Cyber Incident Response Management

With cyber attacks continuing to make headlines, suffering a data breach is an imminent and real business threat faced by organisations. Failure to prepare for such an event can have both short- and long-term repercussions – and even prove fatal for some organisations.

The changing threat landscape

The ever-evolving cyber threat landscape means that organisations must consider internal as well as external threats. These include advanced persistent threats, amateur hackers, disgruntled employees and full-blown cyber warfare. 

With severe penalties for failing to protect information from cyber attacks and data breaches, the speed at which you identify and mitigate such incidents makes a significant difference in controlling your risks, cost and exposure.

Prepare for and respond to incidents 

Effective incident response processes will enable you to respond efficiently and effectively to data breaches, and mitigate any damage or penalties incurred as a result of the breach. 

With an effective incident response plan, you can detect incidents at an early stage and develop appropriate defences.

Stringent incident reporting requirements under the GDPR

In the case of serious breaches (those that are likely to result in a high risk to the rights and freedoms of individuals), the GDPR requires organisations to inform data subjects without undue delay, and their national supervisory authority within 72 hours of becoming aware of the breach.

Incident response planning mandated as part of all major cyber security programmes

Both ISO 27001 (the international information security standard) and ISO 22301 (the business continuity standard) require effective incident response management.

The PCI DSS (Payment Card Industry Data Security Standard) requires organisations to develop cyber incident response management plans, which need to be tested annually.

The obligation to report cyber incidents under the GDPR applies to all manner of organisations: private, public and government bodies alike.

Typical phases in a cyber attack

CREST describes the following three basic phases of a cyber attack, together with recommended countermeasures for each:

1. Reconnaissance

  Attack steps:
  • Identify target
  • Look for vulnerabilities

  Countermeasures:
  • Monitoring and logging
  • Situational awareness
  • Collaboration

2. Attack target

  Attack steps:
  • Exploit vulnerabilities
  • Defeat remaining controls

  Countermeasures:
  • Architectural system design
  • Standard controls (e.g. ISO 27001)
  • Penetration testing

3. Achieve objectives

  Attack steps:
  • Disruption of systems
  • Extraction of data
  • Manipulation of information

  Countermeasures:
  • Cyber security incident response planning
  • Business continuity and disaster recovery plans
  • Cyber security insurance

The top ten challenges in incident response management

Most organisations are inadequately prepared to respond to a cyber security incident – particularly a more sophisticated cyber attack – and often fail to address vulnerabilities across the three key domains of people, processes and technology.

The top ten challenges faced by organisations attempting to respond effectively to a cyber security incident are:

  1. Identifying a suspected cyber security incident;
  2. Establishing the objectives of an investigation and a clean-up operation;
  3. Analysing all available information related to the potential cyber security incident;
  4. Determining what has actually happened;
  5. Identifying what systems, networks and information (assets) have been compromised;
  6. Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted;
  7. Finding out who did it and why;
  8. Working out how it happened;
  9. Determining the potential business impact of the cyber security incident;
  10. Conducting sufficient investigation using forensics to identify those responsible.

Prepare, respond to and follow up on incidents

Utilising the CREST cyber incident response approach and drawing on the ISO 27001 and ISO 27035 standards, IT Governance can assist you in defining and implementing an effective prepare, respond and follow-up incident response approach, as outlined below.

Prepare:

  1. Conduct a criticality assessment;
  2. Carry out a cyber security threat analysis;
  3. Consider the implications of people, process, technology and information;
  4. Create an appropriate control framework;
  5. Review your state of readiness in cyber security incident response.

Respond:

  1. Identify cyber security incident(s);
  2. Define objectives and investigate the situation;
  3. Take appropriate action;
  4. Recover systems, data and connectivity.

Follow up:

  1. Investigate incident more thoroughly;
  2. Report incident to relevant stakeholders;
  3. Carry out a post incident review;
  4. Communicate and build on lessons learned;
  5. Update key information, controls and processes;
  6. Perform trend analysis.

How IT Governance can help

Identify, detect and contain incidents faster, mitigate the impact of an incident, and restore services in a trusted manner. You can never guarantee that an incident will not happen, but you can prepare an effective response plan and do all you can to minimise the impact of a breach when it does.

Get started with your incident response planning strategy today with support from IT Governance’s CIR team. Receive access to an experienced, dedicated technical team who are able to carry out sophisticated cyber security incident investigations quickly and effectively.

Speak to an expert

Please contact our team for more information on how IT Governance can help with your cyber incident response management.