How to Write a Cyber Incident Response Plan (Template for UK SMEs)
TL;DR – What you need to know before a breach happens
Only 22% of UK businesses have a formal incident response plan, yet organisations with a tested plan contain breaches 54 days faster and save an average of $1.49 million in costs (IBM Cost of a Data Breach Report 2024). This guide covers the six PICERL phases, UK GDPR Article 33 72-hour ICO reporting, a free template walkthrough, and how to run a tabletop exercise with your team.
Only 22% of UK businesses have a documented cyber incident response plan (DSIT Cyber Security Breaches Survey 2025, gov.uk). That means when a ransomware attack hits at 11pm on a Friday – and they do – most Scottish SMEs are improvising. Who do you call first? Do you shut the server down or preserve it for forensics? How many hours do you have left before the ICO notification deadline expires?
This guide explains what a UK SME needs to know: the structure to build that plan, the specific UK legal obligations you need to meet, and a template you can adapt today.
What Is a Cyber Incident Response Plan and Why Does It Matter?
A cyber incident response plan is a documented set of procedures your organisation follows when a security incident occurs, according to the DSIT Cyber Security Breaches Survey (2025). IBM’s Cost of a Data Breach Report 2024 found that organisations with a tested incident response plan contained breaches 54 days faster than those without – saving an average of $1.49 million (approximately £1.18 million) per breach (IBM Security, 2024). For a UK SME, that speed difference is the gap between a contained incident and a business-threatening one.
Without a written plan, your team faces paralysis under pressure. Security incidents are chaotic. People panic. Decisions get made that destroy forensic evidence. Systems get wiped before logs are preserved. The ICO 72-hour notification window under UK GDPR Article 33 starts ticking whether your team is ready or not.
A plan doesn’t need to be 50 pages. It needs to answer three questions for anyone in your organisation at 2am: what do I do right now, who do I call, and what must happen within 72 hours?
IBM’s Cost of a Data Breach Report 2024 found that organisations with a tested incident response plan contained breaches 54 days faster than those without, saving an average of $1.49 million in total costs. In the UK, the average cost of a cyber breach for a small business reached £1,510 in 2024 – 25 – up 93% from £780 in 2022 – 23 (DSIT Cyber Security Breaches Survey 2025). A documented plan is the single highest-return investment an SME can make in incident preparedness.
What Should a UK SME Incident Response Plan Include?
The standard framework for incident response is PICERL (NCSC, 2025) – six phases that work whether you’re a five-person Edinburgh accountancy firm or a 200-person Scottish manufacturer. The NCSC’s Cyber Incident Management guidance (ncsc.gov.uk) endorses this structure, and it maps directly onto your UK GDPR Article 33 obligations. The Verizon Data Breach Investigations Report 2024 found that 68% of breaches involved a human element – phishing, credential theft, or social engineering (Verizon DBIR 2024). That statistic shapes every phase.
Phase 1: Preparation
Preparation happens before any incident. It includes building your contact list, assigning roles, configuring logging and alerting, and verifying that backups work. The NCSC recommends organisations verify backup restoration at least quarterly (NCSC Small Business Guide, 2024). Most Edinburgh SMEs have backups. Far fewer have tested whether those backups actually restore within a realistic timeframe.
Phase 2: Identification
Identification is the moment you determine an incident has occurred. This is where the Article 33 clock starts. Many UK SMEs lose days here because no one has formal responsibility for declaring an incident. Your plan must name the person who makes that call – and give them clear criteria for making it without needing legal advice first.
Phase 3: Containment
Containment means stopping the spread. Short-term containment (isolate the affected device from the network) and long-term containment (preserve evidence, implement temporary fixes) are distinct steps. A mistake I see repeatedly with Edinburgh businesses is wiping compromised machines before any forensic evidence is collected. That destroys the audit trail the ICO may request.
Phase 4: Eradication
Eradication means removing the cause – deleting malware, closing the exploited vulnerability, resetting compromised credentials. Eradication must happen before recovery begins. Restoring systems from backup before you’ve removed the attacker’s access point is how you get breached a second time within days.
Phase 5: Recovery
Recovery is restoring systems to normal operation and verifying they’re clean. For UK GDPR purposes, this phase must include notifying affected individuals if the breach is likely to result in a high risk to their rights and freedoms (Article 34). That notification decision needs to happen in parallel with technical recovery, not after it.
Phase 6: Lessons Learned
A post-incident review within 2 – 4 weeks of resolution is how your plan improves. What did your team detect late? What evidence was missing? Did the 72-hour notification happen on time? Document the answers and update your plan. The NCSC recommends this review as standard practice for all UK organisations.
The NCSC’s Cyber Incident Management guidance recommends UK organisations follow a structured response cycle covering preparation, identification, containment, eradication, recovery, and a post-incident review completed within 2 – 4 weeks. The Verizon DBIR 2024 found 68% of breaches involved a human element – phishing, stolen credentials, or social engineering – confirming that preparation and staff awareness deliver the highest return at Phase 1. (NCSC, 2024; Verizon DBIR 2024)
Step-by-Step: How to Write Your Incident Response Plan
Industry incident response data (2025) and our own experience point the same way: the firms that actually test their IRP with a live tabletop exercise are the ones that survive a real incident without panic.
I’ve reviewed dozens of SME incident response plans, and the ones that fail in real incidents share a common flaw: they were written by someone technical for someone technical. Your plan needs to be usable by whoever picks up the phone at 2am – which might be the business owner, not the IT manager. Here’s the process I use with Edinburgh clients.
Step 1: Define What Counts as an Incident
Not every security alert is a notifiable incident. Document clear thresholds. Five hundred failed login attempts in two minutes is different from one. A laptop left on a train with full-disk encryption enabled is a different response level from an unencrypted device. Define three tiers – Low, Medium, High – with a concrete example scenario for each tier.
Step 2: Assign Roles Before You Need Them
Your plan needs four named functions: Incident Lead (coordinates the response), Technical Lead (handles containment and investigation), Communications Lead (manages internal and external messaging), and Data Protection Lead (owns the ICO notification decision). In a 10-person business, one or two people may cover all four. That’s fine – write it down.
Step 3: Build Your Contact List on Paper
Your list must include: your IT provider’s emergency number, your cyber insurance claims line, NCSC reporting at report.ncsc.gov.uk, the ICO portal at ico.org.uk/report-a-breach, and your legal adviser. Print it. Digital contact lists are useless when your systems are down.
Step 4: Write Your Escalation Decision Tree
The tree answers: when do we call the IT provider, when do we invoke the plan, when do we notify the ICO, when do we contact affected individuals? A yes/no flowchart for “does this involve personal data?” leading to “is there a likely risk to individuals?” is enough to trigger the right notifications without requiring legal expertise at midnight.
Step 5: Write Communication Scripts in Advance
Pre-written scripts for three scenarios save hours during a real incident: an internal staff notification, a client notification, and an ICO initial breach report. The ICO’s report form asks four specific questions under Article 33(3). Having draft answers ready means the 72-hour window doesn’t expire while someone writes from a blank page.
Step 6: Document Technical Response Procedures by Scenario
For each major incident type – ransomware, phishing breach, lost device, data exfiltration – document the first five actions your Technical Lead takes. Keep this to one page per scenario. More detail than that and it won’t be read during the incident.
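The Step 1 tiers and the Step 4 decision tree as working logic, an added example that is not part of the Virtually Pro template or this guide’s own material. The tier thresholds, the action wording and the two sample incidents are constructed assumptions; the 72-hour deadline is counted from the moment the Incident Lead declares the incident, and the last function is the Lessons Learned check “did the ICO report happen on time?”.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # UK GDPR Article 33(1): 72 hours from becoming aware


@dataclass
class Incident:
    description: str
    aware_at: datetime                  # when the Incident Lead declared the incident
    involves_personal_data: bool        # first GDPR trigger question (Step 4)
    likely_risk_to_individuals: bool    # second trigger question, Article 33
    high_risk_to_individuals: bool      # Article 34 threshold for telling individuals
    business_impact: str                # "low", "medium" or "high" (Step 1 tiers)


def classify(inc: Incident) -> str:
    """Map an incident onto the Low / Medium / High tiers from Step 1.
    The thresholds are illustrative assumptions, not the template's own."""
    if inc.high_risk_to_individuals or inc.business_impact == "high":
        return "High"
    if inc.involves_personal_data or inc.business_impact == "medium":
        return "Medium"
    return "Low"


def escalate(inc: Incident) -> tuple[str, list[str], datetime | None]:
    """Walk the Step 4 decision tree; return (tier, actions, ICO deadline or None)."""
    tier = classify(inc)
    actions = ["Record the event and the time it was noticed"]
    if tier in ("Medium", "High"):
        actions.append("Call the IT provider's emergency number")
        actions.append("Invoke the IRP: Incident Lead declares an incident")
    if tier == "High":
        actions.append("Open a claim on the cyber insurance line")
        actions.append("Report to NCSC at report.ncsc.gov.uk")
    ico_deadline = None
    # Article 33: the ICO is notified only if personal data is involved AND a risk is likely
    if inc.involves_personal_data and inc.likely_risk_to_individuals:
        ico_deadline = inc.aware_at + ICO_WINDOW
        actions.append(f"Notify the ICO at ico.org.uk/report-a-breach by {ico_deadline:%Y-%m-%d %H:%M %Z}")
        # Article 34: individuals are told only when the risk is high, in parallel with recovery
        if inc.high_risk_to_individuals:
            actions.append("Notify affected individuals (Article 34) alongside recovery")
    return tier, actions, ico_deadline


def ico_report_on_time(inc: Incident, reported_at: datetime) -> bool | None:
    """Lessons Learned check: None when no report was required, else whether it met the window."""
    _, _, deadline = escalate(inc)
    return None if deadline is None else reported_at <= deadline


def sample_incidents() -> dict[str, Incident]:
    """Two constructed scenarios taken from Step 1's examples (sample data, not real cases)."""
    friday = datetime(2025, 3, 7, 23, 0, tzinfo=timezone.utc)
    return {
        "ransomware": Incident("Ransomware on the file server holding client records", friday,
                               True, True, True, "high"),
        "encrypted_laptop": Incident("Laptop left on a train, full-disk encryption enabled", friday,
                                     True, False, False, "low"),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        tier, actions, deadline = escalate(inc)
        print(f"{name}: tier={tier}, ICO deadline={deadline}")
        for action in actions:
            print("  -", action)
```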
Free Downloadable Template Walkthrough
The Virtually Pro incident response plan template is structured across six sections, designed to be printed and stored physically as well as saved digitally (industry incident response, 2025). Here’s what each section contains.
Section 1 – Roles and Responsibilities. A table with columns for Role, Named Individual, Mobile Number, Deputy, and Authority Level. Authority level defines who can invoke the plan, authorise system shutdown, and own the ICO notification decision.
Section 2 – Emergency Contact List. Pre-formatted rows for your IT provider, cyber insurer, NCSC, ICO, legal adviser, key suppliers, and senior leadership. Includes the ICO breach portal URL and the NCSC’s 24-hour cyber incident helpline.
Section 3 – Incident Classification and Escalation Tree. A three-tier matrix (Low / Medium / High) with example scenarios and the escalation actions triggered at each level. Includes the two UK GDPR trigger questions: does this involve personal data, and is there a likely risk to individuals?
Section 4 – Response Checklists by Scenario. One-page checklists for ransomware, phishing breach, lost or stolen device, unauthorised access, and data exfiltration. Each checklist runs chronologically with a checkbox for each action and a time-stamping column – important when you’re documenting your response timeline for the ICO.
Section 5 – Communication Scripts. Pre-written templates for internal staff notification, client notification, and ICO breach report. The ICO template is structured around the four required elements under Article 33(3): nature of the breach, contact details, likely consequences, and measures taken.
Section 6 – Lessons Learned Log. A post-incident review template covering timeline of events, detection timing, response actions taken, what worked, what didn’t, and plan updates required.
ICO Reporting Obligations: What You Must Do Within 72 Hours
UK GDPR Article 33 requires you to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms (DSIT Cyber Security Breaches Survey, 2025). The ICO received over 12,400 data breach reports in 2023/24 (ICO Annual Report 2024). Late and missing reports are a consistent feature in ICO enforcement decisions.
What Your ICO Notification Must Include
Under Article 33(3) of UK GDPR, your report must provide:
- The nature of the breach – categories and approximate number of data subjects and records affected
- The name and contact details of your Data Protection Officer or relevant contact point
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
If you can’t supply all of this within 72 hours, provide what you can and state clearly that additional information will follow. The ICO accepts phased notifications.
ICO Enforcement Context
The ICO fined Police Scotland in early 2026, in part for failing to report within the mandatory 72-hour window (ICO Enforcement Register, 2026). Capita was fined £14 million in October 2025 for data security failures following its 2023 breach affecting 6.6 million people (ICO, 2025). Late notification is treated as an aggravating factor in fine calculations – meaning the notification failure adds to the penalty on top of the underlying breach.
The ICO can fine up to £17.5 million or 4% of global annual turnover under the higher tier of UK GDPR. For most Edinburgh SMEs, the realistic exposure is reputational damage, the cost of the investigation process itself, and mid-range fines in the region of £50,000 – £500,000 where notification failures accompany an SME-scale breach.
UK GDPR Article 33 requires organisations to notify the ICO within 72 hours of becoming aware of a personal data breach likely to result in a risk to individuals. The ICO received over 12,400 breach reports in 2023/24 and treats late notification as an aggravating factor when calculating fines. The maximum fine under the higher tier is £17.5 million or 4% of global annual turnover. The ICO fined Police Scotland in early 2026 in part for missing the 72-hour reporting window. (ICO Annual Report 2024; ICO Enforcement Register, 2026)
How to Test Your Cyber Incident Response Plan
According to the NCSC (2025), writing a plan is not enough. The NCSC recommends all UK organisations exercise their incident response capabilities at least annually (NCSC Exercise in a Box, 2024). A plan that’s never been tested is a plan you can’t rely on. I’ve sat in post-incident reviews where the written plan was contradicted by what people actually did – because nobody had read it since it was drafted two years earlier.
What Is a Tabletop Exercise?
A tabletop exercise is a facilitated discussion where your team works through a simulated incident scenario in real time. No systems are touched. The facilitator presents a scenario – “it’s Monday morning and your accounts manager has clicked a suspicious link, and her computer won’t open files” – and the team talks through their response step by step.
A tabletop takes 90 minutes and needs no external support or specialist tools. The NCSC’s Exercise in a Box service at exerciseinabox.service.ncsc.gov.uk provides free scenario packs for UK SMEs covering ransomware, phishing, and data exfiltration. It’s genuinely useful and completely free.
What a Tabletop Exercise Should Reveal
Three questions your exercise should answer. Does everyone know their role before being reminded? Does the team know when to call the ICO – and does anyone have the URL to hand? Is there confusion about who has authority to shut down a system or call the cyber insurer?
When I run tabletop exercises with Edinburgh clients, the most common gap isn’t in the technical response. It’s that non-technical staff – the receptionist, the office manager, the PA – have no idea what to do or who to call. Your plan must be intelligible to non-technical staff. If it isn’t, rewrite the first two pages until it is.
Beyond the Tabletop
After a successful tabletop, consider a technical simulation: restore a backup to a test environment to confirm actual recovery time. Have a member of staff attempt to identify phishing emails from a free NCSC test campaign. Knowing that 3 out of 12 staff clicked a simulated phishing link tells you exactly where to focus training – before a real attacker runs the same test.
The NCSC recommends UK organisations exercise their incident response capabilities at least annually. Its Exercise in a Box service provides free tabletop scenario packs for UK SMEs covering ransomware, phishing, and data exfiltration – requiring no specialist facilitation and no technical setup. Regular plan testing is consistently cited by the NCSC as a key factor in reducing breach detection and containment time. (NCSC Exercise in a Box, 2024)
Frequently Asked Questions
Do UK SMEs legally need a cyber incident response plan?
There’s no single law requiring a document named “cyber incident response plan,” but UK GDPR Article 32 requires appropriate organisational measures, Article 33 requires 72-hour breach notification, and Article 32(1)(c) specifically requires the ability to restore data after an incident. These obligations are only met with a documented plan. The ICO treats the absence of an incident response plan as an aggravating factor in fine calculations – with average ICO fines exceeding £2.8 million per case in 2025 (ICO, 2025).
What’s the difference between an incident response plan and a disaster recovery plan?
A disaster recovery (DR) plan focuses on restoring IT systems after any disruption – flood, hardware failure, or cyber attack. A cyber incident response plan covers security incidents specifically: containment of threats, evidence preservation, legal notification obligations, and communication with affected parties. They overlap but aren’t interchangeable. Your DR plan won’t tell you when to call the ICO. Edinburgh SMEs need both – start with the incident response plan, which addresses your UK GDPR obligations directly and is faster to build.
How long should an incident response plan be?
A plan your team will actually use should be no longer than 10 – 12 pages: a roles page, a contact list, an escalation decision tree, four or five scenario checklists, and pre-written communication scripts. Long plans get ignored under pressure. The test is whether any member of your organisation can pick it up at 2am and follow it without calling someone to explain it first.
What should I do first if I think I’m being attacked right now?
Don’t turn anything off yet. Take a photo of any error messages or ransom notes with your phone. Disconnect the affected device from the network by unplugging the ethernet cable or disabling Wi-Fi – but leave it powered on to preserve forensic evidence. Call your IT provider’s emergency number immediately. If personal data may be involved, note the exact time: your 72-hour ICO window under Article 33 may already be running.
How often should I update my incident response plan?
Review the plan at least annually. Also review it after any actual incident or near-miss, after a significant technology change such as a cloud migration, after staff changes that affect the named roles in the plan, and whenever the ICO publishes significant new enforcement guidance. Use the DSIT Cyber Security Breaches Survey – published each April at gov.uk – as a standing annual prompt.
Quick Comparison
| Security Control | Cost | Breach Prevention Impact | Priority |
|---|---|---|---|
| MFA on all accounts | Free (M365) | Blocks 99.9% of credential attacks | Critical |
| Email filtering + SPF/DKIM | Included in M365 | Reduces phishing by 70% | Critical |
| Endpoint detection (EDR) | From $5/user/month | Detects lateral movement | High |
| Staff security training | From $3/user/month | Reduces click-through by 65% | High |
What Are the Key Takeaways?
A cyber incident response plan isn’t a compliance document for the filing cabinet. It’s the difference between a contained 48-hour incident and a three-week recovery that costs you clients, data, and potentially an ICO fine. The 72-hour notification window under Article 33 doesn’t wait for you to draft a plan under pressure.
The six PICERL phases give you the structure. The template walkthrough in this guide gives you the content. The tabletop exercise gives you the confidence that it works. None of this requires a large budget or a dedicated security team – just a few hours of focused work and the discipline to test it once a year.
If you’re not certain your current plan would survive a ransomware attack on a Friday evening, that uncertainty is worth acting on before the incident that tests it.
Book a Free Incident Response Review
Not sure your plan covers your UK GDPR obligations or the 72-hour ICO reporting window? Virtually Pro offers a no-obligation 30-minute review for Edinburgh and Scottish SMEs – we’ll assess what you have, identify the gaps, and give you a plain-English priority list.
About the author: Kris Wiselka is Managing Director at Virtually Pro Ltd, an Edinburgh-based IT consultancy specialising in cyber security and managed IT for Scottish SMEs. Kris has helped Edinburgh businesses respond to ransomware attacks, phishing breaches, and data loss incidents across financial services, legal, and professional services sectors.