GuideUpdated 2026-07-1122 min readBy HubSecure Editorial TeamReviewed by security reviewers

Short summary

An incident response plan is not just a document — it is the operational capability your team exercises before a breach happens. This guide gives SMBs a structured, NIST-aligned IRP with communication templates and regulatory checklists, without requiring a dedicated security team.

  • Why GDPR, NIS2, DORA, and SOC 2 all mandate incident response capability.
  • The NIST 6-phase framework adapted for teams as small as 5 people.
  • Notification templates for regulators, clients, and press — ready to adapt.

How to Build an Incident Response Plan (SMB Guide with Templates)

A practical guide to creating an incident response plan for small and mid-size businesses — including the NIST 6-phase framework, role assignments for small teams, severity classification, ready-to-adapt notification templates for GDPR, clients, and press, and a tabletop exercise guide.

Written byHubSecure Editorial Team

Practical guides for secure client portals, RBAC, and regulated client operations security.

Reviewed byHubSecure Security & Compliance Review

Reviewed for technical accuracy, regulatory alignment, and practical applicability to SMB operations.

Last updatedJuly 11, 2026

Reflects GDPR Art. 33/34 obligations, NIS2 (effective 2024), DORA (effective Jan 2025), and NIST SP 800-61r3.

TL;DR

Why every SMB needs an incident response plan (and which regulations require it)

Small and mid-size businesses frequently assume that incident response planning is an enterprise concern — something for organisations with a dedicated CISO and a security operations centre. This is a costly misconception. Every regulated SMB is legally required to have documented incident response capability, and the regulatory penalties for failing to notify the relevant authority within the required timeframe can exceed the cost of the incident itself.

Here is the regulatory landscape as of 2026:

GDPR (UK and EU)

Article 32 of GDPR requires controllers and processors to implement technical and organisational measures to ensure an appropriate level of security, which explicitly includes "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." An IRP is not optional under GDPR — it is part of the baseline technical and organisational measures. Article 33 requires notification to the supervisory authority (the ICO in the UK, the relevant Data Protection Authority in each EU member state) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Article 34 requires direct notification to the individuals affected when the breach is likely to result in a high risk to those individuals.

NIS2 Directive (EU)

The Network and Information Security 2 Directive, which became enforceable across EU member states from October 2024, significantly expands the scope of mandatory incident reporting compared to the original NIS Directive. Under NIS2, covered entities — which now includes many mid-size businesses in sectors including digital infrastructure, managed services, financial market infrastructure, and professional services — must report significant incidents to their national competent authority within 24 hours of becoming aware (early warning), with a full incident notification within 72 hours, and a final report within one month. NIS2 penalties can reach €10 million or 2% of global annual turnover for essential entities.

DORA (EU Financial Services)

The Digital Operational Resilience Act, which became applicable from January 2025, requires financial services firms — banks, investment firms, insurance companies, payment institutions, crypto-asset service providers, and their ICT third-party service providers — to maintain comprehensive incident response and recovery capabilities. DORA mandates specific incident classification criteria, detailed reporting timelines (initial notification within 4 hours of classification for major incidents), and regular testing of digital operational resilience including threat-led penetration testing (TLPT) for larger firms.

SOC 2

The AICPA's SOC 2 framework, under the Availability and Security trust service criteria, requires covered organisations to have incident response procedures that include identifying, documenting, and addressing incidents. SOC 2 auditors will specifically test whether the IRP has been documented, whether staff have been trained on it, and whether it has been tested within the audit period. An undocumented or untested IRP is a finding that will prevent a clean SOC 2 Type II report.

The 72-hour clock starts when you "become aware" — not when you complete your investigation. A common and expensive mistake is treating the regulatory notification deadline as something that can wait until the investigation is complete. Under GDPR Article 33, the clock starts when you have reasonable grounds to believe a breach has occurred. You can — and should — submit an initial notification marked as provisional, updating it as the investigation progresses. Waiting for certainty before notifying is a breach of the notification obligation itself.

The 6 phases of incident response (NIST framework adapted for SMBs)

The National Institute of Standards and Technology (NIST) Special Publication 800-61 (Computer Security Incident Handling Guide) defines the authoritative framework for incident response. It is a US government standard, but it is widely adopted globally and is the framework referenced by SOC 2, most cyber insurance underwriters, and many national incident response guidelines. NIST SP 800-61r3, updated in 2024, organises incident response into six phases. Here is how each phase works for an SMB without a dedicated security team.

