
Cyber attack response plan

Published: 07 Mar 2019

This guide provides an overview of a cyber attack response plan. Organisations of all sizes and types should download this plan today in readiness for when a cyber incident takes place. This will help reduce your business risk and improve business resiliency.

These days most organisations rely heavily on information technology. This means a cyber attack can seriously harm a business. However, the disruption caused by a cyber attack can be minimised if an organisation creates guidance documents, and tests and reviews a business resiliency plan (BRP).

A cyber attack response plan must form part of a BRP for organisations of any size, including small/medium-sized businesses. A key step to help reduce the impact of a cyber attack is to have an incident response team and a response plan in place. This guide will help you prepare.

1. Action Plan

The key stages of responding to a cyber incident are:

  • Containment – understanding the scope of the incident and forming the appropriate response team and communication channels.
  • Preservation – preserving log or (IT) audit files that could be used later to help identify the cause of the incident, and creating an incident log. This record of the steps taken during the incident could potentially be used later by regulators or authorities if an investigation is deemed necessary.
  • Eradication – taking the necessary technical steps to resolve the cyber incident. This may include implementing temporary processes or technology to ensure business continuity. These changes need to be reviewed once the initial incident has been resolved.
  • Recovery – taking the necessary steps to ensure normal operations are resumed. This may include testing of applications or systems before returning them to normal operations.
  • Lessons learned – once the incident has been resolved, a review team should convene to discuss any issues that were encountered during the incident. These lessons should be incorporated into the cyber attack response and business continuity plans as appropriate.

We have broken an example response plan down into its key components and stages, and colour coded the suggested actions to match these components.

2. Incident log

During a cyber attack event it is recommended that a log of all the major events and actions is maintained. This log helps to manage and coordinate the response to the incident. The log may also be used later as mitigating evidence if the incident were to be investigated by a regulator or supervisory body.

3. Reporting to the ICO

Not all cyber incidents need to be reported to the ICO, but those that do will have to be reported within 72 hours of becoming aware of the breach.

For advice on how to report a data breach to the Information Commissioner’s Office (ICO), and examples of what constitutes a data breach, see ICAEW helpsheet: GDPR – Data Breaches. The ICO advice on how to report a data breach can be found here.
