When you engage Siege Cyber for incident response planning, you receive a complete, tested cyber security incident response plan built specifically for your organisation.
Documented Incident Response Plan (CSIRP)
We develop a comprehensive plan following ACSC guidelines, ISO 27001 Annex A 5.24 requirements, and Essential Eight expectations. Your plan includes clear procedures for detection, containment, eradication, recovery, and post-incident review. Everything is documented in plain English that your team can follow during a real incident.
Defined Roles and Responsibilities
We identify your incident response team, assign specific roles (incident manager, technical lead, communications coordinator, legal liaison), and document decision-making authority. Everyone knows who does what, who can authorise spending during an incident, and who's responsible for regulatory notifications.
Communication Procedures and Templates
Pre-written templates for internal communications, customer notifications, media statements, and regulatory reporting. When you're dealing with a data breach, you don't want to be drafting emails from scratch at 3am. We include notification procedures for the OAIC under the Privacy Act, ACSC voluntary reporting, and mandatory ransomware reporting under the Cyber Security Act 2024.
Technical Response Playbooks
Step-by-step technical procedures for common incident types: ransomware, data breach, DDoS attack, insider threat, supply chain compromise. Your IT team gets clear instructions they can follow without guessing or improvising.
Escalation Criteria and Contact Lists
Clear criteria for when to escalate incidents, who to notify, and when to engage external support (legal counsel, forensics specialists, PR advisors, law enforcement). Contact lists with mobile numbers, after-hours contacts, and backup contacts when primary responders are unavailable.
Tabletop Exercise and Plan Testing
We facilitate a tabletop exercise simulating a realistic cyber incident. Your team walks through the response procedures, identifies gaps, tests communication workflows, and builds muscle memory. We document lessons learned and update the plan based on what we discover.
Compliance Evidence Package
Documentation proving your incident response capability to auditors, insurers, and regulators. ISO 27001 auditors want to see your CSIRP and evidence of testing. Cyber insurance applications ask specific questions about incident response capability. We provide the evidence you need.

Step 1: Discovery and Context
We start by understanding your business, technology environment, compliance obligations, and risk profile. What systems are most critical? What data do you hold? What regulatory requirements apply? What's your biggest nightmare scenario? This shapes everything we build.
Step 2: Current State Assessment
We review any existing incident response documentation, interview key stakeholders, and assess your current capability. What happens today if you detect a breach? Who gets notified? What tools and processes exist? We document the baseline and identify immediate gaps.
Step 3: Plan Development
We write your incident response plan collaboratively. You're not receiving a generic template with your company name filled in. We develop procedures tailored to your environment, your team size, your technology stack, and your specific compliance requirements. We write in language your team actually speaks.
Step 4: Playbook Creation
We develop detailed response playbooks for the incident types that pose the greatest risk to your organisation. Ransomware is on everyone's list. Data breaches if you handle customer information. Business email compromise if you process payments. Each playbook includes technical steps, communication procedures, and escalation triggers.
Step 5: Tabletop Exercise
We facilitate a 2-3 hour simulated incident with your response team. We present a realistic scenario and walk through your response step by step. What works? What doesn't? Where do people get confused? What contact details are wrong? What decisions need clarification? This is where you find the gaps before they matter.
Step 6: Plan Refinement and Finalisation
Based on the tabletop exercise, we update the plan, fix the gaps, and deliver the final version. You receive the complete CSIRP, technical playbooks, communication templates, contact lists, and compliance evidence package. We also provide recommendations for annual testing and ongoing plan maintenance.
Step 7: Ongoing Support (Optional)
Many clients engage our vCISO service to maintain their incident response capability over time. We'll update the plan as your environment changes, facilitate annual tabletop exercises, provide on-call support during actual incidents, and ensure you remain audit-ready.
Organisations Pursuing ISO 27001 Certification
ISO 27001 Annex A 5.24 requires incident management planning and preparation. Auditors expect to see a documented CSIRP, defined roles, communication procedures, and evidence of testing. We develop incident response plans that satisfy ISO 27001 requirements and align with your broader ISMS.
Businesses Meeting Essential Eight Requirements
Essential Eight Maturity Level 2 requires organisations to activate incident response plans. If you're implementing Essential Eight for government contracts, cyber insurance, or internal security maturity, we'll build your CSIRP to align with ACSC guidance and demonstrate the capability assessors expect.
Companies Applying for Cyber Insurance
Every cyber insurance application asks about incident response capability. Do you have a documented plan? Has it been tested? Who's on your incident response team? We help you answer "yes" with confidence and provide the evidence insurers want to see. Better incident response capability often means better premiums.
APRA-Regulated Financial Institutions
APRA CPS 234 requires a documented and tested incident response plan. Financial institutions and superannuation trustees need incident response capabilities that meet regulatory expectations. We understand APRA's requirements and build plans that satisfy both CPS 234 and your operational reality.
