
When’s the Last Time You Had an Objective Look at Your IR Plan?

  • Writer: derekdodds
  • Sep 16
  • 2 min read

As a keen sailor, I see the IR plan as the organisation’s lifejacket: you don’t want to put it on after you’ve already fallen overboard. We often hear analogies like this, but I still hear about too many organisations treating their IR plan as a “checkbox” document, written once, filed away, and only dusted off during annual audits. The real question is: will it hold up when you’re facing a real-world incident?


Test Before You Trust: Tabletop Exercises Matter

If your IR plan hasn’t been stress-tested with tabletop exercises, it’s essentially unproven. Simulated scenarios help uncover gaps, clarify roles, and expose assumptions. Importantly, these exercises shouldn’t be limited to your IT or security teams; leadership needs to be at the table too. Their participation boosts organisational readiness, strengthens communication channels, and often opens the door to additional budget and resources when gaps are identified.


Keep It Alive: Updating Beyond the Schedule

An IR plan should evolve as your business evolves. Major changes such as mergers, new technology deployments, expansion into new geographies, or onboarding new critical vendors should trigger an off-cycle review of your plan. Waiting until your next scheduled review leaves your organisation vulnerable to blind spots.


Define Roles, Responsibilities and Communication Flows

A good plan doesn’t just list names; it defines responsibilities, escalation paths, and decision-making authority. Equally critical is a clear communication flow: what happens if Microsoft Teams, Slack, or mobile services are down? Alternative communication channels, pre-arranged meeting points, and out-of-band contact details must be built into the plan. During an incident, time lost can amplify risk.


Don’t Overlook Third Parties

If third-party vendors, managed service providers, or partners play a role in your operations, they’re also part of your incident response chain. Your third-party risk management (TPRM) process should ensure they have appropriate response capabilities and that your contracts specify clear expectations for incident notification and collaboration.


A Continuous Cycle, Not a One-Off Project

Incident response isn’t a once-a-year exercise; it’s a living cycle of preparation, testing, response, learning, and improvement. Every incident or exercise should feed back into your plan, making it stronger and more aligned with your business realities.


Final Thought

An incident response plan only works if it reflects the reality of your people, your processes, and your partners. Taking an objective look, running realistic tests, and updating it regularly can mean the difference between a controlled incident and a costly crisis.




©2025 BY HOUSTON NETWORK SECURITY.
