature for technical teams to want to try and fix something before having to escalate the problem. Unfortunately, this often leads to a loss of critical evidence that has hurt many an organization. We can advise on the steps for IT and security teams to follow upon detecting an issue, including escalation points.
  • Determining authority to call an incident. 
    Your IRP should also cover protocols related to notifying senior leadership, external partners such as outside counsel or your insurance carrier, and regional or industry-specific regulators. 
  • Establishing communications procedures and responsibilities.
    In a crisis, the ability to communicate cannot be taken for granted. We will help you examine and decide how the IRT will communicate securely if corporate email becomes unsafe to use or not accessible due to ransomware. Also, we will help you determine who will communicate with external parties, such as outside counsel, your insurance carrier, law enforcement, the media and regulators. 
  • Gathering and documenting pertinent information. 
    Our experts will help ensure you compile information that will be critical to have in the event of an incident. This includes technical diagrams/schematics as well as comprehensive contact information for key resources such as:
    • IRT members and their alternates (backups)
    • Essential internal stakeholders (e.g., executives and legal counsel)
    • Vendors or providers of specialty services, e.g., investigations, forensics and remediation; breach notification; crisis communications; and cyber insurance 
  • Determining a review and testing schedule.
    IRPs cannot be a create-and-forget exercise. Based on the complexity of your organization, we will help you determine measures for updating the plan organically (e.g., when members leave the company or change roles) and provide for a regular testing schedule (e.g., quarterly or annually). 

Call for an Incident Response Plan Consultation Today

Beyond the pragmatic guidance that a cyber incident response plan provides, developing an IRP also signals to regulators, data subjects and other principal stakeholders your commitment to proactively address cyber threats. Take advantage of Kroll’s years of unique cyber incident response experience to better prepare to respond to a cyberattack. To learn more about creating an incident response plan or validating and testing an existing plan, contact us today. 

Connect with us

Michael Quinn
Michael Quinn
Managing Director
Cyber Risk
Andrew Beckett
Andrew Beckett
Managing Director
Cyber Risk
Lucie Hayward
Lucie Hayward
Associate Managing Director
Cyber Risk

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Comprehensive investment banking, corporate finance, restructuring and insolvency services to investors, asset managers, companies and lenders.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.


Cyber Risk and CFOs: Over-Confidence is Costly

Sep 13, 2022

by Greg MichaelsJames McLearyWilliam Rimington


Optimizing the CISO and Board Roles in Heightened Risk Periods

Aug 05, 2022

by James McLeary Edward Starkie

The Monitor

Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20

May 27, 2022

by Cole Manaster George Glass, Elio Biasiotto


10 Essential Cyber Security Controls for Increased Resilience (and Better Cyber Insurance Coverage)

Nov 03, 2021

by Devon AckermanMari DeGraziaJeff Macko


Chief Financial Officers Ignoring Cyber Risk Worth Millions of Dollars According to Kroll Report

Sep 13, 2022


Kroll Launches Strategic Communications Service

Jun 01, 2022


Kroll Partners with Armis to Extend Preparedness and Response for OT and ICS Environments

May 09, 2022


Kroll Responder Recognized in 2021 Gartner Market Guide for Managed Detection and Response Services

Nov 19, 2021


KAPE Intensive Training and Certification

Online Event Apr 12 - Dec 08, 2022 | Online Event