Cyber Incident Response Checklist

Use the Cyber Incident Response Checklist to prepare for, assess, manage, mitigate, and review cybersecurity incidents, ensuring an effective response to threats.

Gathering Evidence

1. Are you documenting the summary of the incident for evidence purposes?

2. Have you gathered incident indicators and system events?

3. Are you recording actions taken during the incident?

4. Are you collecting logs of affected systems and forensic copies for further analysis?

5. Have you identified other forms of evidence that need to be documented?

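Worked example for items 1 to 4 above (added here; it is not part of the GoAudits checklist): a Python script that hashes every collected artifact at collection time, records who collected it and when, and seals the whole record with its own hash, so that later changes to either the evidence or the chain-of-custody record are detectable. The case ID, collector names, file names and the single log line are constructed sample data.

```python
"""Evidence manifest with a sealed chain-of-custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(manifest):
    """Hash of the canonical JSON of everything except the seal field itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def build_manifest(case_id, collector, evidence_paths, note=""):
    """Record who collected what, when, and each artifact's hash at collection time."""
    items = [{
        "path": os.path.abspath(p),
        "size": os.path.getsize(p),
        "sha256": sha256_file(p),
        "collected_at": _now(),
    } for p in sorted(evidence_paths)]
    manifest = {
        "case_id": case_id, "collector": collector, "note": note, "items": items,
        "custody_log": [{"action": "collected", "by": collector, "at": _now()}],
    }
    manifest["manifest_sha256"] = _seal(manifest)
    return manifest


def add_custody_event(manifest, action, by):
    """Append a transfer/analysis event and re-seal; the log is append-only."""
    manifest["custody_log"].append({"action": action, "by": by, "at": _now()})
    manifest["manifest_sha256"] = _seal(manifest)
    return manifest


def verify_manifest(manifest):
    """Return problems found: a broken seal and/or any artifact whose hash changed."""
    problems = []
    if _seal(manifest) != manifest.get("manifest_sha256"):
        problems.append("manifest seal mismatch")
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append(f"missing: {item['path']}")
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    return problems


def demo():
    """Constructed sample: two artifacts, then tamper with the evidence and with the record."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        img = os.path.join(d, "host01-mem.raw")
        with open(log, "w") as f:  # constructed log line
            f.write("Mar 10 02:14:07 host01 sshd[4112]: Accepted password for svc-backup from 203.0.113.7\n")
        with open(img, "wb") as f:  # stand-in for a memory image
            f.write(os.urandom(4096))
        m = build_manifest("IR-0042", "j.doe", [log, img], note="constructed sample")
        add_custody_event(m, "transferred to analysis workstation", "a.lee")
        clean = verify_manifest(m)
        with open(log, "a") as f:  # evidence altered after collection
            f.write("tampered\n")
        evidence_tampered = verify_manifest(m)
        m["custody_log"].pop()  # a custody event silently deleted from the record
        record_tampered = verify_manifest(m)
    return {"clean": clean, "evidence_tampered": evidence_tampered,
            "record_tampered": record_tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written out alongside the evidence and its seal is read aloud or copied into the case notes at hand-over, so the record and the artifacts can be re-verified by whoever receives them.
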
Knowing Your Stakeholders And/or Fiduciary Obligations

1. Have you notified relevant stakeholders and affected parties, including the Board of Directors?

2. Are you communicating with regulators, law enforcement, and other government agencies?

3. Have you informed clients and, where your communications plan calls for it, the media about the incident?

Developing A Containment Strategy

1. Have you developed strategies to isolate compromised network segments by disconnecting affected systems from the network (rather than powering them off, so volatile evidence is preserved)?

2. Do you have plans in place to re-route or filter network traffic?

3. Are you using firewall filtering to block unauthorized access?

4. Have you closed vulnerable ports and shut down abused services, such as a compromised mail server, to prevent further access?

5. Are you taking steps to block additional unauthorized access?

Eradicating The Threat

1. Are you prepared to remove malware and any attacker persistence mechanisms after containing the incident?

2. Have you disabled any compromised user accounts and revoked their active sessions, tokens, and keys?

3. Are you patching vulnerabilities that were exploited across all affected hosts?

4. Are there additional eradication steps that need to be taken?

Taking Steps Toward Recovery

1. Are you restoring systems from backups after an incident?

2. Are you rebuilding affected systems from scratch when necessary?

3. Have you changed both administrator and user passwords, and rotated any service-account credentials and keys the attacker may have accessed, as part of the recovery process?

4. Are you tightening network perimeter security to prevent future incidents?

5. Have you confirmed the integrity of business systems and controls after recovery?

Monitoring And Maintaining Vigilance

1. Are you continuing to monitor the network for anomalous activity or signs of intrusion?

2. Are you considering higher levels of system logging or network monitoring, depending on the incident?

Post-Incident Review

1. Are you conducting a post-incident review to identify and resolve deficiencies in systems and processes?

2. Have you identified deficiencies in the planning and execution of your incident response plan?

3. Are you assessing whether additional security measures are necessary to strengthen your security posture?

4. Are you communicating lessons learned and building on them for future preparedness?

Identify Key Contact Information

1. Have you identified key contact information for incident management?

2. Have you designated an incident response handler within your organization?

3. Have you appointed a third-party incident response provider?

4. Do you have contact information for product/service vendors?

5. Are you aware of the relevant regulatory bodies to contact?

6. Have you established contacts with law enforcement agencies?

7. Have you identified key contacts for clients and others?

Identify Investigation Resources

1. Have you created a list of key assets and data and documented where they are located or hosted?

2. Do you have network diagrams for investigation purposes?

3. Have you established a baseline for your IT systems’ activities?

4. Do you have documentation for IT systems and software versions?

5. Are there backups of important data available for investigation?

Develop Relevant Plans

1. Do you have prevention and detection plans in place?

2. Have you developed containment, eradication, and recovery plans?

3. Is there a crisis management and communications plan prepared?

4. Do you have a business continuity plan?

Preventing Incidents

1. Have you identified and understood the types of attacks that could affect your organization?

2. Do you have action plans to deal with malware attacks?

3. Are you prepared for phishing attacks?

4. Do you have plans for distributed denial of service (DDoS) attacks?

5. Are you ready to handle ransomware incidents?

6. Do you have procedures in place for a data breach?

7. Have you planned for data corruption incidents?

Communicating And Exercising The Plans

1. Are action plans for responding to common incidents accessible and updated regularly?

2. Are you communicating with employees and key stakeholders about updates to the plans?

3. Have you implemented user awareness and training programs?

4. Are you regularly reviewing and updating plans (e.g., during system onboarding, new hires, or at scheduled intervals)?

5. Do you conduct walk-throughs or exercises of your plans?

Detection And Analysis

1. Are you prepared to recognize possible attack vectors?

2. Do you have a way to identify insecurely designed web applications as a possible attack vector?

3. Are misconfigured systems a recognized attack vector in your organization?

4. Do you address potential risks from internet downloads?

5. Are you ensuring good cyber hygiene practices to prevent attacks (e.g., strong passwords, up-to-date software)?

6. Are human lapses being accounted for in your security preparedness?

7. Are authorized third parties monitored for security threats?

Reviewing Possible Sources Of Precursors And Indicators

1. Are you reviewing alerts from security software such as Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, and anti-virus software?

2. Are you examining logs from operating systems, services, applications, and network devices for potential threats?

3. Are you reviewing publicly available information and vendor vulnerability notifications?

4. Are you involving internal staff in identifying potential threats and precursors?

Making An Initial Assessment And Prioritizing The Next Steps

1. Are you correlating events against your baseline to determine if an incident has occurred?

2. Are you checking incidents against known threat precursors and indicators?

3. Have you made an initial assessment of the scope and nature of the incident?

4. Are you prioritizing incident handling activities, including whether to activate crisis management and communications plans?
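Worked example for "examining logs from operating systems, services, applications, and network devices" (Reviewing Possible Sources, item 2), "established a baseline for your IT systems' activities" (Identify Investigation Resources, item 3) and "correlating events against your baseline" and "prioritizing incident handling activities" above (added here; it is not part of the GoAudits checklist): a Python script that learns which (user, source IP) pairs normally log in from a known-good period of sshd records, then flags a failed-login burst, a success from a never-seen pair, and, most urgently, a success that follows a burst of failures from the same address. The hostnames, user names, timestamps and IP addresses are constructed; the external address is from the RFC 5737 documentation range.

```python
"""Correlating sshd auth events against a baseline and ranking findings (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-format sshd lines. A real run would read /var/log/auth.log or a SIEM export.
BASELINE_LOG = """\
Mar 03 08:02:11 web01 sshd[2001]: Accepted publickey for deploy from 10.0.5.20 port 50122 ssh2
Mar 03 09:15:40 web01 sshd[2044]: Accepted password for alice from 10.0.7.14 port 50190 ssh2
Mar 04 08:05:02 web01 sshd[2210]: Accepted publickey for deploy from 10.0.5.20 port 50233 ssh2
Mar 05 17:48:19 web01 sshd[2399]: Accepted password for alice from 10.0.7.14 port 50417 ssh2
"""

INCIDENT_LOG = """\
Mar 10 02:14:01 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar 10 02:14:03 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 41003 ssh2
Mar 10 02:14:05 web01 sshd[4104]: Failed password for admin from 203.0.113.7 port 41004 ssh2
Mar 10 02:14:07 web01 sshd[4105]: Failed password for alice from 203.0.113.7 port 41005 ssh2
Mar 10 02:14:09 web01 sshd[4106]: Failed password for alice from 203.0.113.7 port 41006 ssh2
Mar 10 02:14:12 web01 sshd[4107]: Accepted password for alice from 203.0.113.7 port 41007 ssh2
Mar 10 08:03:55 web01 sshd[4310]: Accepted publickey for deploy from 10.0.5.20 port 50901 ssh2
Mar 10 09:20:13 web01 sshd[4377]: Accepted password for alice from 10.0.7.14 port 50955 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Severity used to order the initial assessment; a success after failures is a likely compromise.
SEVERITY = {"success_after_failures": "critical", "brute_force": "high", "new_user_ip_pair": "medium"}
ORDER = ["critical", "high", "medium"]


def parse(log, year=2024):
    """Turn matching sshd lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages (disconnects, key exchange) are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts})
    return events


def build_baseline(events):
    """Set of (user, source ip) pairs that succeeded during the known-good period."""
    return {(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"}


def analyse(events, baseline, fail_threshold=5, window=timedelta(minutes=5)):
    """Flag failure bursts per source IP and successes that fall outside the baseline."""
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            if len(recent) + 1 == fail_threshold:  # fire once, when the threshold is crossed
                findings.append({"type": "brute_force", "ip": e["ip"],
                                 "count": fail_threshold, "at": e["ts"]})
            continue
        if (e["user"], e["ip"]) not in baseline:  # an Accepted login the baseline never saw
            ftype = "success_after_failures" if recent else "new_user_ip_pair"
            findings.append({"type": ftype, "user": e["user"], "ip": e["ip"],
                             "at": e["ts"], "prior_failures": len(recent)})
    return findings


def prioritise(findings):
    """Attach a severity and order the findings so the analyst works the worst first."""
    ranked = [dict(f, severity=SEVERITY[f["type"]]) for f in findings]
    return sorted(ranked, key=lambda f: ORDER.index(f["severity"]))


def demo():
    """Run the constructed incident log against the constructed baseline."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return prioritise(analyse(parse(INCIDENT_LOG), baseline))


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The two baseline logins on 10 March produce no findings, which is the point of the baseline: the analyst's attention goes to the two events that differ from normal, with the compromised account ranked above the noisy brute-force attempt that preceded it.
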

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.