Process Library

Security Incident Response

A disciplined response to a suspected security incident that contains the threat, preserves evidence, and meets disclosure obligations.

IT & Security · 6 steps
When to use

When a breach, account compromise, or data exposure is suspected.

Trigger
Runs when: a security incident (breach, account compromise, or data exposure) is suspected.

The procedure

6 steps

  1. Declare the incident and name a single security incident lead immediately; the lead owns decisions and communications until the incident is closed.
  2. Contain first: isolate affected accounts and systems to stop the spread, preferring reversible, evidence-safe actions (revoke sessions and credentials, block network access) over destructive ones (wipe, reimage, reboot) until evidence has been captured.
  3. Preserve evidence and logs before any change that could destroy them: export the relevant logs, take disk and memory images where possible, hash every copy, and record who collected what and when.
  4. Assess scope: which data, systems, and people are affected, and over what time window.
  5. Notify the required parties (regulators, customers, partners, insurers) on the legal and contractual timeline; neither over- nor under-disclose.
  6. Eradicate the attacker's access, recover services, then run a blameless review and harden against a repeat.
Outputs
  • A contained incident with preserved evidence
  • A scope assessment
  • Required notifications sent and a hardening plan
Tools
  • SIEM / logs
  • Identity / SSO
  • Incident channel
Note: Preserve evidence before you start fixing. The instinct to clean up first is the instinct that destroys the trail you need.
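As an added example for step 3 and the note above (not part of the original SOP or of OrgTP): a POSIX shell helper that copies the logs you will need into an evidence directory, hashes each copy, writes a sha256sum-compatible manifest and a chain-of-custody record, refuses to overwrite an existing collection, and can verify the copies later. The evidence directory and log paths in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example for step 3 of this SOP; it is not part of OrgTP or the page.
# Snapshot log files before any containment action that could alter them,
# hash every copy, and write a manifest plus a chain-of-custody record.
# The evidence directory and log paths below are illustrative assumptions.
#
# usage: preserve_evidence /srv/evidence/incident-001 /var/log/auth.log /var/log/syslog
#        verify_evidence   /srv/evidence/incident-001

# Portable SHA-256: GNU coreutils on Linux, shasum on macOS/BSD.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# preserve_evidence OUTDIR FILE...  copies each FILE into OUTDIR, appends
# "<sha256>  <name>" to OUTDIR/MANIFEST.sha256, records collector, time and
# host in OUTDIR/COLLECTION.txt, and makes the copies read-only. Missing or
# non-regular files are skipped with a warning rather than aborting the run.
preserve_evidence() {
  out="$1"; shift
  manifest="$out/MANIFEST.sha256"
  mkdir -p "$out" || return 1
  # Never overwrite an existing collection: evidence is append-only.
  if [ -e "$manifest" ]; then
    echo "refusing to overwrite existing evidence in $out" >&2
    return 1
  fi
  : > "$manifest" || return 1
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "skip: $f is not a regular file" >&2
      continue
    fi
    # Flatten the source path into a file name: /var/log/auth.log -> var__log__auth.log
    name=$(printf '%s' "$f" | sed 's#^/##; s#/#__#g')
    cp -p "$f" "$out/$name" || return 1
    h=$(_sha256 "$out/$name") || return 1
    printf '%s  %s\n' "$h" "$name" >> "$manifest"
  done
  printf 'collected_by=%s\ncollected_at=%s\nhost=%s\n' \
    "$(id -un)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" > "$out/COLLECTION.txt"
  chmod a-w "$out"/*
  return 0
}

# verify_evidence OUTDIR  returns 0 if every copy still matches its manifest
# hash, 1 (with the first mismatching name on stderr) otherwise.
verify_evidence() {
  out="$1"
  while read -r expected name; do
    actual=$(_sha256 "$out/$name") || return 1
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $name" >&2
      return 1
    fi
  done < "$out/MANIFEST.sha256"
  return 0
}
```

The manifest uses the two-space format that `sha256sum -c MANIFEST.sha256` accepts from inside the directory, so anyone with the collection can re-check it without this script. On a live host, capture volatile data (process list, network connections, logged-in sessions) into the same directory before any reboot, since those are the first things containment destroys.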

Use this SOP in OrgTP

Don't just download it. Drop this SOP onto a seat in OrgTP and every AI agent under that seat inherits and runs it at runtime — with the trigger, steps, outputs, and tools already filled in.