Organisations with Privacy Act Obligations
If you hold personal information, the Privacy Act requires you to notify the OAIC and affected individuals when eligible data breaches occur. The notification window is tight. We include Privacy Act notification procedures, decision trees for determining eligibility, and pre-written templates so you can meet your legal obligations under pressure.
SaaS and Technology Companies
When your product goes down or customer data is compromised, every minute counts. SaaS companies need incident response plans that address both technical recovery and customer communication. We help you balance transparency with reputation management and build customer trust through professional incident handling.
Businesses Without Internal Security Teams
You're running a business, not a security operations centre. You don't have a CISO or a dedicated security team. When an incident happens, your IT manager needs clear instructions and external support. We build plans that work for lean teams and include clear escalation criteria for engaging external specialists.

We've Responded to Real Incidents
Incident response planning isn't theoretical for us. We've helped Australian businesses respond to actual ransomware attacks, data breaches, and business email compromise. We know what works under pressure and what falls apart when things get real. That experience informs every plan we write.
We Understand Australian Regulatory Requirements
Privacy Act notification obligations. ACSC reporting guidelines. Mandatory ransomware reporting under the Cyber Security Act 2024. APRA CPS 234 for financial services. Essential Eight for government contractors. We build incident response plans that satisfy your specific Australian compliance requirements, not generic international frameworks.
We Write Plans People Can Actually Use
Corporate jargon doesn't help when you're dealing with a live incident. We write incident response plans in clear, direct language your team can follow under stress. Step-by-step procedures. Clear decision criteria. Pre-written communications. Everything designed for execution, not shelf decoration.
We Test Plans Through Realistic Tabletop Exercises
A plan that's never been tested is wishful thinking. We facilitate tabletop exercises using realistic scenarios based on actual incidents we've seen in the Australian market. Your team experiences a simulated incident, identifies gaps, and builds confidence before facing the real thing.
Technical Depth with Business Context
We're not just ticking compliance boxes. Our team includes penetration testers, security engineers, and vCISOs who understand both the technical response and business implications of cyber incidents. We balance technical recovery with regulatory obligations, customer communication, and reputation management.
Fixed Pricing for Plan Development
After the discovery phase, we provide fixed-price proposals for developing your incident response plan. You'll know exactly what the investment is before committing. No hourly billing, no scope creep, no surprises.
How long does it take to develop an incident response plan?
Most organisations complete the full process in 4-6 weeks, from initial discovery through tabletop exercise and final plan delivery. Timeline depends on your organisation's complexity, stakeholder availability, and how much existing documentation we're building on. We provide a detailed timeline after the discovery phase.
What's the difference between an incident response plan and a disaster recovery plan?
An incident response plan focuses on detecting, containing, and recovering from cyber security incidents. A disaster recovery plan addresses broader business continuity and recovery from any disruption (natural disasters, infrastructure failures, etc.). They're complementary, and we often develop them together to ensure consistent approaches.
Do we need separate playbooks for different incident types?
Yes, different incidents require different responses. Ransomware response is fundamentally different from data breach notification or DDoS mitigation. We develop 3-5 detailed playbooks covering the incident types that pose the greatest risk to your specific organisation, based on your environment and threat profile.
How often should we test our incident response plan?
ISO 27001 and the ISM recommend annual testing at minimum. We also recommend testing whenever significant changes occur: new systems, team changes, regulatory updates, or after learning from incidents affecting similar organisations. Annual tabletop exercises keep skills fresh and identify the plan updates that are needed.
What happens if we have an actual incident before the plan is finished?
We provide interim guidance during plan development. If you experience an incident while we're building your CSIRP, we'll immediately provide on-call support to guide your response. Many clients engage us specifically because they've just experienced an incident and realised they need proper preparation.
Can you help us respond to an active incident?
Yes. While this service focuses on planning and preparation, we also provide incident response support when breaches occur. If you're dealing with an active incident right now, contact us immediately. We'll help you contain the situation, investigate what happened, recover your systems, and meet your notification obligations.
Will this plan satisfy our cyber insurance requirements?
We design incident response plans to meet common cyber insurance policy requirements. During discovery, we'll review your policy's specific language and ensure the plan addresses everything your insurer expects to see. We also provide the documentation and testing evidence insurers typically request.
How do we keep the plan current after you deliver it?
We provide maintenance guidance including review triggers, update procedures, and annual testing requirements. Many clients engage our vCISO service for ongoing plan maintenance, conducting annual tabletop exercises, updating procedures as the environment changes, and ensuring continuous audit readiness.
Every day without a tested incident response plan is a day you're gambling with your business. When an incident happens, it's too late to start planning.
Siege Cyber has helped Australian SaaS companies, financial services firms, and SMBs across every sector develop incident response plans that actually work under pressure. We'll do the same for you with clear processes, realistic testing, and fixed pricing.
Book a free consultation to discuss your incident response needs. We'll assess your current state, explain what's involved in developing a plan for your organisation, and provide a clear proposal with timelines and investment. No obligation, no pressure, just honest advice from people who've been doing this for 20 years.