CAF – D1.a Response Plan

Incident Management Planning

• A documented Incident Management Plan should be maintained to outline how the organisation prepares for, detects, responds to and recovers from security incidents that may affect systems and services used to deliver managed services.
• The plan should be clear, accessible and understood across relevant teams.

Scope of the Incident Response Plan

• The plan should be informed by the organisation’s risk management process and consider the specific systems, data and services that support essential functions.
• It should cover the full incident lifecycle, including:

  • roles and responsibilities

  • escalation paths

  • communication requirements

  • coordination with suppliers

  • post-incident review

Integration with Wider Processes

• The incident response plan should be integrated with broader organisational processes such as:

  • business continuity

  • disaster recovery

  • supply chain management

• This ensures the response remains effective even when dependencies (e.g., infrastructure, hosting providers or key partners) are impacted.

Training and Awareness

• Relevant staff — including technical teams, service desk and managers — should be trained on their incident roles and responsibilities.

• Staff should be able to execute the plan when required.

Incident Communication

Incident communication procedures should ensure that appropriate internal and external stakeholders receive accurate and timely information. This may include clients, partners and regulators when required.

Reviewing and Updating the Plan

The Incident Management Plan should be reviewed periodically and updated when:

• risks change

• systems or services change

• threat conditions evolve

This ensures the plan remains current, comprehensive and understood across the organisation.