Table of contents

IT Security Incident Response Plan and Process Guide

How to use this guide

This guide is for all users and is part of a set of Ministry of Justice (MoJ) policies and supporting guides that cover various aspects of incident and disaster management and response.

The policies are:

The supporting guides are:

This guide gives information to help create and develop an IT Incident Response Plan for your MoJ IT system or service.

The National Cyber Security Centre (NCSC) also offers guidance on how to effectively detect, respond to and resolve cyber incidents.

Suggested content

Incident response plans are specific to each individual IT system or service.

When deciding what should go into an Incident Response Plan for an MoJ IT system or service, a useful start is to identify every potential incident that might affect the system or service, and list the ways to resolve each one.

Each Incident Response Plan should include:

  • a list of key roles together with a description of their responsibilities - each role should have at least two sets of contact details
  • a list of internal and external stakeholders to be contacted as soon as the incident happens, each stakeholder should have at least two sets of contact details
  • a communication list of everyone who needs to be contacted, together with the chains of communication that shall be followed
  • a list of people who can undertake the role of incident manager
  • a series of steps to follow in order to mitigate the incident
  • a method to identify the need for forensic investigation, and the role responsible for invoking it
  • clear instructions on how to escalate to a higher level of incident response, to include names and contact details and the reason for escalating the incident
  • a detailed process to recover the system to business as usual (BAU)
  • a process to identify and capture lessons learned from the incident
  • the requirement for a written report for medium and high impact incidents

All plans should be stored securely both online and offline. Roles and stakeholders mentioned in the plan should know of its location and be able to access it.

Incident response plans are intended to be flexible guides to help every role listed to respond to an incident.

Reviewing and testing

Incident Response Plans shall be reviewed regularly, and updated if there have been any changes to systems or services, personnel, or communication chains.

Plans shall be tested and practiced regularly to help familiarise each of the roles with the response process.

This is not an exhaustive list. If you would like support in creating a plan, please contact the Service Operations Centre (SOC) and the Major Incident Team.

Contact details

For any further questions or advice relating to security, contact:


If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: