The purpose of having a written incident response plan is to enable an organization to move from merely reacting to (perceived) information security incidents toward being well prepared and able to respond in a previously determined way.

Having a well-defined response plan in place avoids panic and allows an organization to assess the impact, determine the proper response, and then execute what needs to be done. As a result, response activities will be appropriately scaled and as cost-effective as possible. It also ensures that adequate documentation is maintained so that lessons can be learned when the dust has settled.

One activity that an information security manager should never underestimate is the effort required to communicate the incident response plan to the stakeholders and obtain buy-in from all those who are affected by it. The plan must be reinforced regularly, either through scheduled reviews and discussion in plenary meetings, or by doing actual drills and exercises.

In an organization that is heavily driven by audit requirements, you probably want to collect some form of sign-off to ensure that all members of your team, as well as key constituents, have read the document and taken note of it.

An incident response plan is only useful if everyone who is affected by it knows about it. Do not fall into the trap of developing a plan and not communicating it. Also avoid the mistake of not developing one at all.