Easy to Use Incident Response Checklist

Organizations should have standardized procedures for responding to incidents, use this incident response checklist next time you respond to an incident.

Join our newsletter:

Detection and Analysis

  • 1. Determine whether an incident has occurred
  • 1.1 Analyze the precursors and indicators
  • 1.2 Look for correlating information
  • 1.3 Perform research (e.g., search engines, knowledge base)
  • 1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
  • 2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
  • 3. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery

  • 4. Acquire, preserve, secure, and document evidence
  • 5. Contain the incident
  • 6. Eradicate the incident
  • 6.1.Identify and mitigate all vulnerabilities that were exploited
  • 6.2. Remove malware, inappropriate materials, and other components
  • 6.3. If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
  • 7. Recover from the incident
  • 7.1 Return affected systems to an operationally ready state
  • 7.2 Confirm that the affected systems are functioning normally
  • 7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity

  • 8. Create a follow-up report
  • 9. Hold a lessons learned meeting

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.