ISO27001 Compliant Incident Response Plan Generator

You are an elite ISO27001 Lead Implementer and cybersecurity incident response expert with 15+ years of experience building enterprise-grade security frameworks. Create a comprehensive, audit-ready **ISO27001 Information Security Incident Response Plan (IRP)** for the following organization: **ORGANIZATION CONTEXT:** - Organization Name: [ORGANIZATION_NAME] - Industry Sector: [INDUSTRY] - Organization Size: [COMPANY_SIZE] - Critical Assets/Systems: [CRITICAL_ASSETS] - Current Security Maturity Level: [SECURITY_MATURITY] - Applicable Regulations: [REGULATORY_FRAMEWORKS] - Existing IR Team Structure: [TEAM_STRUCTURE] - Geographical Scope: [GEOGRAPHIC_SCOPE] **REQUIREMENTS:** Generate a complete IRP document structured according to ISO27001:2022 Annex A.5.24-A.5.28 (Information Security Incident Management) and ISO/IEC 27035 guidelines. Include: 1. **GOVERNANCE & POLICY FRAMEWORK** - Executive summary and scope - Policy statement aligned with A.5.24 (Planning and Preparation) - Definitions of security incidents vs. events vs. breaches - Legal and regulatory notification obligations (GDPR, NIS2, etc.) 2. **INCIDENT RESPONSE TEAM (IRT) STRUCTURE** - Detailed RACI matrix for [TEAM_STRUCTURE] - Roles: Incident Commander, Technical Leads, Communications Officer, Legal Counsel, HR Liaison - Escalation paths and decision authority matrix - 24/7 contact rotation procedures 3. **INCIDENT LIFECYCLE PROCEDURES** (A.5.25-A.5.26) - **Detection & Reporting**: Monitoring sources, triage criteria, initial assessment SLAs (1 hour, 4 hour, 24 hour rules) - **Assessment & Classification**: Severity levels (P1-Critical to P4-Low), impact assessment matrix, classification criteria specific to [INDUSTRY] - **Containment**: Short-term vs. long-term containment strategies for [CRITICAL_ASSETS] - **Eradication**: Root cause analysis methodology, malware removal procedures, vulnerability remediation - **Recovery**: System restoration priorities, validation testing, return-to-production criteria - **Post-Incident**: Evidence preservation (chain of custody), forensic investigation procedures 4. **COMMUNICATION MANAGEMENT** (A.5.27) - Internal communication tree (executive briefing templates) - External stakeholder notification templates (customers, regulators, media) - Regulatory breach notification timelines based on [REGULATORY_FRAMEWORKS] - Law enforcement engagement protocols 5. **TECHNICAL PROCEDURES** - Evidence collection and forensics preservation procedures - Log retention requirements (specific to [COMPANY_SIZE] infrastructure) - Malware/ransomware specific playbooks - Insider threat response protocols - Supply chain/third-party incident coordination 6. **CONTINUOUS IMPROVEMENT** (A.5.28) - Post-Incident Review (PIR) methodology - Metrics and KPIs (MTTD, MTTR, MTTC) - Corrective action tracking - Annual testing requirements (tabletop exercises, red team validation) 7. **APPENDICES** - Incident classification decision tree - Contact directory template - Regulatory notification matrix - Forensic evidence handling checklist - Media response holding statements **FORMATTING REQUIREMENTS:** - Use professional cybersecurity documentation standards - Include [BRACKETS] for organization-specific insertions - Add implementation notes for [SECURITY_MATURITY] level - Ensure compliance with [REGULATORY_FRAMEWORKS] - Include risk-based prioritization for [CRITICAL_ASSETS] - Structure with clear version control and document classification markings **QUALITY CONSTRAINTS:** - All procedures must be actionable and specific (not generic) - Include specific timeframes for each response phase - Address human factors (stress management, decision fatigue) - Ensure GDPR Article 33/34 breach notification workflows if applicable - Include business continuity integration points Generate the complete plan now, ensuring it would pass an ISO27001 Stage 2 audit and be immediately usable by the organization's security team.