Phase 1
Prepare

Build your IRP before an incident happens. Assign roles, create templates, establish communication channels, and run exercises. Everything you do before an incident determines how well you perform during one.

Phase 2
Identify

Detect that an incident has occurred and determine its scope. What systems are affected? What data is involved? What is the severity classification? The faster you can answer these questions, the better your containment will be.

Phase 3
Contain

Stop the bleeding. Isolate affected systems to prevent the incident from spreading, while preserving evidence for later investigation. Short-term containment (isolate the affected system) and long-term containment (apply controls to prevent recurrence) are distinct steps.

Phase 4
Eradicate

Remove the root cause. Delete malware, revoke compromised credentials, patch the exploited vulnerability, close the misconfigured access. Do not recover before eradicating — restoring a system before removing the attacker's foothold puts you back to square one.

Phase 5
Recover

Restore normal operations from clean backups or rebuild affected systems. Verify that systems are fully functional and that the attacker has been removed before returning to production. Monitor intensively for 30–60 days post-recovery.

Phase 6
Lessons Learned

Conduct a post-incident review within two weeks of resolution. What happened? Why? What would have changed the outcome? Document improvements and update the IRP. This phase is what turns an incident into an investment in resilience.

Phase 1: Prepare — what this looks like in practice for a small team

Preparation is where most SMBs fall short. The IRP document exists, but it has never been tested, the contact numbers are out of date, and the team has never practised their roles. Effective preparation requires five concrete outputs:

  1. A documented IRP with current contact details — names, personal mobile numbers (not just office numbers), and backup contacts for every role. This document must be accessible even when your primary systems are down (print copies and an offline/out-of-band copy stored in a password manager or secure offline location).
  2. Pre-approved communication templates — internal notification, regulatory notification, client notification, and press statement. These must be reviewed and approved by legal and senior leadership before an incident occurs. Drafting them under pressure leads to inaccurate disclosures and legal risk.
  3. A tested backup and recovery procedure — backups that have never been tested are not backups, they are archives of unknown reliability. Test recovery from backup at least quarterly.
  4. An out-of-band communication channel — if your primary email and messaging are compromised, how does the incident response team communicate? A separate Signal group, a personal mobile number chain, or a pre-established conferencing number should be designated and tested.
  5. A relationship with an incident response retainer or managed security provider — for most SMBs, a cyber incident will exceed internal technical capacity within hours. Having a pre-negotiated retainer with an IR firm means you can escalate immediately rather than spending critical hours searching for a vendor during a live incident.

Building your incident response team (even with 5 people)

Many SMBs assume they cannot build a proper incident response team because they do not have dedicated security staff. The reality is that incident response roles do not require specialised security engineers — they require designated individuals who know their responsibilities and have practised them. A 5-person team can cover all necessary IRP roles.

The core roles in an SMB incident response function are:

Role assignments and escalation matrix

Role Responsibility during incident Typical SMB title Backup person When to escalate to them
IR Lead Declares incident, coordinates response, makes key decisions, runs post-incident review IT Manager / Ops Director Deputy Ops Director or CEO If IR Lead is unavailable or incident is P1
Technical Lead Executes containment, forensic preservation, eradication, and recovery actions Senior IT / External MSP External IR retainer If internal technical capacity exceeded (typically within 2 hours of a P1)
DPO / Compliance Lead Assesses personal data scope, prepares regulatory notifications, advises on legal obligations DPO (internal or external) External data protection solicitor Within 2 hours of incident declaration if personal data is involved
Communications Lead Drafts and approves all external communications, manages media enquiries, coordinates with PR MD / CEO / Marketing Director Operations Director As soon as client or reputational impact is identified
Legal Counsel Reviews client notifications for legal accuracy, advises on privilege, manages enforcement risk External solicitor (data protection) Secondary external counsel Before any external notification is sent
Senior Leadership / Board Approves major decisions (system shutdown, public disclosure, regulatory engagement) CEO / Board Chair (if CEO unavailable) For all P1 incidents; for P2 within 4 hours of declaration

Severity classification (P1–P4)

Consistent severity classification ensures that the correct level of response is triggered immediately. Without a pre-defined classification system, teams either over-respond to minor events (causing alert fatigue) or under-respond to serious incidents (causing regulatory breach). The following P1–P4 framework is aligned with common practice and the materiality thresholds referenced in DORA and NIS2.

Severity Definition Examples Response time Regulatory notification?
P1 — Critical Confirmed breach of personal data with significant risk to individuals; ransomware affecting production systems; confirmed unauthorised access to client financial data Ransomware encryption of client file server; credential compromise leading to exfiltration of client records; unauthorised access to banking system Immediate — IR team convenes within 30 minutes Yes — ICO/DPA within 72 hours; clients per Art 34 if high risk
P2 — High Potential breach requiring investigation; significant system compromise without confirmed data exfiltration; suspicious access patterns that cannot be quickly explained Suspicious large data download by departing employee; phishing attack with confirmed credential entry; unrecognised admin account created in production system IR Lead notified within 1 hour; team convenes within 2 hours Provisional notification likely — assess within 24 hours
P3 — Medium Security event requiring investigation but with no confirmed breach or data impact; policy violation; successful phishing simulation failure by multiple users User clicked phishing link but no payload executed; lost laptop (encrypted, remote-wipe completed); accidental internal document sent to wrong internal recipient IR Lead notified within 4 hours; investigation completed within 24 hours Likely no notification — document risk assessment
P4 — Low Minor security event with no data impact and no operational disruption; informational only Failed brute-force attempt blocked by firewall; spam email flood (no payload); user attempted to access a resource they were correctly denied Logged and reviewed within 48 hours by IT team No notification required — log for trend analysis

Important: P1 and P2 incidents must be documented from the moment of detection — time-stamped notes of every action taken, decision made, and communication sent. This documentation is what the ICO or relevant regulator will review if enforcement action follows. If it was not written down in real time, regulators will treat it as if it did not happen.

Communication templates

Pre-approved templates are the single highest-leverage preparation action your organisation can take. The following templates are provided as starting points — they must be reviewed by your DPO and legal counsel before an incident occurs, and adapted to reflect your organisation's specific regulatory context, client relationship model, and jurisdiction.

Template 1: Internal incident notification (to all staff)

Internal notification — adapt and send within 2 hours of P1/P2 declaration

Subject: Important security notice — action required

Dear team,

We are currently investigating a security incident affecting [DESCRIBE SYSTEMS — e.g., "our email system" / "our client file server"]. This notice is being sent to make you aware of the situation and to provide immediate guidance.

WHAT YOU MUST DO RIGHT NOW:
1. Do not access [AFFECTED SYSTEMS] until further notice.
2. Do not discuss this incident externally — with clients, press, or on social media.
3. If you receive any unusual requests related to client data or system access, forward them immediately to [IR LEAD NAME] at [PERSONAL MOBILE NUMBER] without acting on them.
4. If you believe you have any information relevant to this incident, contact [IR LEAD NAME] immediately.

We will provide an update by [TIME]. Please do not respond to client enquiries about system availability — all client communications will be handled centrally.

[IR LEAD NAME]
[DATE AND TIME]

Template 2: Regulatory notification — GDPR Article 33 (to supervisory authority)

Article 33 notification to ICO — must be submitted within 72 hours of becoming aware. Submit via the ICO's online reporting tool. This template covers the required information fields.

Organisation name: [FULL LEGAL NAME]
ICO registration number: [ZA NUMBER]
Contact: [DPO NAME], [EMAIL], [PHONE]

Nature of the personal data breach:
On [DATE AND TIME], we became aware of [DESCRIPTION OF INCIDENT — e.g., "unauthorised access to our client management system"]. The breach occurred on or around [ESTIMATED DATE OF BREACH]. We identified the breach on [DATE AND TIME].

Categories and approximate number of data subjects concerned:
Approximately [NUMBER] data subjects are affected. Categories of personal data include: [LIST — e.g., names, email addresses, financial information, identity documents].

Categories and approximate number of personal data records concerned:
[NUMBER] records.

Name and contact details of the DPO or other contact point:
[DPO NAME], [EMAIL], [PHONE]

Likely consequences of the personal data breach:
[DESCRIBE — e.g., "Risk of identity fraud, financial loss, or reputational harm to affected data subjects."]

