Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?

Contact us
/en/services/cyber-risk/governance-advisory/incident-response-plan-development service

If you have in place a well-thought-out cyber security incident response plan (IRP), you will know how to act swiftly and in the best ways possible to protect your network, operations and reputation. Whether you want to validate an existing IRP or are developing your first plan, Kroll’s experts can help. 

Unrivalled Insight Built into Every Incident Response Plan

As incident responders who every year work globally on thousands of cyber matters, we know the risk landscape well. We also have witnessed the value of organizations being prepared. 

In helping clients develop or validate an IRP, Kroll experts follow a methodology that integrates our front-line experience investigating persistent and emerging threats with guidance from leading security standards, such as the NIST Cybersecurity Framework and CIS Controls™ along with unique considerations based on your environment.

Some of the areas we will help you cover in building your plan include the following:

  • Assembling your incident response team (IRT). 
    Subject matter experts and key resources enterprise-wide should be involved in the response to ensure coverage of specific incident-related issues. 
  • Assigning IRT responsibilities. 
    The role of everyone on the IRT should be outlined and each team member’s responsibilities clearly defined. 
  • Outlining technical protocols. 
    It is human nature for technical teams to want to try and fix something before having to escalate the problem. Unfortunately, this often leads to a loss of critical evidence that has hurt many an organization. We can advise on the steps for IT and security teams to follow upon detecting an issue, including escalation points.
  • Determining authority to call an incident. 
    Your IRP should also cover protocols related to notifying senior leadership, external partners such as outside counsel or your insurance carrier, and regional or industry-specific regulators. 
  • Establishing communications procedures and responsibilities.
    In a crisis, the ability to communicate cannot be taken for granted. We will help you examine and decide how the IRT will communicate securely if corporate email becomes unsafe to use or not accessible due to ransomware. Also, we will help you determine who will communicate with external parties, such as outside counsel, your insurance carrier, law enforcement, the media and regulators. 
  • Gathering and documenting pertinent information. 
    Our experts will help ensure you compile information that will be critical to have in the event of an incident. This includes technical diagrams/schematics as well as comprehensive contact information for key resources such as:
    • IRT members and their alternates (backups)
    • Essential internal stakeholders (e.g., executives and legal counsel)
    • Vendors or providers of specialty services, e.g., investigations, forensics and remediation; breach notification; crisis communications; and cyber insurance 
  • Determining a review and testing schedule.
    IRPs cannot be a create-and-forget exercise. Based on the complexity of your organization, we will help you determine measures for updating the plan organically (e.g., when members leave the company or change roles) and provide for a regular testing schedule (e.g., quarterly or annually). 

Call for an Incident Response Plan Consultation Today

Beyond the pragmatic guidance that a cyber incident response plan provides, developing an IRP also signals to regulators, data subjects and other principal stakeholders your commitment to proactively address cyber threats. Take advantage of Kroll’s years of unique cyber incident response experience to better prepare to respond to a cyberattack. To learn more about creating an incident response plan or validating and testing an existing plan, contact us today. 

Connect with us
Michael Quinn
Michael Quinn
Managing Director
Cyber Risk
Andrew Beckett
Andrew Beckett
Managing Director and EMEA Leader
Cyber Risk
Lucie Hayward
Lucie Hayward
Associate Managing Director
Cyber Risk

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate operational security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Comprehensive investment banking, corporate finance, restructuring and insolvency services to investors, asset managers, companies and lenders.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.

See all insightsExplore insights

Q4 2021 Threat Landscape: Software Exploits Abound

Feb 16, 2022

by Keith WojcieszekLaurie Iacono George Glass


10 Essential Cyber Security Controls for Increased Resilience (and Better Cyber Insurance Coverage)

Nov 03, 2021

by Devon AckermanMari DeGraziaJeff Macko


MS Exchange Critical Vulnerability CVE-2020-0688 Targeted by Multiple Actor Groups

Mar 24, 2020

by Nicole SetteJeff Macko Samuel Smoker


Data Exfiltration in Ransomware Attacks: Digital Forensics Primer for Lawyers

Sep 16, 2021

by Jaycee Roth


Kroll Launches Strategic Communications Service

Jun 01, 2022


Kroll Partners with Armis to Extend Preparedness and Response for OT and ICS Environments

May 09, 2022


Kroll Responder Recognized in 2021 Gartner Market Guide for Managed Detection and Response Services

Nov 19, 2021


Kroll Named a Cyber Security Services Pacesetter by ALM Intelligence

Oct 28, 2020


KAPE Intensive Training and Certification

Online Event Apr 12 - Dec 08, 2022 | Online Event