Build a free incident response plan template in minutes. Covers detection, containment, eradication and recovery. Aligned to NCSC and ISO 27001 requirements.
Yes. The builder is a free Starkhorn tool. You answer a few questions and get a structured plan outline you can take to your board. We ask for your work email so we can send it and stay in touch; you can unsubscribe at any time.
The structure follows the NCSC's five-step response and recovery model (Prepare, Identify, Resolve, Report, Learn) and the incident response functions in NIST SP 800-61 Revision 3, which aligns incident response with the NIST Cybersecurity Framework 2.0. Notification guidance follows the UK GDPR and ICO rules.
Under Article 33 of the UK GDPR, if a personal data breach is likely to result in a risk to people's rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The clock starts when you become aware, not when you finish investigating. If you report late, you must explain the delay. (Source: Information Commissioner's Office.)
No. You only need to notify the ICO if the breach is likely to result in a risk to people's rights and freedoms. You must still record every personal data breach internally, even those you do not report. If you are unsure, the ICO's guidance and a data protection adviser can help you assess the risk. This tool does not make that legal judgement for you.
Treat it as a strong starting artefact, not a finished, tested plan. It gives you the structure, the named roles and the legal clock in one place. Before you rely on it, fill the flagged gaps, run a tabletop exercise, and have it reviewed. A plan that has never been tested is an assumption.
Yes. The builder scales the team model to your size, so a one or two person operation is not asked to staff a large response team. The Cyber Security Breaches Survey 2025/2026 found 19% of charities have a formal incident response plan, so a clear outline puts you ahead of most.
Incident response is how you manage a security incident as it unfolds: contain, investigate, notify, communicate. Disaster recovery and business continuity are how you keep the organisation running and restore operations. They overlap on recovery, and a good incident response plan references your continuity arrangements.
Not in the current version. Revision 2, with its four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity), was withdrawn in April 2025. Revision 3 maps incident response to the NIST Cybersecurity Framework 2.0 functions instead. This tool reflects the current Revision 3 approach while keeping the familiar contain, eradicate, recover language teams use in practice.
Name a senior responsible owner at board or executive level who owns the plan and an incident lead who runs the response. Board-level ownership matters: the Cyber Security Breaches Survey 2025/2026 found cyber security is a board-level responsibility in only 31% of businesses, which is a gap most organisations need to close.
Starkhorn is an independent cyber resilience consultancy. We help UK mid-market and non-profit organisations pressure-test and operationalise plans like this one. We sell advisory work, not software, certification or insurance, and there is no commission in what we recommend. If your plan has gaps you want help closing, we are happy to talk, but the tool is genuinely free to use.