When was the last time you tested your incident response plan (IRP) to see how your business would react in the event of an incident? Whilst it may seem that your current plan has all the necessary threats covered, it is important to test your IRPs for potential gaps rather than trusting everything will go smoothly during an incident.

A detailed IRP helps you identify and mitigate any gaps that could be exploited. It needs to include relevant steps and precautions for all areas of the business, considering all aspects of people, processes and technology. As businesses grow and evolve, so do their security requirements. That’s why it’s vital that a detailed incident response plan is not just made – but tested regularly – to ensure it aligns with current business security needs. By stress testing the plan, you can see first-hand how effective it is and how people respond to their roles and responsibilities.

So, how do you test your incident response plan?

Depending on the size and complexity of the organisation, it can be difficult to know where to start, especially if you have a wide range of departments and teams to include in exercises. But exercising your plan doesn’t have to be an overcomplicated or lengthy process. Small, bite-sized exercises carried out regularly can help ensure your plan is consistently updated and teams are familiar with the process, helping you stay prepared.

Exercises to try could include:

  • Short, focused tabletop discussions of hypothetical scenarios.
  • Testing individual components periodically.
  • Review and analysis of past incidents or near-incidents.
  • Spontaneous micro-scenarios to test in-the-moment response.

After exercising your IRP, you should take the time to assess lessons learnt. Were there any bottlenecks which caused delays in the response during the simulated ‘incident’? Was any information unavailable, or did you face delays which could be streamlined in an updated plan? Any issues should be highlighted and reviewed to improve the process for future events.

If you want to practise your company’s incident response plans, the NCSC’s ‘Exercise in a Box’ is a valuable and free resource which provides organisations with numerous scenarios to work through, all based on common cyber threats and updated as threats evolve.

Additionally, we have outlined the four key stages of creating and implementing a successful incident response plan – Preparation, Practice, Response, Improvement – and included just a few questions to ask yourself at each stage to ensure your business is well prepared.

Preparation

  • Does my incident response plan align with other relevant management plans?
  • Have I clearly identified stages of incident severity in my IRP, so that staff and third parties understand what actions to take at each stage?
  • Do all staff know their roles and responsibilities, and has this been communicated effectively?

Practice

  • How is the severity of the incident determined? Is this clear to company staff and external parties? Do they know how to identify each level?
  • Are relevant contacts known to all relevant team members? Do they know who to contact when an incident occurs? And are these contacts accessible?
  • Did the plan provide enough guidance for timely, effective decision-making? Or did we encounter any delays or confusion which could be fixed?
  • Is there a hard copy of the plan stored in a safe location?

Response

  • Are there clear roles and responsibilities, and are the right actions and necessary steps being taken to address and resolve this incident quickly and effectively?
  • Are there clear lines of external and internal communication?
  • Are all the necessary contacts involved for the level of incident occurring?
  • Are there immediate actions we can take to contain the severity of the incident?
  • Are we documenting all the actions and communications in real time as evidence of our response and for future review?

Improvement

  • When was the last time our IRP was updated? Did we do it after the last incident? Or, if it’s been a while or we haven’t experienced an incident, is now the time to review and update our IRP in line with current cyber threats and business operations?
  • Did our plan, tools and training work effectively and as planned? Or did anything hinder our response that we could improve?
  • Have we identified how and why the incident occurred, and put processes and tools in place to prevent this from happening again?

For further information on incident management and how we can help your organisation prepare for and manage incidents, visit our Cyber Resilience page, or book a free 30-minute consultation with us for more detail.