Building a Cyber Security Incident Response Plan: A Comprehensive Guide
Cyber attacks aren’t just a possibility. They’re a growing certainty. In fact, according to the Australian Cyber Security Centre, over 87,400 cybercrime reports were filed in the 2023–24 financial year.
To put this in perspective, that’s one report every six minutes, with small and medium-sized businesses often bearing the brunt. That’s why having a Cyber Security Incident Response Plan (CIRP) matters. However, building an effective CIRP can feel overwhelming without the right guidance and support.
And that’s why we’ve put together this comprehensive guide. We’ll walk you through the key stages of a Cyber Security Incident Response Plan and show you how partnering with a Managed IT Services provider like ADITS can turn your plan from a document on the shelf into a real, operational defence.
What is a cyber security incident response plan?
A cyber attack can throw your entire business into chaos. Without a clear plan in place, your team is forced to react on the fly.
A Cyber Security Incident Response Plan is a documented, strategic approach that outlines how your business will detect, respond to and recover from a cyber incident. It gives you a clear action plan for different threat scenarios, from ransomware attacks and phishing scams to data breaches.
A strong CIRP helps your business:
- Minimise downtime and operational disruption.
- Reduce the impact of data loss or corruption.
- Strengthen legal, financial and reputational protection.
- Demonstrate to regulators and clients that you take cyber threats seriously.
Why your business needs a CIRP in 2025
Cybersecurity threats are evolving, and so too is the risk to Australian businesses. It’s no longer just tech giants and government agencies under attack. Today’s cybercriminals are targeting small and medium-sized businesses with growing frequency, often because they’re seen as easier targets.
New tactics like ransomware-as-a-service, AI-generated phishing emails, and supply chain breaches make attacks faster, stealthier, and harder to contain. And with regulatory pressure mounting, the cost of mishandling a breach can quickly escalate.
That’s why a CIRP is a key part of your cyber resilience strategy. Backed by a Managed IT Services provider like ADITS, your CIRP becomes a proactive, well-practised response, and not just a scramble when things go wrong.
The 9 steps of an ADITS cyber security incident response plan
No two incidents are exactly the same, but ADITS follows a proven nine-step process to make sure every response is fast, structured and effective. Here’s what that looks like:
1. Identification & initial response – Spot the threat and act fast
The first step is all about speed. As soon as something suspicious is detected, the Incident Response Coordinator is notified. ADITS performs a rapid initial assessment and classifies the incident, setting the stage for the right response.
2. Immediate containment – Isolate the risk
Once an incident is identified, the first priority is to stop it in its tracks. At ADITS, we isolate any impacted systems right away, cutting them off from the wider network so the issue can’t spread further. At the same time, we verify the integrity and availability of your backups. This makes sure they’re clean, secure and ready if recovery becomes necessary.
This step is all about creating breathing room. By containing the threat early and confirming that safe backups are on standby, your business can keep operating while the technical investigation and longer-term fixes are put into motion.
3. Technical response procedures – Tailored to the type of attack
After the immediate damage has been contained, ADITS shifts into problem-solving mode. This stage is about applying the right technical fixes based on the type of attack. Different threats call for different playbooks, which ensures the response is precise and effective. For example:
Managed Detection and Response (MDR) alerts
When monitoring tools detect a serious threat, the alert is escalated to Priority 1 and immediately assigned to a technician. From there, the issue is investigated and contained using ADITS’ MDR standard operating procedures.
Business Email Compromise (BEC)
If a mailbox has been hacked, ADITS jumps in with a clear step-by-step process to secure it again. That means:
- Resetting passwords
- Stripping out any sneaky forwarding rules
- Enforcing multi-factor authentication if it’s not already in place
- Cutting off active sessions, and
- Collecting evidence so nothing slips through the cracks.
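As an added example (not ADITS' code), the following Python check triages an exported list of inbox rules for the "sneaky forwarding rules" the clean-up above strips out, and reports each rule to remove and keep as evidence. The rule field names and the sample export are assumptions, loosely modelled on an Exchange Online inbox-rule export.

```python
# Added example (not ADITS' code): triage an exported list of inbox rules for
# the persistence patterns BEC clean-up removes. Field names are an assumption
# loosely modelled on an Exchange Online inbox-rule export; adapt to your export.
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com.au"}  # constructed: your own mail domains
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}  # rarely read by users

@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)   # ForwardTo / ForwardAsAttachmentTo
    redirect_to: list = field(default_factory=list)  # RedirectTo
    delete_message: bool = False                     # DeleteMessage
    move_to_folder: str = ""                         # MoveToFolder

def is_external(address: str) -> bool:
    """True when the address's domain is not one of our own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def suspicious_findings(rule: InboxRule) -> list:
    """Reasons a rule looks like BEC persistence; an empty list means clean."""
    reasons = []
    if not rule.enabled:
        return reasons
    targets = rule.forward_to + rule.redirect_to
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards/redirects to external: " + ", ".join(external))
    if rule.delete_message and targets:
        reasons.append("forwards then deletes, hiding the copy from the user")
    if rule.move_to_folder.lower() in QUIET_FOLDERS:
        reasons.append(f"moves mail into rarely checked folder '{rule.move_to_folder}'")
    return reasons

def triage(rules: list) -> dict:
    """Map rule name -> findings for rules to remove and preserve as evidence."""
    return {r.name: f for r in rules if (f := suspicious_findings(r))}

# Constructed sample export: one benign rule and two classic BEC rules.
SAMPLE_RULES = [
    InboxRule("Team newsletter", True, move_to_folder="Newsletters"),
    InboxRule(".", True, forward_to=["collector@mail-drop.invalid"], delete_message=True),
    InboxRule("Invoices", True, move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(f"REMOVE + keep evidence: {name!r}: {'; '.join(findings)}")
```

Record the flagged rules (name, targets, folder) before deleting them so the evidence step in the list above is not lost when the rule is removed.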
4. Incident documentation & reporting – Keeping track and keeping you informed
When a cyber incident happens, it’s easy for things to feel chaotic. That’s why ADITS keeps a detailed record of every action taken, using standard reporting templates to make sure nothing is missed.
Just as important is how updates are shared with your business. Communication is structured so the right people get the right information without being overwhelmed:
- Your Client Liaison (ADITS Account Manager) keeps day-to-day contacts and affected staff updated with clear, practical information.
- An Executive Sponsor (an ADITS executive) handles conversations with your C-suite or board when bigger picture issues come into play, like legal, reputational or strategic risks.
5. Severity assessment & escalation – Deciding how critical it is
Once the immediate risk is contained, the next step is working out just how serious the incident really is. This helps ADITS decide how quickly and with how many resources to respond.
To do this, we use a simple four-level priority system:
- P1 (Emergency) – a major breach or full system outage. These get immediate attention.
- P2 (Critical) – a serious malware infection or data breach. Response begins within 4 hours.
- P3 (Elevated) – a limited breach with a manageable impact. Addressed within 24 hours.
- P4 (Low) – a minor event with little or no impact. Handled within 48 hours.
This way, your business always knows the scale of the issue, how fast help is coming, and what to expect next.
6. Digital forensics & evidence collection (DFIR) – Going deeper if needed
In some cases, it’s not enough to just contain the threat. We need to dig deeper to understand exactly what happened. This stage looks at questions like: How did the attacker get in? Was any data stolen? Are there signs of ongoing access?
Before ADITS begins this kind of forensic work, your business chooses whether to proceed under Legal Professional Privilege (via your legal counsel) or without it. That way, you’re fully aware of the legal implications before anything moves forward.
7. Privacy & OAIC notification – Meeting legal obligations
If there’s a chance that personal or sensitive data has been exposed, we work with you straight away to figure out whether the incident needs to be reported to the Office of the Australian Information Commissioner (OAIC). If it does, the formal notification is normally your responsibility — though we can step in and handle it if you’ve asked us to.
8. External communications & vendor coordination – Managing third parties
Cyber incidents don’t always stop at your internal systems. Sometimes they involve external vendors, like your cloud provider, software partner, or another third party that supports your IT environment. Trying to manage all those conversations during an incident can be stressful and confusing.
ADITS steps in to take that weight off your shoulders. We contact the vendors directly, coordinate the response, and make sure they carry out the remedial actions needed to fix the issue. Just as importantly, we get written confirmation of the steps they’ve taken, so you have a clear record and peace of mind that nothing has been overlooked.
9. Post-incident review – Learning and strengthening
Once things have settled, ADITS runs a post-incident review with your team. We go over what happened, what worked, and what could be improved. Corrective actions are clearly documented and tracked, helping you come out of the experience with a stronger, smarter defence for the future.
Why partner with ADITS for incident response?
Tackling cyber threats on your own can stretch your resources thin, particularly without a dedicated security team. With ADITS IT Solutions, you gain more than just reactive support.
You get a strategic partner who helps you:
- Stay ahead of threats with continuous monitoring and real-time alerts.
- Strengthen your environment using proven security frameworks and tailored solutions.
- Respond swiftly and decisively when incidents strike, minimising disruption.
- Rebuild with confidence, backed by expert guidance and long-term protection strategies.
Final thought: Start before the storm hits
As you’ve seen, a solid incident response plan isn’t just an IT task. It’s a key part of keeping your business running when things go wrong. The faster and more confidently you can respond, the less damage you'll face and the quicker you’ll bounce back.
The best time to put a plan in place is before an incident hits. And the best partner to help you do that? A Managed IT Services provider who knows how to protect what matters most, like ADITS.
So, to get the ball rolling and safeguard your business for the long run, reach out to our friendly team today.