
Creating an Incident Response Plan

November 26, 2025

Incident Response Series Overview

This article is part of our Incident Response Series, created to help Australian small and medium businesses (SMBs) build confidence and compliance around cybersecurity readiness.

Part 1: What Is Incident Response and Why It Starts Before a Cyber Incident explains how proactive planning and frameworks like NIST CSF and SMB1001:2026 form the foundation of cyber resilience.

Part 2: Creating an Incident Response Policy explores how to define your business’s intent, authority, and responsibilities in partnership with your Managed Service Provider (MSP).

Part 3: Creating an Incident Response Plan (this article) shows how to turn that intent into coordinated action by defining roles, response procedures, and continuous improvement.

Together, these three articles help ensure your business is ready to respond, recover, and grow stronger after any cybersecurity event.

Incident Response Plan

If your Incident Response Policy defines your intent, your Incident Response Plan is the playbook that brings it to life.

It outlines exactly how your business, together with your Managed Service Provider (MSP), will detect, respond to, and recover from cybersecurity incidents in a calm and coordinated way.

For SMBs, a clear plan reduces confusion, saves time, and limits the impact of an incident on day-to-day operations.

Why Every Business Needs a Plan

When a cyber incident happens, the first few hours are critical. A well-prepared plan ensures:

  • Everyone knows what to do – no panic or mixed messages.
  • Your MSP can act immediately – with authority to isolate or restore systems.
  • Downtime stays minimal – your business returns to normal faster.
  • Compliance is achieved – at SMB1001:2026 Level 3 (Gold) and above, a tested plan is mandatory.

Your plan turns preparation into performance.

What’s Included in an Incident Response Plan

Your plan doesn’t need to be complex, but it does need to be practical and relevant to your business. Most SMB plans include:

  1. Purpose and Objectives – Explain what the plan is for: protecting data, restoring operations, and learning from incidents.
  2. Scope – Define which systems, users, and data are covered. For most SMBs, this includes Microsoft 365, servers, and backups managed by your MSP.
  3. Roles and Responsibilities – Who does what during an incident:
    1. Business Owner or Manager | Authorises key decisions and oversees communication.
    2. MSP (Managed Service Provider) | Leads the technical response, containment, and recovery.
    3. Staff | Report suspicious activity and follow MSP or management instructions.
  4. Incident Classification – A simple way to rank incidents, such as:
    1. Low | Phishing email or user error with no breach.
    2. Medium | Malware detected, MSP intervention required.
    3. High | Ransomware, breach, or system outage affecting operations.
  5. Response Procedures – A high-level outline of how incidents are handled:
    1. Detect | Identify unusual activity or alerts.
    2. Contain | Isolate affected devices or accounts.
    3. Eradicate | Remove malicious files and reset credentials.
    4. Recover | Restore systems from verified backups.
    5. Review | Document findings and implement improvements.

The plan should also reference any runbooks or procedures your MSP maintains, such as a Ransomware Response Runbook, a Phishing or Credential Compromise Procedure, and a Data Breach Notification Process. This modular approach keeps your plan practical while ensuring technical details remain current.

  6. Communication and Escalation – Defines how communication flows during an incident. For smaller businesses, this might be:
    1. Staff → Manager → MSP
    2. MSP → Business Owner (with regular updates until resolution)
  7. Performance and Continuous Improvement

Include a short section describing how the plan’s effectiveness will be reviewed and improved over time. Your MSP should help track key metrics such as detection, response, and recovery times, and conduct post-incident reviews after major events. These reviews support ongoing SMB1001:2026 compliance and ensure the plan stays aligned with your business continuity goals.
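As an added example (not part of the original article and not IQPC's own tooling), the script below shows one way to calculate the detection, response, and recovery times mentioned above from a set of incident records, using the plan's Low/Medium/High classes. The record layout, field names, and sample incidents are assumptions constructed for the example; an incident whose recovery is still in progress is left out of the average rather than counted as zero, and records whose timestamps run backwards are rejected so that bad data does not quietly distort the metrics.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Optional

# Assumed record format (not from the article): one Incident per event,
# all timestamps in UTC, phases following the plan's Detect -> Contain -> Recover order.


@dataclass
class Incident:
    ident: str
    severity: str                          # "Low", "Medium" or "High", as classified in the plan
    occurred: datetime                     # best estimate of when the activity began
    detected: datetime                     # first alert or staff report
    contained: Optional[datetime] = None   # affected devices/accounts isolated
    recovered: Optional[datetime] = None   # systems restored from verified backups


def hours_between(start: datetime, end: Optional[datetime]) -> Optional[float]:
    """Elapsed hours between two timestamps, or None if the phase is still open."""
    if end is None:
        return None
    return round((end - start).total_seconds() / 3600, 2)


def validate(inc: Incident) -> None:
    """Reject records whose timestamps go backwards; such data makes the metrics meaningless."""
    stamps = [inc.occurred, inc.detected, inc.contained, inc.recovered]
    present = [s for s in stamps if s is not None]
    if any(later < earlier for earlier, later in zip(present, present[1:])):
        raise ValueError(f"{inc.ident}: timestamps are not in Detect -> Contain -> Recover order")


def phase_times(inc: Incident) -> dict:
    """Per-incident durations (hours) for the three metrics named in the plan."""
    validate(inc)
    return {
        "detection": hours_between(inc.occurred, inc.detected),   # time to detect
        "response": hours_between(inc.detected, inc.contained),   # time to contain
        "recovery": hours_between(inc.contained, inc.recovered) if inc.contained else None,
    }


def summarise(incidents, severity: Optional[str] = None) -> dict:
    """Mean of each metric over completed phases, optionally for one severity class only.

    Open phases (None) are excluded, not counted as zero, so an unresolved
    incident can never make the averages look better than they are.
    """
    selected = [i for i in incidents if severity is None or i.severity == severity]
    rows = [phase_times(i) for i in selected]
    out = {"incidents": len(selected)}
    for metric in ("detection", "response", "recovery"):
        values = [r[metric] for r in rows if r[metric] is not None]
        out[metric] = round(mean(values), 2) if values else None
    return out


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample records (not real incidents), one per severity class.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Low", parse_utc("2025-10-01T09:00"), parse_utc("2025-10-01T09:30"),
             parse_utc("2025-10-01T09:45"), parse_utc("2025-10-01T09:45")),
    Incident("INC-002", "Medium", parse_utc("2025-10-06T14:00"), parse_utc("2025-10-06T16:00"),
             parse_utc("2025-10-06T17:30"), parse_utc("2025-10-07T09:30")),
    Incident("INC-003", "High", parse_utc("2025-10-12T02:00"), parse_utc("2025-10-12T08:00"),
             parse_utc("2025-10-12T10:00"), None),   # recovery still in progress
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, inc.severity, phase_times(inc))
    print("all:", summarise(SAMPLE_INCIDENTS))
    print("High only:", summarise(SAMPLE_INCIDENTS, "High"))
```

Tracking these three figures per severity class over successive quarters gives a post-incident review something concrete to compare against, and the validation step catches the common case where a record was filled in from memory with the phases out of order.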

Who Should Be Involved

For most SMBs, the key people involved in incident response are:

  • Business Owner or General Manager who authorises major actions or external notifications.
  • Office Manager or Key Admin Staff who help coordinate internal communication.
  • Your MSP who acts as the technical lead and manages containment, recovery, and reporting.

At IQPC, we work with clients to draft, maintain, and test these plans through quarterly reviews and tabletop exercises, ensuring readiness before real-world incidents occur.

How It Fits with the Policy

Your Incident Response Policy defines your intent – it says “we will respond effectively.” Your Incident Response Plan defines how that happens, and the steps your MSP and team follow to make it real. Together, they form the foundation for SMB1001:2026 compliance and lasting business resilience.

               Policy                               Plan
  Purpose      Defines intent and governance.       Details the step-by-step response process.
  Audience     Business leadership and auditors.    MSP engineers, management, and staff.
  Frequency    Reviewed annually.                   Updated after incidents or exercises.


Does Your Business Have a Plan in Place?

An Incident Response Plan is your business’s roadmap for calm under pressure. It turns your policy into coordinated action, helps your MSP move quickly, and ensures performance is measured and improved over time.

By aligning your plan with NIST CSF and SMB1001:2026, your business can respond confidently, recover faster, and maintain the trust of your clients and community.

If your business needs help to create an incident response plan, reach out to our team to discuss how we can help.
