Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his comments on creating an incident response plan.
Most people at some point in their lives have had the experience of being let down by someone they thought would be there for them. Crisis has a tendency to reveal character, or lack of it, better than anything else. Who would you want to be assisting you in a crisis? For some people this can be a very uncomfortable question. It can feel like an admission of vulnerability or weakness. We shy away from such questions because they make us uncomfortable. However, the reality is that we will all be vulnerable and weak at some point in our lives. We make plans to deal with these scenarios and adapt them to the circumstances.
Businesses and their IT systems are no different in this regard. If there is a cybersecurity incident, there needs to be a plan in place that can be executed when the incident occurs. Any plan will only be as good as the people responsible for carrying it out.
A good place to start the process of developing an incident response plan (IRP) is the CyberSecure Canada learning hub. They have a fillable template with an example to get you started. You could also use an AI tool, but the result will be more generic and unlikely to meet the specific needs of your organization. Once you have completed this exercise, it is a good idea to speak to a lawyer to validate your plan. A lawyer or cybersecurity specialist can spot weaknesses, ask tough questions, and ensure that everyone is aware of their roles and responsibilities. Any plan is only a piece of paper if it is not actionable, so this step is key.
Here are the steps to develop your IRP.
Step 1: Understand Your Risk Landscape
Before you can respond to an incident, you need to understand what you are up against. Start by:
- Conducting a risk assessment: Identify your most valuable assets, potential threats, and vulnerabilities.
- Mapping out potential attack vectors: Think phishing, malware, insider threats, or supply chain compromises.
- Prioritizing risks: Use a risk matrix to determine which threats deserve the most attention based on likelihood and impact.
Step 2: Define Your Response Team
Your response plan is only as strong as the team behind it. Define roles and responsibilities clearly:
- Incident Response Manager: Oversees the process from start to finish.
- IT and Security Leads: Handle technical containment, investigation, and recovery.
- Legal/Compliance Advisor: Ensures all actions align with regulatory requirements.
- Communications Lead: Manages internal and external communication, including media inquiries and customer updates.
- HR and Executive Leadership: Involved when employee action or major business decisions are required.
Step 3: Create an Incident Classification Framework
Not all incidents are created equal. Classify incidents based on severity and impact to determine the appropriate response:
- Low Severity: Minor issues like spam or a phishing email that was reported before anyone acted on it.
- Medium Severity: Suspicious behavior or isolated malware infections.
- High Severity: Data breaches, ransomware attacks, or threats to critical systems.
Each classification should trigger a specific set of actions and escalation protocols.
Step 4: Build Your Incident Response Procedures
This is the heart of your IRP. Break down your procedures into six key phases (the widely used six-phase model, which maps onto the four phases of NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity):
- Preparation: Train your team, run tabletop exercises, and keep tools updated.
- Identification: Detect the incident through logs, alerts, or user reports, and confirm that it is a real incident rather than a false positive before escalating.
- Containment: Isolate affected systems to prevent further damage, while preserving logs and other evidence that the investigation (and any legal or regulatory process) will depend on.
- Eradication: Remove malware, close vulnerabilities, and clean up affected systems.
- Recovery: Restore systems and return to normal operations while monitoring for reinfection.
- Lessons Learned: Document everything. Conduct a post-incident review to improve your plan.
Step 5: Establish Communication Protocols
During a crisis, communication can make or break your response. Your plan should outline:
- Who communicates what and to whom
- How to notify affected parties and regulators, including the deadlines that the breach-notification laws applicable to your organization impose
- Pre-approved messaging templates
- Secure channels for internal coordination, out-of-band where possible, since the attacker may have access to your normal email and chat systems
Transparency, timeliness, and accuracy are key—especially when trust is on the line.
Step 6: Test and Update the Plan Regularly
A plan on paper isn’t enough. Run regular simulations to stress-test your IRP and ensure team members know their roles. Update your plan when:
- New threats emerge
- Your infrastructure changes
- Lessons are learned from real or simulated incidents
Think of your IRP as a living document—adaptable, flexible, and always improving.
Final Thoughts
A well-developed Incident Response Plan empowers your team to take decisive, coordinated action in the face of adversity. It protects your business, your customers, and your reputation. Building and refining your incident response plan can actually improve your daily operations, because you know your plans are robust and your team is resilient.
Rajen Akalu
647 299 5079
rajen@akalulaw.com