Measures taken or proposed to address the breach:
[DESCRIBE CONTAINMENT ACTIONS — e.g., "We have isolated the affected system, revoked all active sessions, reset credentials for all affected accounts, and engaged an external incident response provider."]

Note: This notification is provisional. We will submit an updated notification as our investigation progresses. We expect to have a fuller picture by [DATE].

Template 3: Client notification — GDPR Article 34 (high-risk breaches)

Article 34 client notification — required only where breach is likely to result in HIGH RISK to individuals. Review with DPO and legal counsel before sending. Do not send without legal review.

Subject: Important notice regarding your personal information

Dear [CLIENT NAME],

We are writing to notify you of a security incident that may have affected your personal information held by [ORGANISATION NAME].

What happened:
On [DATE], we discovered that [PLAIN LANGUAGE DESCRIPTION — e.g., "an unauthorised person may have gained access to our client file system"]. We immediately [DESCRIBE CONTAINMENT ACTIONS]. We have notified the [ICO/relevant DPA] as required by law.

What information may have been affected:
The information that may have been accessed includes: [LIST — e.g., your name, email address, and [other specific data held for this client type]].

What we have done:
[DESCRIBE ACTIONS — e.g., "We have contained the breach, revoked all unauthorised access, reset system credentials, and engaged specialist security advisers to conduct a full investigation."]

What you should do:
We recommend that you: [SPECIFIC ACTIONS RELEVANT TO THE DATA TYPE — e.g., for financial data: "Monitor your bank accounts and credit reports for any unusual activity and report any suspicious transactions to your bank immediately." For identity documents: "Be alert to any unexpected identity checks, credit applications, or communications purporting to be from financial institutions."]

If you have questions:
Please contact [DPO NAME OR DESIGNATED CONTACT] at [EMAIL] or [PHONE]. We will respond within [TIMEFRAME — 1 business day for P1 incidents].

We sincerely apologise for this incident and for any concern it causes. We are committed to keeping you informed as our investigation progresses.

[SIGNATORY — ideally MD or CEO for high-risk breaches]
[DATE]

Template 4: Press statement (if media enquiries arise)

Press statement — use only if media enquiries are received. Do not issue proactively for P3/P4 incidents. Review with legal counsel and PR adviser before any release.

[ORGANISATION NAME] is aware of a security incident affecting [DESCRIBE SYSTEMS IN GENERAL TERMS]. We identified the incident on [DATE] and immediately implemented our incident response procedures.

We have notified the [ICO / relevant regulatory authority] as required and are cooperating fully with any investigation. We have also notified affected individuals directly.

The security and privacy of our clients' information is our highest priority. We are conducting a thorough investigation with the assistance of specialist security advisers and will implement any additional measures identified as a result.

We are not able to provide further comment while the investigation is ongoing. We will update this statement as appropriate.

Media enquiries: [COMMUNICATIONS LEAD NAME], [EMAIL], [DIRECT PHONE]

Tabletop exercise guide

A tabletop exercise is a facilitated discussion in which the incident response team walks through a simulated incident scenario in a meeting room — no systems are actually affected. It is the minimum viable testing method for organisations without dedicated security staff, and it is what SOC 2 auditors and cyber insurance underwriters expect to see evidenced.

How to run a tabletop exercise (90-minute format)

Step 1 — Choose a scenario (10 minutes before the session): Select a realistic scenario based on your most likely threat vectors. Good SMB scenarios include: ransomware affecting your file server over a weekend; a phishing attack that compromised a staff member's email account and was used to send fraudulent payment instructions to clients; or a former employee accessing a client portal after their access should have been revoked.

Step 2 — Introduce the scenario (10 minutes): The facilitator (IR Lead or an external consultant) describes the initial discovery: "It is Monday morning. Your IT provider has called to say they cannot connect to the file server and are seeing ransom notes on the desktop. What do you do first?"

Step 3 — Work through the phases (60 minutes): The facilitator injects new information every 10–15 minutes (the attacker is also in the email system; the incident occurred three days ago, not this morning; a journalist has called asking for comment). The team discusses what they would do at each stage, who they would contact, what decisions need to be made, and what templates they would use.

Step 4 — Debrief (20 minutes): What went well? What was unclear? Where were the gaps in the IRP? What information was missing when you needed it? Document findings and assign owners for each improvement action.

