Incident Response Plan

Key Takeaways

  • Domain 4, Information Security Incident Management, carries 30% of the 150-question CISM exam, and the IRP is its operational backbone.
  • The six-phase incident lifecycle (Preparation, Identification/Detection, Containment, Eradication, Recovery, Lessons Learned) drives most IRP exam scenarios.
  • Containment strategy is selected before eradication; when both appear as answer options, preserving evidence and chain of custody outranks speed of service restoration.
  • ISACA rewards the manager who declares the incident, activates the team, and notifies stakeholders per a pre-approved plan rather than improvising.
Last updated: June 2026

What the Incident Response Plan Is

The Incident Response Plan (IRP) is the documented, management-approved set of procedures that an organization follows when a confirmed or suspected security event occurs. On the CISM exam it lives inside Domain 4, Information Security Incident Management, which carries 30% of the 150 multiple-choice questions on the four-hour exam (passing score 450 on the 200-800 scale). ISACA confirms the Exam Content Outline updates effective 3 November 2026, so verify which blueprint your study materials follow.

A CISM-grade IRP is not a runbook of commands. It answers governance questions: who has authority to declare an incident, how the Computer Security Incident Response Team (CSIRT) is staffed and activated, what severity thresholds trigger escalation, and which stakeholders (legal, HR, communications, regulators, executives) must be notified and when. The plan must be approved, version-controlled, and tested before an incident, because the worst time to design a response is during one.

The Incident Response Lifecycle

ISACA aligns its lifecycle closely with NIST SP 800-61. Memorize the order; exam questions hinge on which phase a described activity belongs to.

Phase                      | Core objective                     | Manager's deliverable
Preparation                | Build capability before incidents  | Approved IRP, trained CSIRT, tooling, contacts
Identification / Detection | Confirm an event is an incident    | Triage, severity classification, declaration
Containment                | Limit spread and damage            | Short-term and long-term containment choice
Eradication                | Remove the root cause              | Malware/account removal, vulnerability patch
Recovery                   | Restore systems to normal          | Validated restore, monitoring for recurrence
Lessons Learned            | Improve the program                | Post-incident review, metrics, plan updates

A frequent exam trap collapses containment and eradication: you contain first (isolate the host, block the account) to stop the bleeding, then eradicate the root cause, then recover. Recovery before eradication reinfects the environment.
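The phase ordering above, expressed as a small incident state machine that refuses out-of-order moves (recovery straight from containment, for instance) and logs every transition for the post-incident review. This is an added illustration, not ISACA or NIST material; the ticket id format and actor names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six lifecycle phases in the order the plan requires them.
# A declared incident starts at identification, since preparation precedes any incident.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

class PhaseOrderError(Exception):
    """Raised when a responder tries to skip a phase (e.g. recovery before eradication)."""

@dataclass
class Incident:
    incident_id: str                                 # hypothetical ticket id, e.g. "INC-0001"
    phase: str = "identification"
    timeline: list = field(default_factory=list)     # records that feed lessons learned

    def next_phase(self):
        """The only phase the plan allows next, or None once lessons learned is reached."""
        i = PHASES.index(self.phase)
        return PHASES[i + 1] if i + 1 < len(PHASES) else None

    def can_advance(self, target: str) -> bool:
        return target == self.next_phase()

    def advance(self, target: str, actor: str, note: str) -> str:
        """Move to `target` only if it is the phase immediately after the current one,
        recording who acted, when, and why so the timeline survives into the review."""
        if not self.can_advance(target):
            raise PhaseOrderError(
                f"{self.incident_id}: {self.phase} -> {target} is out of order; "
                f"next valid phase is {self.next_phase()}")
        self.phase = target
        self.timeline.append({"when": datetime.now(timezone.utc).isoformat(),
                              "phase": target, "actor": actor, "note": note})
        return self.phase
```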

Roles, Declaration, and Evidence

The incident response manager or CSIRT lead coordinates the response; the information security manager ensures the plan aligns with business objectives and reports to senior management and the board. Clear role definition prevents the classic failure where everyone assumes someone else has notified legal. Exam answers that assign ownership and follow the pre-approved escalation path beat answers that depend on a single heroic responder improvising.

Containment Strategy Selection

The IRP should pre-define containment options so the team is not debating during a crisis. Choose based on damage potential, evidence preservation needs, service availability, and time/resources. Common factors:

  • Criticality of affected assets and the data they hold
  • Need to preserve evidence for forensics, litigation, or law enforcement
  • Service availability the business can tolerate losing during containment
  • Likelihood of attacker detection if you act visibly

Evidence and Chain of Custody

When a scenario could involve prosecution or regulatory action, preserving evidence and maintaining chain of custody outranks the urge to wipe and rebuild quickly. Chain of custody documents who collected, handled, transferred, and stored each piece of evidence, with timestamps, so the evidence remains admissible. Pulling the network cable to isolate a host may destroy volatile memory evidence; the IRP must state whether forensic capture happens before isolation.
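One way to make a custody record tamper-evident, as an added example rather than any standard's prescribed format: each handling entry commits to the artifact's fingerprint and to the previous entry, so an edited, dropped, or out-of-sequence handoff, or a changed artifact, fails verification. Evidence ids and person names here are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    """Hash-chained custody log for one evidence item (constructed example)."""

    def __init__(self, evidence_id: str, artifact: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.artifact_hash = sha256_hex(artifact)   # fingerprint taken at collection
        self.entries = []
        self.record("collected", collected_by, collected_by)

    def record(self, action: str, from_person: str, to_person: str) -> str:
        """Append a handling event (collected, transferred, stored); returns its hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries),
                 "when": datetime.now(timezone.utc).isoformat(),
                 "action": action, "from": from_person, "to": to_person,
                 "evidence_id": self.evidence_id,
                 "artifact_hash": self.artifact_hash, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, artifact: bytes) -> bool:
        """True only if the artifact is unchanged, every entry still hashes correctly,
        the chain is unbroken, and each handoff starts with the previous holder."""
        if sha256_hex(artifact) != self.artifact_hash:
            return False
        prev, holder = "0" * 64, None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            if holder is not None and e["from"] != holder:
                return False   # custody gap: handled by someone who never received it
            prev, holder = e["entry_hash"], e["to"]
        return True
```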

Worked scenario: Ransomware is spreading from an HR file server. The strongest CISM answer is to isolate the affected segment per the approved IRP and notify the predefined stakeholders, not to immediately restore from backup (that is recovery, and it skips eradication and root-cause analysis, risking reinfection).

Detection Sources, Communication, and Management Reporting

Detection feeds the lifecycle, and a mature IRP names its sources so nothing is missed. Incidents surface from automated tooling such as a Security Information and Event Management (SIEM) platform, intrusion detection and prevention systems, endpoint detection and response agents, and antivirus alerts; from people, including help-desk tickets, employee reports of suspicious email, and external parties such as customers, partners, or law enforcement; and from third-party threat intelligence. A program that relies on a single channel routinely misses incidents that arrive through another.

The information security manager's job is to ensure these feeds funnel into a single triage point with defined coverage.
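A sketch of that single triage point, added here as an illustration and not any vendor's tooling: alerts from the sources named above arrive in different shapes, are normalised into one queue ordered by severity, checked against a declaration threshold, and any expected source that produced nothing is reported as a coverage gap. The alert formats, severity scale, threshold, hostnames and ticket number are all constructed.

```python
import json

# Hypothetical severity scale and declaration threshold; a real IRP pre-approves these.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DECLARE_AT = "high"
# Sources the plan says must feed triage; any that stay silent is a coverage gap to check.
EXPECTED_SOURCES = {"siem", "ids", "edr", "antivirus", "helpdesk", "threat_intel"}

def from_siem(raw: str) -> dict:
    a = json.loads(raw)   # constructed JSON shape: host, rule, sev
    return {"source": "siem", "asset": a["host"], "summary": a["rule"], "severity": a["sev"].lower()}

def from_edr(raw: str) -> dict:
    host, detection, sev = raw.split("|")   # constructed "host|detection|severity" line
    return {"source": "edr", "asset": host, "summary": detection, "severity": sev.lower()}

def from_helpdesk(raw: str) -> dict:
    # Human reports carry no machine severity; hold them at medium until an analyst rates them.
    return {"source": "helpdesk", "asset": "unknown", "summary": raw.strip(), "severity": "medium"}

PARSERS = {"siem": from_siem, "edr": from_edr, "helpdesk": from_helpdesk}

def triage(feed: list) -> dict:
    """Normalise mixed-source alerts into one queue ordered by severity, flag the ones
    that meet the declaration threshold, and list expected sources that sent nothing."""
    queue = []
    for source, raw in feed:
        rec = PARSERS[source](raw)
        rec["declare"] = SEVERITY[rec["severity"]] >= SEVERITY[DECLARE_AT]
        queue.append(rec)
    queue.sort(key=lambda r: SEVERITY[r["severity"]], reverse=True)
    reported = {r["source"] for r in queue}
    return {"queue": queue,
            "declare": [r for r in queue if r["declare"]],
            "silent_sources": sorted(EXPECTED_SOURCES - reported)}

# Constructed sample feed, not real alerts.
SAMPLE_FEED = [
    ("siem", '{"host": "hr-fs01", "rule": "mass file rename on HR share", "sev": "High"}'),
    ("helpdesk", "Ticket 1234: user reports documents on the HR share renamed to .locked"),
    ("edr", "ws-0417|ransomware-like file encryption behaviour|critical"),
]
```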

Internal and External Communication

The IRP must specify communication before an incident, not during. Internal communication keeps responders, management, and affected business units coordinated and avoids the chaos of duplicate or contradictory action. External communication is sensitive and must be pre-authorized: a single designated spokesperson speaks for the organization, legal reviews wording, and disclosure timing respects both regulatory deadlines and the integrity of any investigation. Premature public disclosure can tip off an attacker still inside the environment or create legal exposure.

Aligning the IRP With the Business

CISM repeatedly frames incident response as a governance function, not an IT function. The plan must connect to enterprise objectives, define roles with real authority, and produce the evidence and metrics management needs to make decisions and demonstrate due diligence. Three durable principles:

  • The plan is approved, owned, and funded by senior management, giving the team authority to act.
  • Decisions follow pre-defined criteria and escalation paths, so responders are not inventing process under stress.
  • Every incident generates records (timeline, actions, decisions, costs) that feed reporting, regulatory obligations, and program improvement.

A recurring exam pattern asks what the security manager should do first in a fresh incident. The best answer is usually to declare the incident and activate the response team per the plan, because that establishes coordinated authority before any technical action, rather than a lone responder beginning ad hoc remediation.

Test Your Knowledge

Malware is actively spreading from a compromised workstation. According to the incident response lifecycle, what should occur immediately after detection and triage?


An incident may lead to criminal prosecution. Which IRP consideration takes priority when the team begins responding?
