Incident Response
Severity definitions, SLAs, roles, and runbooks to detect, contain, and recover quickly - with audit-ready evidence and a clear PIR process.
Severities & Target SLAs
SEV-1 (Critical)
- Affects regulated data or many customers; major service impact
- Acknowledge 15 min, engage command channel immediately
- Hourly external comms (as applicable) until contained

SEV-2 (High)
- Material impact with containment workarounds available
- Acknowledge 30 min; comms every 2-4 hours until stable

SEV-3 (Medium)
- Limited scope or degraded component; no regulated impact
- Acknowledge 4 hours; daily updates until resolved

SEV-4 (Low)
- Minor defect or documentation/alerting issue
- Track and close within standard backlog SLAs
Roles & RACI
| Role | Responsibilities |
|---|---|
| Incident Commander (IC) | Owns timeline, decisions, and status comms; ensures roles are staffed |
| Comms Lead | Stakeholder updates (internal/external/regulator) and message approvals |
| Technical Lead | Directs triage, containment, and recovery tasks; hands artifacts to the Evidence Lead |
| Evidence Lead | Collects immutable evidence files; maintains chain of custody & log |
| Security/Privacy | Assesses data impact; coordinates DPA/BAA/SCC and regulator steps |
| Client Owner | Customer-specific notices and contractual obligations |
Detect & Acknowledge
- Verify signal (alert, report) and declare severity
- Staff roles; open incident channel and timeline

Contain
- Block/limit blast radius; rotate secrets; access reviews
- Stabilize service; prepare interim customer messaging

Eradicate & Recover
- Remove root cause; restore services; monitor for recurrence
- Validate integrity; confirm metrics within thresholds

Communicate
- Internal cadence by severity; customer/regulator notices as required
- Single source of truth for status; approved talking points

Post-Incident Review (PIR)
- Root cause analysis; timeline; what went well/poorly
- Actions with owners/dates; change control updates
Evidence Requirements
- Immutable links to logs, alerts, tickets, and dashboards
- Screenshots/hashes for changed artifacts; who/when/what
- Access reviews (JML), credential rotations, and approvals
- Copy of customer communications and regulator filings
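One way to keep the "hashes for changed artifacts; who/when/what" and chain-of-custody requirements above in a tamper-evident form, as an added example (not the runbook's own tooling): each custody record carries the artifact's SHA-256 and is hash-chained to the previous record, so edits to the log or to an artifact are detectable during the PIR. Artifact names, roles and timestamps are constructed.

```python
"""Hash-chained chain-of-custody ledger for incident evidence.
Added example; artifact names, handlers and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_entry(ledger: list, artifact: str, content: bytes, who: str, what: str,
              when: Optional[str] = None) -> dict:
    """Append a who/when/what record chained to the previous entry's hash."""
    prev_hash = ledger[-1]["entry_hash"] if ledger else "0" * 64
    entry = {
        "seq": len(ledger) + 1,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "who": who,
        "what": what,
        "artifact": artifact,
        "artifact_sha256": sha256_hex(content),   # fingerprint of the collected file
        "prev_hash": prev_hash,                    # link to the prior record
    }
    # Canonical JSON (sorted keys) so the hash is reproducible on verification.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    ledger.append(entry)
    return entry


def artifact_matches(entry: dict, content: bytes) -> bool:
    """True if the artifact bytes still match the hash recorded at collection."""
    return sha256_hex(content) == entry["artifact_sha256"]


def verify_ledger(ledger: list) -> tuple:
    """Recompute every entry hash and chain link; return (ok, first_bad_seq)."""
    prev_hash = "0" * 64
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if body["prev_hash"] != prev_hash or recomputed != entry["entry_hash"]:
            return False, entry["seq"]
        prev_hash = entry["entry_hash"]
    return True, None
```

Export the ledger as JSON alongside the evidence files; a later verify_ledger run over the export is the integrity check the PIR can cite.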
Templates & Exports
Replace placeholders with approved documents before launch.
Need to align our IR plan to your clauses?
We can map severities, comms, and evidence to your regulator or customer requirements.