Key Takeaways
- An IRP is a procedural document, not a marketing artefact. It must give responders specific, executable actions, not high-level principles.
- NIST SP 800-61 r2 is the reference framework most Indian IRPs map to: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. (NIST published Rev. 3 in April 2025 as a CSF 2.0 Community Profile; the r2 lifecycle vocabulary used here is still what responders and regulators recognise.)
- A RACI matrix resolves the recurring 'who decides whether to disconnect' question that paralyses real incidents.
- Indian notification timelines: CERT-In within 6 hours of noticing the incident or being brought to notice of it (per the April 2022 directions); RBI within 2 to 6 hours depending on incident class and entity category; DPDP Act 2023 s.8(6) intimation of a personal data breach to the Data Protection Board and each affected data principal, in the form and timeline the Rules prescribe. The clock starts at awareness, not at the moment the IR team formally declares the incident.
- The IRP is alive. Update after every incident, exercise, regulatory change, and significant infrastructure change. A plan that has not been touched in 18 months is documentation, not preparedness.
Why a Real IRP Beats an Aspirational One
Most Indian businesses have something called an Incident Response Plan. Open it during an actual incident and you typically find: principles instead of procedures, generic role names that do not map to actual employees, communication templates that reference channels nobody uses, escalation paths to phone numbers that ring forever, and zero references to current regulatory timelines. The plan exists for the auditor, not for the responder.
A real IRP is short, structured and operational. Specific people, specific decisions, specific timelines, specific message templates, specific tools, specific evidence handling steps. It is reviewed every quarter, exercised at least annually, and updated after every incident. The difference between an aspirational IRP and a real one is what determines whether an Indian enterprise contains an incident in hours or watches it metastasize for days.
NIST SP 800-61 r2: The Underlying Framework
ISO/IEC 27035 (information security incident management) and SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned) are close equivalents and can be mapped onto NIST without difficulty. Pick one and stay consistent across the IRP, runbooks and training so responders do not have to translate between vocabularies during an incident.
- Preparation: tools, training, runbooks, contact lists, evidence-handling procedures, technology hardening to reduce incident volume
- Detection and Analysis: SIEM, EDR, NDR signals; analyst triage; incident declaration and classification
- Containment, Eradication and Recovery: short-term containment (limit blast radius), long-term containment (system isolation), eradication (remove attacker), recovery (restore systems and confirm trust)
- Post-Incident Activity: lessons learned, IRP update, control improvements, regulatory and customer notifications closure
Need Incident Response on Standby?
Codesecure offers retainer-based IR for Indian businesses: 24x7 on-call lead, named OSCP and GCFA consultants, evidence-preserving forensics, regulator-ready reporting and ISO/IEC 27001:2022 certified delivery. Available without retainer for active incidents on best-effort basis.
Roles, Responsibilities and RACI
The single most common failure pattern in real Indian incidents: paralysis on the 'who decides whether to disconnect the production database' question. A RACI matrix in the IRP prevents this. Roles to define: Incident Commander (often the CISO or designated deputy), Technical Lead, Forensics Lead, Communications Lead, Legal Lead, HR Lead, Customer Success Lead, External Counsel, External IR Firm, Board / Executive Sponsor.
Each major decision in the IR flow is mapped to RACI: Responsible (does the work), Accountable (decides), Consulted (provides input), Informed (kept in the loop). Examples: 'disconnect production segment' (R: Technical Lead, A: Incident Commander, C: Engineering Director, I: CEO). 'Pay ransom' (R: nobody internal, A: CEO with Board, C: Legal + External Counsel + External IR + Insurance, I: CISO + CFO). 'Notify CERT-In' (R: Legal Lead, A: CISO, C: External Counsel, I: CEO + Communications).
The RACI is a one-page table, kept current with named individuals (and backups), reviewed each quarter and after every personnel change.
Communication Plan: Internal and External
Communication is what most companies underestimate. During an incident, internal channels (Slack, Teams, email) may be compromised or unavailable. External channels (press, customers, regulators) need synchronised messaging from named spokespersons.
Internal communication: define a primary channel for the incident response team (typically a dedicated Slack or Teams channel), an out-of-band fallback that does not depend on the corporate identity provider (a Signal group with pre-shared members, a dial-in bridge with a fixed number, a satellite phone for maritime customers), a status update cadence (every 30 minutes during active response, every 4 hours during containment, daily during recovery), and a single source of truth for incident facts (a shared document or war-room board). The fallback matters because an attacker who holds the identity provider also holds Slack, Teams and email.
External communication: predefined message templates for customer notification, regulator notification, press statement, social media response, and stakeholder briefing. Each template has named owners, named approvers and target timelines. Never improvise external communication during an incident; the cognitive load is too high.
Indian Regulatory Notification: CERT-In, RBI, SEBI, DPDP
Indian notification obligations have tightened materially since 2022. The IRP must surface them at the moment of declaration, not at the post-mortem.
CERT-In (April 2022 Directions)
CERT-In requires reporting of specified cyber incidents within 6 hours of noticing them or being brought to notice of them. The list of in-scope incident types is broad and includes targeted scanning or probing of critical systems, identity theft, ransomware, data breach or leak, attacks on critical information infrastructure, malicious mobile apps and several others. Reports go through the CERT-In incident reporting channels (the portal form or incident@cert-in.org.in) in the prescribed format. Codesecure clients receive a pre-populated CERT-In notification template as part of the IRP.
RBI Cyber Security Framework
Regulated banks and NBFCs report unusual cyber events to RBI. Banks fall under the 2016 Cyber Security Framework circular, which sets a 2 to 6 hour window depending on incident class; the 2023 Master Direction on IT Governance applies a 6-hour clock to the regulated entities it covers. The IRP includes the RBI reporting template and the named RBI contact channel for the entity.
SEBI and Other Sector Regulators
SEBI's Cybersecurity and Cyber Resilience Framework requires reporting by stock exchanges, depositories, registered intermediaries and other regulated entities, typically within 6 to 24 hours depending on incident class and category. IRDAI has similar expectations for insurers, PFRDA for pension funds, and NCIIPC for critical information infrastructure operators. An entity regulated by more than one of these runs several clocks in parallel, and the IRP must list all of them.
DPDP Act 2023
Section 8(6) of the DPDP Act 2023 requires a data fiduciary to intimate a personal data breach to the Data Protection Board of India and to each affected data principal. The Draft DPDP Rules 2025 specify the operational mechanics. Timelines are short and the definition of 'personal data breach' is broad (it covers unauthorised processing, accidental disclosure and loss of access, not only exfiltration). The IRP must distinguish DPDP-triggering incidents from non-personal-data-only incidents and route accordingly.
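The following is an added example, not code from the original page or any Codesecure tooling: a small notification clock that turns the time the entity became aware of an incident into an ordered list of regulatory deadlines with the RACI owners from the plan. The hour values are the ones quoted on this page (CERT-In 6 h; RBI 2 to 6 h; SEBI 6 to 24 h); the DPDP intimation carries no hour count on the page and is listed as 'without delay'. The `EntityProfile` fields, the reuse of the CERT-In R/A owners for the other regulators, and the scenario times are assumptions to be replaced with the entity's own legal mapping.

```python
"""Notification clock for the 'incident declared' moment.

Added example, not part of the original page. Hour values are the page's
(CERT-In 6 h, RBI 2-6 h, SEBI 6-24 h); DPDP is listed as 'without delay'.
Profile fields, owner roles and scenario times are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass
class EntityProfile:
    """Which regulators apply to this entity and which incident class applies."""
    cert_in_in_scope: bool = True         # the CERT-In list is broad; in scope unless legal says otherwise
    rbi_regulated: bool = False
    rbi_hours: int = 6                    # 2 for the stricter class; set per entity category and incident class
    sebi_regulated: bool = False
    sebi_hours: int = 6                   # 6 to 24 depending on incident class and category
    personal_data_involved: bool = False  # decides whether the DPDP s.8 intimation is triggered


@dataclass
class Deadline:
    regulator: str
    due_at: Optional[datetime]            # None means 'without delay': no fixed clock on the page
    responsible: str                      # RACI R (assumed: Legal Lead, as for CERT-In on the page)
    accountable: str                      # RACI A (assumed: CISO)

    def remaining(self, now: datetime) -> timedelta:
        """Time left; zero or negative means act now or already overdue."""
        if self.due_at is None:
            return timedelta(0)
        return self.due_at - now


def build_clock(aware_at: datetime, profile: EntityProfile) -> list[Deadline]:
    """The clock runs from awareness, not from the IR team's declaration;
    passing the declaration time would understate every deadline."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; regulatory clocks run on wall time")
    items: list[Deadline] = []
    if profile.cert_in_in_scope:
        items.append(Deadline("CERT-In", aware_at + timedelta(hours=6), "Legal Lead", "CISO"))
    if profile.rbi_regulated:
        items.append(Deadline("RBI", aware_at + timedelta(hours=profile.rbi_hours), "Legal Lead", "CISO"))
    if profile.sebi_regulated:
        items.append(Deadline("SEBI", aware_at + timedelta(hours=profile.sebi_hours), "Legal Lead", "CISO"))
    if profile.personal_data_involved:
        items.append(Deadline("Data Protection Board + affected data principals (DPDP s.8)",
                              None, "Legal Lead", "CISO"))
    # 'without delay' sorts first (treated as due at awareness); the rest by due time.
    return sorted(items, key=lambda d: d.due_at or aware_at)


def render(clock: list[Deadline], now: datetime) -> list[str]:
    """One line per obligation for the war-room board."""
    lines = []
    for d in clock:
        if d.due_at is None:
            when = "without delay"
        else:
            left = d.remaining(now)
            state = "OVERDUE" if left <= timedelta(0) else f"{int(left.total_seconds() // 60)} min left"
            when = f"by {d.due_at.astimezone(IST):%Y-%m-%d %H:%M} IST ({state})"
        lines.append(f"{d.regulator}: {when}; R={d.responsible}, A={d.accountable}")
    return lines


def example_scenario() -> tuple[datetime, list[Deadline]]:
    """Constructed scenario: RBI-regulated fintech, stricter 2-hour RBI class, personal data involved."""
    aware = datetime(2025, 6, 1, 10, 0, tzinfo=IST)
    profile = EntityProfile(rbi_regulated=True, rbi_hours=2, personal_data_involved=True)
    return aware, build_clock(aware, profile)


if __name__ == "__main__":
    aware, clock = example_scenario()
    for line in render(clock, now=aware + timedelta(minutes=45)):
        print(line)
```

Run it at declaration time and paste the output into the incident declaration form; re-run it as the response progresses so the remaining-time column stays honest. The design choice worth copying is that `build_clock` refuses a naive timestamp: a deadline computed from a server clock in UTC and read by a responder in IST is the kind of error that costs a 6-hour window.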
Building an IR Programme From Scratch?
Whether you need an IR plan, a tabletop exercise, a SOAR rollout, or DFIR readiness for SOC 2 / ISO 27001 / DPDP, our IR lead is available for a 30-minute free scoping call. No obligation, no slideware.
Documentation Templates Inside the IRP
Templates save time and reduce error during high-stress response. The IRP includes:
- Incident declaration form: declaring person, time, classification, initial scope, suspected root cause
- Incident timeline tracker: chronological log of every event, decision and action with timestamp and owner
- Evidence chain of custody form: every artefact (disk image, memory dump, log export) with acquisition time, acquiring person, cryptographic hash taken at acquisition, storage location, and every subsequent handover with the receiving party's hash verification
- Decision log: every consequential decision with rationale, named decider, alternatives considered
- Containment action register: every system isolation, account disable, network change, with timestamp and reversal plan
- External notification log: every regulator, customer, partner, insurer communication, with content, channel, recipient
- Lessons learned template: structured post-incident review covering detection, response, communication, recovery, and control improvements
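As an added example of the evidence chain of custody and containment-style registers above (not code from the original page or from Codesecure), the following register hashes each artefact with SHA-256 when it enters custody, appends a custody event for every verification and handover, and re-hashes at each handover so that an artefact altered between two custodians is refused rather than silently passed on. The incident id, artefact names, party names and the sample memory-dump file are constructed for the example.

```python
"""Evidence chain-of-custody register.

Added example, not part of the original page. Hashes artefacts at
acquisition, logs every verification and handover, and refuses to record
a transfer whose receiving-side hash check fails. All ids and names are
constructed.
"""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path


def _now() -> str:
    # Record in UTC and convert to IST only for display; mixed zones in one
    # timeline are a classic source of disputes about sequence.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the artefact so multi-gigabyte images are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


@dataclass
class CustodyEvent:
    at: str
    action: str            # acquired | verified | transferred
    from_party: str
    to_party: str
    note: str = ""


@dataclass
class Artefact:
    artefact_id: str
    description: str
    path: str
    sha256: str            # hash taken at acquisition; never updated afterwards
    events: list = field(default_factory=list)


class CustodyRegister:
    """One register per incident; every artefact carries its own custody trail."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.artefacts: dict[str, Artefact] = {}

    def acquire(self, artefact_id: str, description: str, path: Path, acquired_by: str) -> Artefact:
        art = Artefact(artefact_id, description, str(path), sha256_file(path))
        art.events.append(CustodyEvent(_now(), "acquired", "source system", acquired_by,
                                       f"sha256={art.sha256}"))
        self.artefacts[artefact_id] = art
        return art

    def verify(self, artefact_id: str, by: str) -> bool:
        """Re-hash and compare with the acquisition hash; the result is logged either way."""
        art = self.artefacts[artefact_id]
        current = sha256_file(Path(art.path))
        ok = current == art.sha256
        art.events.append(CustodyEvent(_now(), "verified", by, by,
                                       "match" if ok else f"MISMATCH current sha256={current}"))
        return ok

    def transfer(self, artefact_id: str, from_party: str, to_party: str) -> bool:
        """A handover is recorded only if the receiving party's verification passes."""
        if not self.verify(artefact_id, to_party):
            return False
        self.artefacts[artefact_id].events.append(
            CustodyEvent(_now(), "transferred", from_party, to_party))
        return True

    def export_json(self) -> str:
        """Regulator- and counsel-ready dump of the full register."""
        return json.dumps({"incident_id": self.incident_id,
                           "artefacts": [asdict(a) for a in self.artefacts.values()]}, indent=2)


def demo() -> tuple[bool, bool, CustodyRegister]:
    """Constructed walk-through: a clean handover, then a handover after the file changed."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "web01-memory.raw"              # constructed sample artefact
        image.write_bytes(b"\x00" * 4096 + b"constructed memory dump")
        reg = CustodyRegister("INC-0001")                    # hypothetical incident id
        reg.acquire("ART-1", "Memory dump of web01", image, "Forensics Lead")
        clean = reg.transfer("ART-1", "Forensics Lead", "External IR Firm")
        image.write_bytes(image.read_bytes() + b"!")         # simulate alteration before the next handover
        tampered = reg.transfer("ART-1", "External IR Firm", "External Counsel")
        return clean, tampered, reg


if __name__ == "__main__":
    ok, bad, register = demo()
    print(f"clean handover recorded: {ok}; tampered handover recorded: {bad}")
    print(register.export_json())
```

The register itself is evidence, so store the exported JSON somewhere append-only (a WORM bucket or a signed ticket attachment) rather than on the same host the artefacts came from; the hash in the acquisition event is what lets external counsel or a regulator confirm months later that the image they received is the one that was taken.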
Plan Maintenance, Exercise and Continuous Improvement
An IRP becomes stale faster than most documents. Personnel change, infrastructure changes, vendors change, regulatory timelines change, threat landscape changes. The maintenance cadence we recommend: quarterly tabletop with the IR team (rotating scenario), annual full-scale exercise (technical plus business), update after every actual incident (mandatory), update after every significant infrastructure change (cloud migration, new SaaS rollout, M&A), regulatory review semi-annually.
Codesecure clients receive a maintenance pack with quarterly scenario rotations, annual exercise scenarios, and a regulatory tracker that pings the customer when a relevant Indian regulation changes. The IRP is a living artefact, not a documentation deliverable.
Frequently Asked Questions
How long does it take to write an IRP from scratch?
For a small Indian SaaS or fintech, 3 to 4 weeks of focused work including workshops, RACI design, template population, regulatory mapping and a tabletop validation. For a mid-size enterprise with multiple business units and regulators, 6 to 10 weeks. Codesecure delivers fixed-price IRP engagements with a guaranteed end-date and named IR consultant lead.
Do you need a separate IRP for each business unit?
Usually no. One company-wide IRP with business-unit annexes works better than multiple disconnected plans. Annexes cover unit-specific runbooks (a vessel annex for shipping, a card-environment annex for PCI-in-scope retail, a clinical annex for healthcare). The core process stays unified.
How is the IRP different from the SOC playbook library?
The IRP is the company-wide governance document: who decides, who notifies whom, in what sequence, against what regulatory clock. The SOC playbook library is the per-alert technical workflow that an analyst follows when a specific detection fires. Both are needed; they connect at the 'incident declared' moment when the SOC hands the response to the IR team.
Does the IRP need board approval?
Yes for regulated entities, whose frameworks expect board-level ownership of cyber risk. ISO/IEC 27001 and SOC 2 (an attestation, not a certification) both expect management approval of the incident management policy and evidence that it is periodically reviewed, so approval by the board or executive committee at adoption and at every material revision is the cleanest way to evidence that. For smaller startups, executive sponsorship by the CEO is sufficient until governance maturity grows.
Can Codesecure run our incident response on retainer?
Yes. Codesecure offers retainer-based IR with a 24x7 on-call lead, defined response SLAs and pre-positioned context (network diagrams, asset inventory, regulator contacts) so we hit the ground running. The retainer also includes quarterly tabletop facilitation and annual IRP review.
Is the IRP referenced from the ISO 27001 ISMS?
Yes. The IRP is the operational artefact behind ISO/IEC 27001:2022 Annex A controls A.5.24 to A.5.28 (incident management planning and preparation, assessment and decision, response, learning from incidents, and collection of evidence). It is also evidence for the SOC 2 CC7 system operations criteria, for the RBI Cyber Security Framework, and for the reasonable security safeguards required by DPDP Act s.8(5).
Build An IRP That Works Under Stress, Not Just Audit
Codesecure delivers IRP design, tabletop facilitation and retainer-based IR for Indian SaaS, fintech, healthcare and enterprise customers. ISO/IEC 27001:2022 certified delivery, named GCFA and GCIH consultants, Indian regulatory tracker included.

