According to the common phases of IR, there are five key phases of an incident response plan.

1. Preparation:

  • Preparing users and IT staff to handle potential incidents, should they arise.

2. Identification and Assessment:

  • Determine whether an incident has occurred, communicate clearly, and engage expertise to ask questions such as:

  1. When did the event happen?

  2. How many areas have been impacted?

  3. What is the scope of the compromise?
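The three assessment questions above are usually answered from logs. The following is an added example, not part of the original page: a small Python triage helper that takes constructed authentication log lines in an assumed simplified syslog-style format and, for one suspicious source address (a hypothetical indicator, using a documentation IP range), reports when activity started and ended, which hosts saw a successful login, and which accounts were involved. The function names `parse_log` and `assess` and the log format are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample authentication log lines (not from the original page).
# Assumed simplified syslog-style format for this example:
#   <timestamp> <host> sshd: <Accepted|Failed> password for <user> from <source>
SAMPLE_LOG = """\
2024-03-01T08:00:12Z web01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:15:30Z web01 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:15:31Z web01 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:15:33Z web01 sshd: Accepted password for admin from 198.51.100.7
2024-03-01T08:20:02Z db01 sshd: Accepted password for admin from 198.51.100.7
2024-03-01T09:05:44Z web02 sshd: Accepted password for bob from 10.0.0.9
2024-03-01T09:30:10Z db01 sshd: Accepted password for admin from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def assess(text, suspicious_source):
    """Answer the identification questions for one suspicious source address.

    Returns None when the log holds nothing attributable to that source, so the
    caller can tell "no evidence" apart from "evidence with zero successes".
    """
    hits = [e for e in parse_log(text) if e["src"] == suspicious_source]
    if not hits:
        return None
    stamps = [datetime.strptime(e["ts"], TS_FORMAT) for e in hits]
    first, last = min(stamps), max(stamps)
    return {
        # When did the event happen? (first and last activity, and the window)
        "first_seen": first.strftime(TS_FORMAT),
        "last_seen": last.strftime(TS_FORMAT),
        "window_seconds": int((last - first).total_seconds()),
        # How many areas have been impacted? (hosts with a successful login)
        "impacted_hosts": sorted({e["host"] for e in hits if e["result"] == "Accepted"}),
        # What is the scope of the compromise? (accounts and login counts)
        "accounts": sorted({e["user"] for e in hits}),
        "successful_logins": sum(1 for e in hits if e["result"] == "Accepted"),
        "failed_logins": sum(1 for e in hits if e["result"] == "Failed"),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG, "198.51.100.7")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The scoping counts only hosts where the login actually succeeded, since failed attempts alone show intent rather than impact; the first-seen timestamp, however, includes failed attempts, because the start of the activity is what the timeline question asks for.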

3. Containment and Intelligence:

  • After a breach is first detected, we focus on limiting the damage of the incident and isolating affected systems to prevent further damage.

4. Eradication:

  • Eradication involves the following steps:

  1. Identifying the root cause of the incident.

  2. Isolating affected systems from the production environment.

5. Recovery and Follow-up Actions:

  1. In post-incident activities, the team brings affected production systems back online carefully, to ensure another incident does not take place.

  2. Important decisions at this stage include from which time and date to restore operations.

  3. The team must also decide how to test and verify that affected systems are back to normal, and how long to monitor the systems to ensure activity is back to normal.