Tabletop exercises should feel uncomfortable. If everyone agrees on every decision and nobody is uncertain about who does what, the scenario is not realistic enough. A good facilitator will inject dilemmas: "The DPO says you need to notify clients, but legal counsel says the notification could create litigation risk. Who makes the call?" That is a real decision that needs a pre-established answer.

Testing cadence

Tool requirements for SMB incident response

You do not need an enterprise security operations stack to respond effectively to incidents. These are the minimum tool categories an SMB incident response capability requires:

Logging and audit trail

Every system that holds or processes client data — your client portal, CRM, email platform, file storage — must produce access logs that are centralised and retained for at least 12 months (longer for regulated sectors). Without logs, you cannot determine what data an attacker accessed, when, or for how long. This is the single biggest evidence gap in most SMB incident investigations. Microsoft Sentinel (or the free Microsoft Defender for Business log collection) and Google Chronicle are accessible options for SMBs.

Endpoint detection and response (EDR)

Every managed device should have an EDR agent installed. Microsoft Defender for Business (included in M365 Business Premium) provides enterprise-grade EDR at an SMB price point. CrowdStrike Falcon Go and SentinelOne Singularity are strong alternatives. An EDR tool provides the telemetry you need to understand how an attacker moved through your environment.

Backup and recovery

The 3-2-1 rule remains the standard: 3 copies of data, on 2 different media types, with 1 copy offsite and offline (air-gapped from your network). For most SMBs, this means your primary SaaS systems (Microsoft 365, Google Workspace) plus a daily backup to an immutable cloud storage provider (Backblaze B2, AWS S3 with Object Lock, or Azure Blob Storage with immutability policies). The backup must be tested — untested backups are not backups.

Out-of-band communications

Signal (end-to-end encrypted) for an incident response group containing all IR team members. Personal mobile numbers for all team members and key external contacts (DPO, legal counsel, IR retainer). A pre-arranged bridge number for conference calls that does not depend on your primary telephony.

Incident tracking

A simple shared document or incident log (even a Google Doc or Microsoft SharePoint page accessible from personal devices) where the IR Lead records a time-stamped chronology of events, decisions, and actions during the incident. This record is what regulators will review and what supports your Article 33 notification.

Common IRP mistakes

Mistake 1: The IRP is a document that no one has read. A written IRP that was never tested and that most of the IR team has never reviewed is not an operational capability — it is a compliance artefact. If your team cannot walk through the core actions without referring to the document, the document is not working.

Mistake 2: Waiting for full investigation before notifying regulators. As covered above, the 72-hour GDPR clock starts when you become aware of a likely breach — not when the investigation concludes. Submit a provisional notification, clearly marked as preliminary, and update it as facts emerge. Regulators consistently treat proactive notifiers more favourably than those who delay notification while "completing their investigation."

Mistake 3: Sending client notifications without legal review. A client notification that makes incorrect factual claims, overstates the scope of the breach, or inadvertently admits liability can create significant legal exposure. Every client notification under Article 34 must be reviewed by legal counsel before it is sent. This is why pre-approved templates reviewed before an incident are so important — they dramatically shorten the review time during the incident.

Mistake 4: Recovering systems before eradicating the attacker. Restoring from backup without first removing the attacker's persistence mechanisms — backdoors, compromised credentials, rogue admin accounts, malware that survives the restore — means you restore an infected environment. Eradication must be completed and verified before recovery begins.

Mistake 5: No post-incident review. The lessons-learned phase is the phase most SMBs skip. The reason is understandable — by the time recovery is complete, the team is exhausted and relieved it is over. But the lessons-learned review is what converts a painful incident into a resilience investment. Block two hours within two weeks of incident closure. Document what worked, what did not, and what specific IRP improvements will be made before the next incident. Without this step, you will make the same mistakes in the next incident.

The most dangerous IRP mistake: not having one. A Ponemon Institute study found that organisations with a tested incident response plan reduced the average cost of a data breach by 35% compared to those without one. The cost difference is partly the direct cost of response (without a plan, teams are less efficient), partly the regulatory penalty (regulators treat documented, tested IR capability as a mitigating factor), and partly the reputational cost (a structured, professional response to an incident is materially better than an improvised, chaotic one from the perspective of clients and press).

