Incident Response Plan Development

Today, you learn your company is experiencing a serious cyber incident. It could be a ransomware attack, a hacked O365 email account, the theft of PII or PHI, data exposure from misconfigured network settings. What is the first step you should take?
Contact Us

If a company has a detailed cybersecurity incident response plan (IRP) in place, it will be prepared to act promptly and effectively to protect its network, operations, and reputation. Whether a client wants to validate its existing IRP or develop their first plan, Kroll's experts can help.

Unrivalled Insight Built into Every Incident Response Plan

With a team of cybersecurity experts who respond globally to thousands of incidents each year, Kroll knows the risk landscape and has seen the value of being prepared.

When helping clients develop or validate an IRP, our methodology integrates our experts’ front-line experience investigating persistent and emerging cyber threats with recognised industry security standards, including the NIST Cybersecurity Framework and CIS Controls™, while also considering a client’s unique needs and concerns as well as any local, regional or industry regulations.

Our IRP support covers several key areas including:

  • Assembling the incident response team (IRT).
    Every organisation should have subject matter experts and key resources identified and in place to ensure coverage of specific incident-related issues.
  • Assigning IRT responsibilities.
    An effective response plan will outline the role of everyone on the IRT and ensure their responsibilities are clearly defined.
  • Outlining technical protocols.
    The immediate impulse for most technical teams is to try to resolve an issue before escalating it, but this often results in the loss of crucial evidence that has hurt many organisations. Our experts provide guidance on the procedures for IT and security teams to follow when an issue is detected, including when to escalate the situation.
  • Determining authority to call an incident.
    An IRP should also include protocols for informing senior management, external partners like outside counsel and insurers, and regional or industry-specific regulators.
  • Establishing communications procedures and responsibilities.
    During a crisis, reliable communication is essential. Our incident response experts help organisations determine how the IRT will communicate if corporate email is no longer secure or becomes inaccessible due to ransomware. We also help clients identify and assign responsibility to specific team members for communication with external parties, including outside counsel, insurance providers, regulators, law enforcement, and media outlets.
  • Gathering and documenting pertinent information. 
    Kroll's experts help clients compile information that will become essential in the event of an incident. This typically includes technical diagrams and schematics and detailed contact information for key resources such as:
    • IRT members and any alternates
    • internal stakeholders (e.g., board members, management, and legal counsel)
    • Outside vendors or providers of specialty services (e.g., investigations, forensics and remediation, breach notification, crisis communications, and cyber insurance)
  • Setting a review and testing schedule.
    An IRP should not be considered a one-and-done exercise. Kroll helps clients develop a system and schedule for continual IRP updates and regular testing, depending on the complexity of the organisation and their data security needs.

Call for an Incident Response Plan Consultation Today

Having a robust IRP in place not only provides practical guidance to team members, it also signals to regulators, customers, investors, and other important stakeholders an organisation’s commitment to proactively addressing cyber threats. Take advantage of Kroll's extensive experience and expertise in responding to cyber incidents and be better prepared to respond to a cyberattack. For more information on developing a new incident response plan or testing and validating an existing plan, contact us today. 

Talk to a Cyber Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page.
Stay Ahead with Kroll

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Incident Response Plan Development

Today, you learn your company is experiencing a serious cyber incident. It could be a ransomware attack, a hacked O365 email account, the theft of PII or PHI, data exposure from misconfigured network settings. What is the first step you should take?

Incident Response Tabletop Exercises

Kroll’s field-proven incident response tabletop exercises provide a customised test of every aspect of an organisation’s cyber response plan.


Optimised Third-Party Cyber Risk Management Programmes

Manage risk, not spreadsheets. Identify and address cyber threats in third-party relationships to ensure compliance with regulations such as NYDFS, FARS, GDPR, etc.

Third Party Cyber Audits and Reviews

Kroll’s cyber audits and reviews ensure third parties handle sensitive data according to regulatory guidelines and industry standards.

FAST Attack Simulation

Safely perform attacks on your production environment to test your security technology and processes.