
How to build an incident response framework

Frameworks provide the structure for an effective incident response program. Here's where to turn for guidance on what to include.

Incident response plans enable organizations to quickly and efficiently handle cyberattacks. The lack of such a plan increases the likelihood that an attack will cause significant operational damage to IT systems, networks and data.

When developing an effective incident response strategy, a framework is essential. Industry frameworks can help an organization formulate an effective incident response initiative or update its existing initiatives.

What are frameworks and why are they important?

An incident response framework is the foundation for building an incident response program. An ideal framework provides structure and guidance for addressing all incident response activities.

For existing incident response programs, frameworks can ensure teams address relevant issues, such as staffing, administration, response playbooks, awareness and training, testing and resource identification.

CISOs and cybersecurity teams responsible for developing a new incident response plan and its associated activities will quickly recognize the benefits of using a framework, especially as a checklist to ensure nothing essential is overlooked.

Properly used, a framework can be adapted into a variety of formal documents, including incident response programs, policies and individual plans. Organizations required to demonstrate compliance with both domestic and international standards and regulations should use specific frameworks when developing incident response programs and plans. From legal, operational and audit perspectives, using frameworks helps demonstrate compliance with these important requirements.

Key elements of an IR framework

Regardless of its source, an incident response framework should include at least five specific components. Each standard and framework uses its own nomenclature for these components, but they generally follow the five-Rs structure described below.

Research

Before a cyberattack occurs, security teams should carefully examine all elements of the organization's IT infrastructure. A risk analysis determines which elements of the business are most susceptible to attack, the types of security events most likely to occur and the effects those events would have on the business.

The research phase includes a review of measures to prepare for and respond to an actual attack. These include preparing policies and plans, deploying cybersecurity systems and software, training incident response teams, performing threat hunting and penetration testing, patching software and testing cybersecurity plans.

Recognition

This stage occurs when an incident is identified. It could be an alert from an intrusion prevention or detection system, a firewall or an antimalware program, among others. Once an alert has sounded, the next stage is launched.

Response

In this stage, cybersecurity teams identify the nature and source of the threat, isolate it, analyze its potential impacts and decide the most appropriate response.

Resolution

In this stage, incident responders eliminate the threat or mitigate its severity so it no longer disrupts business operations. This is especially important in ransomware incident response, where a rapid resolution might save the organization thousands or even millions of dollars in costs associated with recovering compromised systems, networks, files and databases.

Recap

Once the event has been resolved, it is essential to document how the incident response team handled the event from initial awareness to final resolution. Assessing what worked and what did not enables teams to identify areas for improvement in the incident process and to refine the incident response framework and incident response plan.
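The recap phase is easier to run well when the timeline is recorded consistently during the incident. The following helper, an added example and not code from the article, models the four per-incident phases of the five-R lifecycle (research is pre-incident preparation, so it gets no per-incident timestamp), refuses timeline entries that violate the phase order, and derives the timing metrics a recap meeting typically reviews: dwell time before recognition, time to respond and time to resolve. The incident identifiers and timestamps are constructed sample data.

```python
"""Recap-phase helper for the five-R incident lifecycle.

Added example, not code from the article. Incident IDs and timestamps
are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Phases that receive a per-incident timestamp, in the order the five Rs give.
PHASES = ("recognition", "response", "resolution", "recap")


@dataclass
class IncidentTimeline:
    incident_id: str                            # constructed identifier, e.g. "INC-0001"
    first_event: datetime                       # earliest attacker activity found in evidence
    marks: dict = field(default_factory=dict)   # phase -> datetime the phase began

    def mark(self, phase: str, when: datetime) -> None:
        """Record when a phase started; enforce phase order and monotonic time."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        idx = PHASES.index(phase)
        missing = [p for p in PHASES[:idx] if p not in self.marks]
        if missing:
            raise ValueError(f"{phase} recorded before {', '.join(missing)}")
        previous = self.marks[PHASES[idx - 1]] if idx else self.first_event
        if when < previous:
            raise ValueError(f"{phase} at {when} precedes the prior phase at {previous}")
        self.marks[phase] = when

    def is_complete(self) -> bool:
        return all(p in self.marks for p in PHASES)


def metrics_hours(t: IncidentTimeline) -> dict:
    """Timing metrics for the recap, in hours (rounded to two decimals).

    dwell            first attacker activity -> recognition
    time_to_respond  recognition -> response
    time_to_resolve  recognition -> resolution
    incident_total   first attacker activity -> resolution
    """
    if not t.is_complete():
        raise ValueError("cannot compute metrics before all phases are recorded")

    def hours(a: datetime, b: datetime) -> float:
        return round((b - a).total_seconds() / 3600, 2)

    m = t.marks
    return {
        "dwell": hours(t.first_event, m["recognition"]),
        "time_to_respond": hours(m["recognition"], m["response"]),
        "time_to_resolve": hours(m["recognition"], m["resolution"]),
        "incident_total": hours(t.first_event, m["resolution"]),
    }


def order_violations(first_event: datetime, events) -> list:
    """Replay (phase, datetime) pairs as they were logged; return order errors."""
    t = IncidentTimeline("INC-CHECK", first_event)
    errors = []
    for phase, when in events:
        try:
            t.mark(phase, when)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def sample_timeline() -> IncidentTimeline:
    """Constructed timeline: 6 h dwell, 30 min to respond, 24 h to resolve."""
    t = IncidentTimeline("INC-0001", datetime(2024, 3, 1, 3, 30))
    t.mark("recognition", datetime(2024, 3, 1, 9, 30))   # endpoint alert fired
    t.mark("response", datetime(2024, 3, 1, 10, 0))      # affected host isolated
    t.mark("resolution", datetime(2024, 3, 2, 9, 30))    # clean rebuild verified
    t.mark("recap", datetime(2024, 3, 5, 14, 0))         # post-incident review held
    return t


def out_of_order_demo() -> list:
    """Constructed bad record: response logged before recognition."""
    return order_violations(
        datetime(2024, 3, 1, 3, 30),
        [("response", datetime(2024, 3, 1, 10, 0)),
         ("recognition", datetime(2024, 3, 1, 9, 30))],
    )


if __name__ == "__main__":
    for name, value in metrics_hours(sample_timeline()).items():
        print(f"{name:>16}: {value:6.2f} h")
    print(out_of_order_demo())
```

Tracking the same four timestamps for every incident makes the recap comparable across incidents, so trends in dwell or time to respond become visible and can feed back into the research phase.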

Incident response standards and frameworks

There are several well-known incident response standards and frameworks. Some have their roots in government service, while others were developed for the private sector. Each approach can help develop an incident framework for enterprise cybersecurity requirements.

ISO/IEC 27035 series

The ISO/IEC 27035 series has three parts:

The series breaks the incident response process into the following five phases:

  • Planning and preparation. Establish an incident management policy and create an incident response team.
  • Detection and reporting. Set up the processes, procedures and technologies required to detect and report the incident.
  • Assessment and decision. Create processes and procedures, and establish incident descriptions and criteria.
  • Response to incidents. Establish controls to prevent, respond to and recover from incidents.
  • Lessons learned. Learn from security incidents to improve overall incident management.

Collectively, the series provides a comprehensive framework for incident response and incident management.

"ISO 22320:2018 Security and resilience -- Emergency management -- Guidelines for incident management" closely mirrors ISO 27035. It can serve as a standalone framework or as a complement to ISO 27035.

NIST incident response framework

NIST Special Publication 800-61 Rev. 3 was updated in April 2025 to reflect the modern incident response landscape and align with the NIST Cybersecurity Framework 2.0.

The updated guidance identifies the incident response lifecycle in three sections:

  • Preparation. NIST wrote that this phase is not part of incident response itself but part of the broader ongoing risk management process. It includes risk assessment and analysis, policy creation, system monitoring and the implementation of security tools and technologies.
  • Incident response. This stage involves detecting, responding to and recovering from a cybersecurity event.
  • Lessons learned. This step involves gathering feedback from all activities in all steps to identify improvements and adjust policies, processes and plans.

SANS incident response framework

SANS Institute, a private cybersecurity training, certification and research organization, published an incident response framework that has the following phases:

  • Preparation. Review and codify security policies, perform a risk assessment, identify sensitive assets, define critical security incidents and build an incident response team.
  • Identification. Monitor IT systems, detect deviations from normal operations and determine whether they represent real security incidents. If an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
  • Containment. Perform short-term containment, and then focus on long-term containment, which involves temporary fixes to enable systems to be used in production while rebuilding clean systems.
  • Eradication. Remove malware from affected systems, identify the root cause of the attack and take action to prevent similar attacks.
  • Recovery. Bring affected production systems back online cautiously to prevent further attacks. Test, verify and monitor affected systems to ensure they return to normal operation.
  • Lessons learned. Compile all relevant information about the incident and identify lessons that will help with future incident response activities.

CERT Incident Management Capability

Developed by Carnegie Mellon University's Software Engineering Institute and used by the U.S. Department of Homeland Security and U.S. Computer Emergency Readiness Team, the CERT incident management assessment addresses a broad spectrum of cybersecurity event response activities. Its incident response phases include the following:

  • Prepare. Establish a formal incident function, set up roles and responsibilities, develop procedures for incident response, and identify tools and key relationships for managing incident responses.
  • Protect. Establish measures to identify potential risks, threats and vulnerabilities; deploy upgrades, modifications and enhancements to security infrastructure assets, including firewalls, intrusion detection systems and antivirus; and develop a patch management process.
  • Detect. Balance proactive actions, such as monitoring and analysis, with reactive actions, such as event data gathering, to determine the nature of a suspicious activity.
  • Respond. Analyze the anomaly, launch mitigation and remediation activities, initiate event notification and begin post-event follow-up to determine how well the response activities performed.
  • Sustain. Maintain effective incident response activities, including program funding, training of response teams, reviewing and updating of controls, and post-event reviews to identify ways of improving incident response procedures.

Additional incident response frameworks

Consider the following incident response guidance:

  • IEEE has research, guidance and frameworks, but no formal standards.
  • IETF has standards and best practices for computer security incident response teams.
  • The EU Agency for Cybersecurity developed incident response frameworks that are published via guidance documents, including "Good Practice Guide for Incident Management."
  • "NIST SP 800-53 Rev. 3: Security and Privacy Controls for Information Systems and Organizations" is a key information security standard that includes requirements for incident response.
  • Mitre ATT&CK is a knowledge base of cybersecurity threat activities that can contribute to the creation of an incident response framework with guidance on incident detection, analysis and reporting.
  • CISA has operational procedures and playbooks for planning and conducting cybersecurity vulnerability and incident response activities.
  • CISA established the National Cyber Incident Response Plan, a public sector-focused framework providing guidance on responding to cyberattacks.
  • "ISO 27001: Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements" is the global standard for information security management systems and aligns with ISO 27035 for incident response activities.
  • The U.S. Incident Command System presents a structured approach to incident response and management. It is designed to enable collaboration among various federal, state and local government agencies.

How to create an incident response framework

Organizations that already have an incident response framework in place should compare it to the standards and frameworks outlined above to ensure it aligns with good-practice guidance. Review and update the framework periodically to ensure it remains aligned with the standards.

When developing an in-house incident response framework, consider the following steps:

  • Examine existing cybersecurity documentation, including policies, procedures, plans and reports.
  • Establish a project plan and team to develop the framework.
  • Gather and review existing frameworks. Select the document or documents that best fit the organization's requirements.
  • If the framework is part of an enterprise cybersecurity initiative that needs to demonstrate compliance with a standard or regulation, use a framework that aligns with that standard or regulation.
  • Prepare an initial draft framework for review.
  • Carefully review the draft framework to ensure it aligns with existing cybersecurity policies, procedures and compliance requirements.
  • Secure approval from senior management.
  • Disseminate the framework to members of the cybersecurity team and the security operations center team.

Once the framework has been completed and approved, formulate incident response program documents based on the framework. Review and update existing incident response activities if necessary.

In situations where a formal incident response program needs to be developed, use the framework to do the following:

  • Initiate the incident response program.
  • Create incident response policies and processes.
  • Identify, secure and train incident response team members.
  • Adopt tools and resources for incident response activities.
  • Deploy systems for incident identification, event logging and tracking, and event response and reporting.
  • Launch activities for threat hunting, pen testing and other forensic activities.
  • Regularly patch critical software.
  • Schedule and conduct incident response exercises and tests.
  • Include incident response activities in weekly IT staff meetings.
  • Establish a continuous improvement activity for incident response.

Whether an organization develops its own homegrown framework or uses one or more of the documents mentioned here, be sure it addresses domestic and international compliance requirements.

Most current standards and frameworks share a basic structure. Carefully review them to find one that best meets the organization's incident response requirements.

Also note that while frameworks help, it is the approved incident response plan that an organization uses to protect itself from cyberattacks.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
