Policy, Plan, or Playbook? What Your Incident Management Process Should Really Look Like

“Sure – we have an incident response plan… somewhere.”

If that’s what comes to mind when someone asks about your incident management documentation, you're not alone.

At Talanos, we work with scaleups and mid-sized businesses every day. More often than not, when we first engage, they either don’t have an incident response plan at all, or the one they have is too vague to act on or too technical to follow in the heat of a crisis.

Most of the time, what’s missing isn’t intention or effort - it’s experience and structure.

The Five-Layer Document Series of Incident Management

Incident management works best when it’s layered, with each layer serving a distinct role, from big-picture strategy down to real-time execution. Here’s how we break it down:

1. Crisis Management Plan

First in the series is the organisation-wide crisis management plan. This is the document that guides leadership through any major business disruption. It's way broader than cyber, covering everything from natural disasters to reputational crises.

This is the plan that tells the CEO what to say to the press, outlines business continuity procedures, and brings legal and finance into the fold. A great resource on crisis communications can be found on the UK Government Communications Service website: https://gcs.civilservice.gov.uk/publications/crisis-comms-planning-guide/

Your Managed SOC provider doesn't own this document, but as a security partner we often contribute input where cybersecurity intersects with business operations - particularly when a cyber incident threatens service availability or customer trust.

2. Incident Management Policy

Next comes the incident management policy. This document defines what qualifies as a “cybersecurity incident,” who has the authority to declare one, and how the organisation governs its response. It’s a formal, strategic statement - typically owned by the customer - that sets the stage for more detailed operational plans.

It’s the kind of thing an auditor asks to see, not because it’s thrilling to read, but because it shows there’s a clear chain of accountability.

Legal and Regulatory Considerations

If your business operates in the UK or EU - or processes data belonging to individuals in those regions - you're subject to data protection laws like the UK GDPR, EU GDPR, and the Data Protection Act (DPA). These laws place strict requirements on how you handle personal data and on what you must do in the event of a security incident. For a more comprehensive view of the UK cybersecurity regulatory landscape, read our guide.

Most organisations will hold some form of personal data - whether that is employee records, customer information, or supplier contact details. Depending on your sector, there may also be additional industry regulations or contractual obligations around incident notification and reporting.

As a minimum, your incident response plan should include:

  • A clear definition of what counts as a reportable incident under GDPR and other applicable laws — including those involving third-party processors.
  • Guidance on when and how to involve legal counsel, especially in the early stages of an incident.
  • Documentation protocols - including preserving evidence, tracking actions taken, and ensuring decisions are recorded in case of regulatory review.

3. Incident Response Plan (IRP)

Where the policy grants authority, the IRP puts it into action. This plan outlines what happens when an incident occurs - who does what, when, and how. It defines key contacts, a severity matrix, escalation paths and criteria, communication protocols, and how different teams coordinate across incident lifecycle processes.

At Talanos, we frequently co-develop this document with customers, making sure it reflects real-world response capabilities and integrates cleanly with our outsourced SOC services. The IRP is the bridge between strategy and execution — the map you follow when time is short and pressure is high.

How the IRP Fits with BCP and DRP

Your Incident Response Plan (IRP) is one part of a broader resilience and continuity strategy. It focuses specifically on identifying, managing, and recovering from cybersecurity and information security incidents - such as data breaches, ransomware attacks, or insider threats. This includes a structured approach to cyber incident response.

But it's not the only document in play. Here’s how it connects with two other key plans:

| Plan | Focus | When It’s Activated | Overlaps with IRP |
|---|---|---|---|
| Business Continuity Plan (BCP) | Keeping essential business functions running during a disruption. | Broader disruptions - including cyber incidents, natural disasters, supply chain failures. | IRP may trigger BCP if the incident impacts critical operations (e.g. system downtime, customer communications). |
| Disaster Recovery Plan (DRP) | Restoring IT infrastructure and data after a major incident. | Typically post-incident - focuses on recovery and restoration. | IRP may hand off to DRP for restoration tasks (e.g. rebuilding servers, restoring backups). |

Think of it like this:

  • The IRP contains the playbook for handling the incident itself
  • The BCP ensures the business keeps going
  • The DRP helps you recover IT systems once the threat is contained

All three should align and reference each other - especially around roles, escalation paths, and communication protocols.

4. Incident Response Playbooks

Playbooks are key components of any robust cyber incident response plan. If the IRP is the map, then playbooks are the turn-by-turn directions. These documents dive into the technical specifics of different incident types - ransomware, phishing, insider threats, and more - and lay out exactly what steps to take, in what order, using which tools.

Talanos authors and maintains these playbooks. They're tailored to each customer’s environment, regularly updated based on threat intelligence, and followed closely during real-world incidents.

5. Battlecards

And finally, there are the battlecards - the fast, accessible reference sheets used during high-stress moments. While playbooks provide depth, battlecards prioritise speed. They represent a simple checklist of first steps to take across the incident response lifecycle. They’re designed for frontline responders who need just-in-time clarity - not a 30-page PDF.

Unlike some outsourced SOCs and MDR providers, Talanos often acts on behalf of its customers to stop an incident in its tracks. Battlecards provide authorisation for performing containment actions in the customer’s environment on their behalf, under strict pre-agreed conditions and within certain parameters. For guidance on how to select a Managed SOC provider that is proactive in its approach to cyber incident response, check out our tips for choosing the right SOC outsourcing partner.

Who Owns What

To make this series work, ownership has to be clear. Here’s how we draw the line:

| Document Type | Owner | Talanos Role |
|---|---|---|
| Crisis Management Plan | Executive team | Input where cyber risk intersects with business ops, such as regulatory cyber incident reporting. |
| Incident Management Policy | Customer | Advise and review as stakeholder. |
| Incident Response Plan (IRP) | Customer (with support) | Co-develop and align to SOC capabilities. |
| Incident Response Playbooks | Talanos | Author, maintain, and execute. |
| Battlecards | Talanos | Provide for frontline responders and as authorisation to contain incidents on behalf of customers. |

This shared responsibility means you're not doing it alone, but you remain in control.

Why You Need Incident Management Documentation

Incident management documentation isn’t just box-ticking for compliance (although it helps with that too). It's your safety net when something goes wrong.

If you're hit with ransomware, the crisis plan keeps your business moving. The IRP gets the right people involved. The playbook tells your team what to do next. And the battlecard helps them do it - even if they’re tired, stressed, or unsure. To learn about the other critical cybersecurity steps all growing businesses should adopt, read our blog here, or watch the video here.

Without preparation, people default to improvisation. That’s rarely a recipe for good outcomes.

What ‘Good’ Looks Like

We’ve pulled together a ready-to-customise Incident Response Plan template to help overstretched IT leaders build their own response series - no security degree required.

There's also a step-by-step Ransomware Playbook template that's ready to be used by security analysts and cyber incident responders.

You don’t need to write everything from scratch. We’ve done the heavy lifting for you.

Don’t Let the Breach Be the Wake-Up Call

Incident management isn’t just one document. It’s a system of clarity - and most organisations are missing at least one critical layer. Start with what’s practical. Build up over time. And when in doubt, remember that the middle of a breach is the worst possible time to realise you're unprepared.

Talanos is a specialist provider of managed cybersecurity services. Our experienced team come highly rated on Gartner Peer Reviews.

Book a consultation with an expert to explore how we can help you address the threats that put your organisation at risk.