Frequently asked questions

How long should our incident response plan document be?

Length is not the goal — usability is. An IRP that is 80 pages long and cannot be navigated under pressure is worse than a 15-page document that everyone has read and that contains the information the team actually needs during an incident. The minimum viable IRP contains: a severity classification table, the role matrix with current contact details, containment checklists for your most likely incident types (ransomware, credential compromise, accidental disclosure), the communication templates, and a chronological log template. If your full IRP document is more than 30 pages, extract a 2–3 page "quick reference card" that contains only the information needed in the first four hours. That quick reference card is what gets used during the actual incident.

Do we need to notify clients for every security incident?

No — GDPR Article 34 requires notification to data subjects only when a breach is likely to result in a high risk to their rights and freedoms. Not every security incident meets this threshold. The DPO must assess each P1 and P2 incident against the Article 34 test: what is the nature of the data? What harm could realistically follow for affected individuals? What mitigating factors exist (encryption, rapid containment)? This assessment must be documented. Where the threshold is not met, you still document the incident internally and record the basis for your decision not to notify. The ICO can later review your decision-making — documented reasoning is far better than no reasoning.

What is the difference between an incident response plan and a business continuity plan?

They are related but distinct. An incident response plan (IRP) covers how you detect, contain, eradicate, and recover from security incidents — its primary focus is the security event and its regulatory obligations. A business continuity plan (BCP) covers how you maintain or restore critical business operations during any significant disruption — including non-security events like key staff illness, office loss, or supplier failure. Your IRP should feed into your BCP: the recovery phase of the IRP connects directly to the BCP's restoration procedures. Regulated firms typically need both documents, and both need to be tested. If you only have resource to build one first, start with the IRP — the regulatory obligations around incident response are more immediately enforceable than those around business continuity for most SMBs.

What should we do immediately after discovering a potential breach, before we have classified the severity?

Three things immediately: preserve evidence (do not switch off affected systems without guidance from your Technical Lead — powered-off systems destroy volatile memory forensics); stop the obvious bleeding (if you know an account is compromised, reset its credentials; if a device is actively exfiltrating data, isolate it from the network); and convene your IR team. Do not wait until you know the full scope before gathering the team — the first 30 minutes of a real incident are almost always information-gathering under uncertainty. The IR Lead declares an incident when there are reasonable grounds to believe one has occurred, not after confirmation. Acting on a suspected P1 that turns out to be a P3 costs you an afternoon. Failing to act on a real P1 because you were waiting for certainty costs you the regulatory notification window.

How do we handle incidents that involve our third-party service providers (cloud vendors, MSPs)?

Third-party incidents are one of the most challenging scenarios for SMBs. If your cloud provider, payment processor, or managed service provider suffers a breach that affects your client data, you are still the data controller under GDPR — you still have the notification obligation, even though the breach occurred on a third party's infrastructure. Your GDPR Data Processing Agreements (DPAs) with each sub-processor must include an obligation for them to notify you promptly upon becoming aware of any breach affecting your data. Review all your supplier DPAs and confirm this obligation exists. If a supplier cannot produce a DPA containing breach notification obligations, that is a significant compliance risk that needs to be resolved before a breach occurs, not after. Your IRP should have a specific scenario covering "third-party supplier breach" with the actions your team takes when you are dependent on the supplier's timeline and information.

HubSecure includes incident management as part of your compliance workspace

HubSecure's incident management module provides structured incident logging, evidence preservation, regulatory notification tracking, and post-incident review workflows — built into the same platform as your client portal, AML, and audit trail. See how it works in a real regulated environment.

Book a demo

Reviewed for regulated teams

Prepared by the HubSecure editorial team for compliance officers, IT managers, DPOs, and operations leads at regulated SMBs building incident response capability.

Authors · Reviewers · Editorial policy

Next useful pages

Continue the workflow evaluation

These links connect this page to the most relevant buyer, migration, template and signup paths.

security and trust centerAML & compliancesecure client portalcompliance CRMguides
Canonical hubs

Source-of-truth pages for this topic

These hub pages tell buyers and search engines how this page fits into the wider HubSecure information architecture.

Recommended next step

Continue the evaluation path

After building your incident response plan, the next step is ensuring your client portal and audit trail can support regulatory evidence obligations during an incident.